Don't trust the NSA? China-based Huawei says, 'Trust us'
A year after charges it was a threat to U.S., Huawei touts its approach to global cybersecurity
Network World - What a difference a year makes.
At this time last year, China-based network vendor Huawei was being accused of being a threat to U.S. national security because it could "provide Chinese intelligence services access to telecommunications networks," according to the House Intelligence Committee report that made headlines. Now, the National Security Agency (NSA) in the U.S. stands accused of planting backdoors in network gear and weakening at least one encryption standard for its own cyber-spying purposes, based on documents released by former NSA contractor Edward Snowden.
In the midst of this turn of events, Huawei -- which was effectively shut out of the U.S. telecom market after last year's committee report -- today sought to initiate a fresh dialog about global cybersecurity by issuing what it calls its "Cyber Security Perspectives" report.
"We're trying to contribute to a broader collaboration on standards and best practices," said Andy Purdy, Huawei chief security officer.Huawei is making the argument that new standards for vulnerability assessment, tracking and fixing of software and hardware need to be developed, along with compliance testing. In its "Cyber Security Perspectives" report, Huawei also advocates that "governments, the industry and end-users worldwide need to collectively come to an understanding on how we will work together to define and agree on new, specific norms of behavior, standards and laws, and how we promote privacy and security in global networks."
"The imperative is to try and have agreements on what is OK and not OK globally," said Purdy, and especially to establish trust in governments and the private sector.
Huawei's 52-page report outlines that company's internal procedures and practices as a global manufacturer. The report contains no surprises in its discussion of code-quality checks, supply-chain safety, concern about open source, which Huawei uses to some extent, and vulnerability reporting.
But Huawei also wants to open the door to the possibility of a new approach to global cybersecurity and conformance testing that would likely tilt away from efforts driven by the National Institute of Standards and Technology (NIST) and the NSA, including the existing IT product-testing program called Common Criteria.
Common Criteria was created in 1998 by the U.S., Canadian and European governments as a way to have accredited labs test IT gear for security and assurance purposes and it's sometimes a requirement in government procurements. China never joined the Common Criteria effort, though Huawei indicated it has had some equipment tested in Common Criteria labs.
"There are things that can be done that are a lot less expensive than the Common Criteria," says Purdy. He says Huawei is advocating an approach that would rely on independent assessments but be "much more dynamic."
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts