The Huawei network security panel highlighted equipment verification, operation transparency and global standards
In what appeared to be a direct response to the U.S.’ continued suspicion of Huawei Technologies and its potential threat to U.S. network security, the Chinese equipment vendor sponsored a seminar at this year’s Competitive Carriers Association annual convention, calling for global collaboration between mobile operators, government agencies and equipment vendors to make America’s communications networks more secure.
Huawei has been effectively blacklisted by the Trump administration, which placed the company on the U.S. Commerce Department’s Entity List in May due to concerns around national security risks. The administration has also encouraged its global allies to exclude Huawei from participating in building out their 5G networks, citing concerns that the Chinese government could use the vendor to attack or surveil foreign networks. Using this argument, the U.S. government has been successful in convincing Australia to ban the vendor.
The Huawei-sponsored panel, which included Kevin Jackson, founder and CEO of GovCloud Network, Tony Scott with Patton Boggs and Huawei’s Chief Security Officer Andy Purdy, highlighted the need for effective equipment verification, supply chain and operation transparency, as well as the establishment of global network security standards for our networks.
Huawei, which has consistently denied allegations that its products represent a security risk, views itself as having been placed in the middle of a much larger conflict around trade between the U.S. and China, and maintains that under different circumstances, Huawei and the U.S. government would be engaging in different discussions.
“Those conversations aren’t being had,” stated Purdy. “We would have discussions with them about what real cybersecurity risk is, what’s necessary to be done about it and talk about proven mechanisms to address risk, such as those that allow Nokia and Ericsson to do business in the United States in a fairly unrestricted way because they have government-monitored risk mitigation agreements in place.”
He added that Huawei is very interested in talking to the government about whether something like that could be developed for them.
Role of the operator
Jackson put the issue in its simplest terms, saying: “We are moving so fast, it’s hard to keep up — and that in and of itself is a threat.”
He went on to explain that because network infrastructure is no longer hardware-based, but is instead becoming increasingly software-based, security threats will now be software-based as well.
“As a carrier, it’s important to understand what this means for your operations,” he explained. “Historically, you have been focused on physical things, but the threat is coming from a completely different direction now.”
This, Jackson said, will drive a change in carrier operations, and a change of view about what a telecom network is. “Global standardization is critical to address this because competition is not in the technology itself, but in the services that you deliver, but primary to all of this, is the security of the data and information for your customers,” he said.
Standardization becomes critical because it enables visibility across an infrastructure, and in turn, allows for a higher level of security. “A lack of a consistent pattern or rules is also a major threat to the cybersecurity of our current and future telecommunications infrastructure,” Jackson elaborated.
He also called on operators to develop a better understanding of the “non-person” entities within their infrastructures and the data that these entities are capable of, and permitted to, share with another entity.
Scott agreed, adding, “As machines start to take over the role of humans, we have to have a more richly developed concept of machine identity and what those machines are able to access and actions that those machines can take based on that access.”
For the panelists, the biggest hurdle facing operators when it comes to security is going to be a cultural shift. “It’s necessary to change the mindset about what it takes to be an effective telecom operator,” said Jackson.
Role of the vendor
Purdy pointed to a need to create better monitoring capabilities in general and greater transparency, and referenced efforts by GSMA and 3GPP to work with operators and equipment vendors to create standards and a certification process for next-generation telecom equipment.
He also highlighted that equipment vendors should develop a close collaboration with the telecom operators to make sure the vendors are meeting the operator’s international and external requirements. “[Equipment vendors] have the requirement to address the risk from what [they] do and the risk from [their] supply chain and doing so transparently and effectively.”
Having independent programs as an equipment vendor to verify that requirements are met—requirements “steeped in international standards” when possible—and the feedback from those processes can, according to Purdy, do a whole lot to reduce security risks.
In addition, he elaborated on the role of the vendor, explaining that there are methods that can be used to ensure that vendors have very limited ability to access any data that they’re not supposed to access or to turn over that data to anyone they’re not supposed to turn it over to. “Methods that provide both assurance and transparency are absolutely essential as part of verification and conformance,” he added.
Role of the government
“Government has to be engaged in this big time,” Scott asserted. According to him, the government has to have two major roles: establishing regulatory and policy frameworks; and fostering innovation by encouraging R&D through funding.
Purdy called for better accountability on the part of the government and private sector organizations. “[They] have to own cybersecurity risk and need to know what their requirements are. They don’t need to be experts, but they need to use frameworks and follow guidelines.”
He also feels that the U.S. government is not putting enough emphasis on the importance of competition in the telecom equipment space.
“There is a fragile situation in the world about the number of equipment vendors and their capability to perform R&D,” he said. The risk of losing companies from that competition is too high. He pointed to the Chinese government as an example worth following, explaining, “The [Chinese] government recognizes the importance of competition and that having it in the market helps encourage reduced prices, better innovation, and better security features and resilience.”
While all three panelists agreed that the government has a crucial role to play in ensuring network security, they all also asserted that some things are better left to those in the industry.
“[The government’s role] should not be to pick winners and losers,” Scott said. “You see that play out in a whole bunch of different ways, and that starts to be a dangerous space.” He added later in response to an audience question that government should not look at anything beyond objective criteria when deciding where to put funding.
Further, Jackson revealed that after speaking with operators at the convention, he began to understand that operators feel that it is not innovation and improved services that drive decisions — instead, it is governmental grants. “It’s not the desire or need to provide innovation, but the choices they are able to make based upon funding,” he said, “so government grants can hinder innovation in an unexpected way.”
Lastly, Purdy said he does not think that the government should lead the way in setting verification and transparency standards. Instead, it should be led by the private sector, to avoid the development of regulations that end up stifling competition, innovation, assurance or transparency.
Network security was a theme throughout much of the convention. FCC Commissioner Geoffrey Starks also addressed the issue of network security, assuring those in attendance that he is “paying close attention” to the many national security issues that have been raised as the world races towards 5G. Starks concluded by stressing the role of carriers, especially small, rural carriers, telling them, “We need your input.”