Why the mobile industry needs international security assurance standards

By Huawei

Andy Purdy, Huawei USA’s Chief Security Officer, discussed this topic at GovWare Focus 2020.

The World Economic Forum ranked cyberattacks as one of the greatest threats to the world in its 2020 Global Risk Report.

“Cyber threats are set to keep mounting as technology advances. Communications security is a shared responsibility, and the need for global security assurance standards has never been as imperative,” said Andy Purdy, Huawei USA’s Chief Security Officer, at GovWare Focus 2020.

Purdy announced Huawei’s commitment to the Network Equipment Security Assurance Scheme (NESAS), an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. He also discussed the need for global security assurance standards and certification processes and how those can be achieved.

Emerging security risks

“As the next generation of technologies emerges, a new wave of security risks and privacy challenges has emerged,” said Purdy.

Cloud enables resource sharing, but traditional boundaries for data protection have become increasingly blurred, he said. Artificial intelligence and Big Data have created new breakthroughs in data processing, but have also increased the risk of data breaches.

“Lastly, the millions of IoT devices today are also new attack agents for malicious actors, enlarging the attack surface,” said Purdy.

The need for collaboration

An independent and objective assessment and evaluation scheme can help address these cybersecurity challenges, Purdy said.

“There’s been a lot of questions about the role of telecom equipment suppliers, but we have to recognise it's much larger than that,” said Purdy. All parties - including telecoms operators, service providers and customers, regulators, governments, and standardisation development organisations - have an important part to play.

Governments are responsible for taking the necessary measures to protect national security interests and for enforcing conformance programs and independent product testing and certification. Regulators guarantee that telecoms providers take appropriate measures to safeguard the general security and resilience of their networks and services.

How NESAS will help

NESAS is jointly developed by GSMA, the Global System for Mobile Communications Association, and 3GPP, the industry group for technical specifications. “The assurance scheme is a comprehensive assessment framework for secure product development and product lifecycle processes, and a proper evaluation methodology of mobile network equipment,” Purdy said.

“NESAS will give mobile network operators visibility over the security capabilities of equipment vendors prior to purchase,” said Purdy. It will also reduce the operators’ security testing efforts, as testing is outsourced to accredited security test laboratories that meet the NESAS requirements.

“Governments and regulators can also avoid the fragmentation of security requirements across the global market,” said Purdy. Equipment vendors, in turn, can use NESAS to evidence how security is integrated into their design, development, implementation, and maintenance processes, and demonstrate compliance with security requirements to various stakeholders.

“NESAS is designed to improve iteratively over time,” said Purdy. By the end of this year, the assessment scheme will likely incorporate planned penetration testing, cryptographic analysis, and software engineering.

Huawei believes that an effective and transparent R&D process and security standards will overcome many cybersecurity challenges, reducing all risks to an acceptable level.

“We can and must work together to make a safer and more secure cyberspace, so we can bring the benefits of this technology to the people, homes and organisations of the world to make our lives safer and more prosperous,” said Purdy.