Governments concerned about increasingly high-profile cyber-attacks must look past individual suppliers and work with vendors to consider risk in the context of an increasingly global security supply chain, the head of IT security with network supplier Huawei has advised.
Citing the importance of public-private partnerships to evaluate and implement best practice around security protections, John Suffolk – Huawei’s global cyber security officer and a previous UK government CIO – said the sheer number and diversity of security solutions being pitched to a market terrified by the spectre of cyber-attack was creating strategic challenges for organisations that just want to protect their data.
Security requirements vary according to individual organisations’ policies and exposure, he said, which makes it difficult for potential customers to know exactly how security solutions fit together.
“I never specify what ‘good’ looks like from a security point of view,” Suffolk told CSO Australia after a presentation to audiences at this week’s CeBIT conference in Sydney. “It’s very hard to do because there’s a plethora of standards and best practice. Having policies about this is meaningless because you have hackers that know you haven’t patched your server, and they’re going to come through your front door.”
Despite rapid growth that last year made it the world’s second-largest supplier of network equipment, Huawei has struggled to counter growing perception that it is an instrument of the Chinese government, and that its products could compromise institutional security. The company was excluded from participation in Australia’s National Broadband Network (NBN) last year on security fears – and offered its source code for inspection as a peace gesture but last month disbanded its local NBN-related business unit.
Last month, Huawei turned its back on the US market after it and fellow Chinese equipment maker ZTE were blacklisted by US politicians and telecommunications carriers as well as concerned analysts.
Arguing that 70% of the components in Huawei equipment come from third parties, most of them overseas suppliers, Suffolk said efforts to boost security by mandating particular equipment were misplaced: “I don’t see that as a viable solution, because everyone’s components come from around the world,” he said. “People rely on free trade, and that’s what we should promote and protect.”
In the longer term, government organisations will need to continue working through their policies to develop what Suffolk called “a measured sense of requirement” that guides closer collaboration between those organisations and the private-sector suppliers upon which they rely.
This includes not only specifying security standards, policy and manufacturing requirements – for example, auditing a vendor’s vulnerability management process – but addressing broader issues around skills pathways, policies for boosting R&D investment, and so on. Australia’s dwindling base of IT security experts has been singled out as a significant threat facing the country and is forcing companies like security service provider Earthwave, is forcing many providers to look to import foreign nationals to meet security demand.
Such trends reflect the difficulties governments have in applying black-and-white policies to a field that is changing by the day – but Suffolk believes these policy vagaries can be worked through as governments and private firms lay down the terms of reference to work together towards common goals.
“Many governments are at different stages of maturity, so we shouldn’t be surprised to see them taking different decisions at different points in time,” he said.
“We clearly need to do more to protect ourselves from people that wish to do us harm from a cyber security perspective, and I think you’ll see quite a lot of alignment around the world. Industry and government can come together to rationalise that quite quickly, and we will see more clarity around what ‘good’ looks like – and most vendors will make the investments to ensure they conform to those standards.”