Assume nothing, believe no one and check everything. This is the mantra that Huawei is driving in its professionally produced second edition Cyber Security Perspectives whitepaper.
How they were able to contain the urge to aim this mantra directly at the USA, Australia and other countries that have ‘blacklisted’ them (for want of a better word) shows remarkable constraint and professionalism.
Some might see the emphasis that Huawei places on cyber security as a marketing ploy to subjugate the effect on revenues those national bans have had. Others may see it as a ‘tongue in cheek’ response to the stealth activities of the NSA and its PRISM program that ‘came out’ recently.
Is it a case of the ‘shoe being on the other foot’? Whilst publicly articulating concerns that Chinese suppliers might have their hardware (and software) used to snoop on its citizens and government agencies, we now know they are doing a great job of it themselves!
In the foreword, Ken Hu, Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee, wrote, “I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any government, or their agencies.”
What a diplomat! If I could offer a possible translation into common speak it would be “NO government has asked us to provide systems that snoop on others, so what’s all the fuss about?” Mary Lennighan writing for Total Telecom was a little more forthcoming when she read it as, “The Chinese government is not using Huawei's equipment to spy on the West, so let's all get along.”
Hu also stated, “We believe it is only by working together internationally, as vendors, customers and policy and law makers will we make a substantial difference in addressing the global cyber security challenge.” But I fear it may not be that easy.
Putting aside all these conspiratorial overtones, the paper is a classy tome. Gone are the days when young Chinese companies venturing into the Western world used an early version of Google Translate to produce their marketing material. This document is aeons away and the international team that contributed to this really know what they are talking about and have had their thoughts compiled an edited with great skill by one John Suffolk, a former UK Government official.
The over-riding theme is one of collaboration if cyber security is to be effective, including governments, enterprises and people and a whole chapter is devoted to managing third parties and supply chain and procurement practices. This is very timely in this era of cloud services and virtualization where multiple players will be called on to supply end-to-end digital services.
Neutral industry organizations like the TM Forum are playing an active role in bringing all parties together to collaborate on cyber security and it quite a task. Huawei elaborates its own experiences with cyber security and what their customers are most concerned about. It takes a gentle stab at the lag in regulation and the lack of cyber security knowledge and specialists in many corporations putting out RFPs. They go as far as providing what they call a “Reverse Request for Information (RFI)”.
If you overlook the occasional subliminal and obvious marketing messages it is definitely worth a read, even if only to sharpen your ‘translation’ skills. You may also choose to adopt the ‘assume nothing, believe no one and check everything’ mantra in your own dealings with third parties, even vendors.