How to create transparency in today's cyber space

Dennis Chan, Country Cybersecurity & Privacy Officer (CSPO), Huawei International discusses best practices for cybersecurity standards.

Today’s world is embracing digitisation where we started to see smart transportation, smart port, smart retail and others, but as we know that new technologies often come with unprecedented challenges and unexpected risks like cybercrime and cyber-attacks which are happening in this new world of digitisation. Hence there may have doubts if we are confident enough to march into a completely digitised, intelligent world?

Trust the Right Security Standard

With various industries setting their foot onto the path of digitalisation, security standards will allow the various stakeholders to trust the system or network has been setup based on common set of security requirements and can be verified. Today, these standards like ISO, IEC, etc are supported globally by leading government authorities, global telecom operators, key technical vendors, industry associations and security researchers.

Huawei advocates and promotes the establishment of cyber security standards that are globally recognised and agreed upon. Huawei has also been actively participating with industry standards organisations to promote the establishment of new standards.

Product Security Baseline as a Fundamental Priority

After spoken on standards, so how Huawei is going to apply standards into our product and business? As you may have known that Huawei has established an end-to-end cybersecurity assurance system, covering not only on technologies, software or hardware, but also involving the whole organisation, every person and every process within Huawei.

Security as part of Huawei product development process is to assure cyber security is our fundamental priority before we ship out product to our customers. Product security is incorporated in the design and development of product, playing an important role in product lifecycle. By developing and implementing security requirements to form a common baseline for our products, so that we can ensure that all products will meet the same set of requirements in terms of security quality, and we will continuously update the security baseline so that the security quality will also improve.

On product security baselining, we will take reference from applicable global laws and regulations, combining customers’ business requirements with our internal governance requirements to analyse and then establish the baseline. With our organisation from people, technologies and processes we will focus on 12 key domains including strategy/governance, standards/procedures, laws and regulations, human resource management, R&D, test and verification, supply chain, service delivery, and so on.

To boost for transparency and collaboration, we have our Product Security Baseline which consists of 54 requirements under 15 categories, made available in our website to the industry to share on our framework and management practices. All Huawei products have to pass the independent verification before launch. If any of the product violate these baseline specifications, then the market launch of the product will be suspended until the critical issues are eliminated, and the product team’s performance will be graded as a critical failure within the security maturity assessment.  Of course, these baseline does not represent all cyber security requirements for the given network solutions or business scenarios, however we believe that by steadily improving a sufficient baseline will be more effective on assuring an end-to-end supply chain security, rather than going to set a maximum security requirements.

At the same time we aim to provide a platform for the industry stakeholders to share their expertise in cyber governance and work on technical solutions together. Our Global Cyber Security and Privacy Protection Transparency Center is also open to regulators, independent third-party testing organisations and standards organisations, to spur collaboration and to facilitate cybersecurity as priority for all.

A call for Public-Private Collaboration

At recent we have witnessed more calls for public-private partnerships to enhance and strengthen on cybersecurity. Over the past years, we have seen more than 150 countries releasing over 180 security and privacy laws and legislations. Private sectors also investing and contributing more towards innovations for security.

Trustworthiness become a key value for businesses as they continue to invest in ICT, expecting verifiable quality in both processes and results. With our Research Centres in Singapore and other cities, we will continuously improve on product quality and resilience through trustworthy R&D to ensure that every customer will provide with high-quality products, while our employees will continue to value product security and earning customers’ trust.

As more enterprises going digitisation, risk exposure to cyber threats such as ransomware and supply chain attacks may also increase, hence organisations must be well-equipped with the necessary tools and knowledge to mitigate such cyber threats. Building a safe cyberspace during the digital economy era will require closer collaboration among all players and stakeholders in the ecosystem.

On the other hand, consumers will need to understand the concept of shared goals and aligned responsibilities, while they can raise their security awareness on protecting their own data and privacy via learning course or webinar.

From adopting international standards, product security baseline to wider collaboration, everyone including governments, standards organisations, and technology providers need to work together to develop a unified understanding of cyber security challenges. This must be an international effort with shared goals, align responsibilities, and collaboration to build a trustworthy digital environment that meets the challenges of today and tomorrow.