Don't trust the NSA? China-based Huawei says, 'Trust us'
A year after charges it was a threat to U.S., Huawei touts its approach to global cybersecurity
Network World - What a difference a year makes.
At this time last year, China-based network vendor Huawei was being accused of being a threat to U.S. national security because it could "provide Chinese intelligence services access to telecommunications networks," according to the House Intelligence Committee report that made headlines. Now, the National Security Agency (NSA) in the U.S. stands accused of planting backdoors in network gear and weakening at least one encryption standard for its own cyber-spying purposes, based on documents released by former NSA contractor Edward Snowden.
In the midst of this turn of events, Huawei -- which was effectively shut out of the U.S. telecom market after last year's committee report -- today sought to initiate a fresh dialog about global cybersecurity by issuing what it calls its "Cyber Security Perspectives" report.
"We're trying to contribute to a broader collaboration on standards and best practices," said Andy Purdy, Huawei chief security officer.Huawei is making the argument that new standards for vulnerability assessment, tracking and fixing of software and hardware need to be developed, along with compliance testing. In its "Cyber Security Perspectives" report, Huawei also advocates that "governments, the industry and end-users worldwide need to collectively come to an understanding on how we will work together to define and agree on new, specific norms of behavior, standards and laws, and how we promote privacy and security in global networks."
"The imperative is to try and have agreements on what is OK and not OK globally," said Purdy, and especially to establish trust in governments and the private sector.
Huawei's 52-page report outlines that company's internal procedures and practices as a global manufacturer. The report contains no surprises in its discussion of code-quality checks, supply-chain safety, concern about open source, which Huawei uses to some extent, and vulnerability reporting.
But Huawei also wants to open the door to the possibility of a new approach to global cybersecurity and conformance testing that would likely tilt away from efforts driven by the National Institute of Standards and Technology (NIST) and the NSA, including the existing IT product-testing program called Common Criteria.
Common Criteria was created in 1998 by the U.S., Canadian and European governments as a way to have accredited labs test IT gear for security and assurance purposes and it's sometimes a requirement in government procurements. China never joined the Common Criteria effort, though Huawei indicated it has had some equipment tested in Common Criteria labs.
"There are things that can be done that are a lot less expensive than the Common Criteria," says Purdy. He says Huawei is advocating an approach that would rely on independent assessments but be "much more dynamic."
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Cybercrime and Hacking White Papers | Webcasts