Security Level:
Cybersecurity and Trade
Andy Purdy
Chief Security Officer
Huawei Technologies USA
Andy.Purdy@Huawei.com
2014-9-24
HUAWEI TECHNOLOGIES CO., LTD.
www.huawei.com
Cyber Threat
“The Cyber threat is one of the most serious economic and national
security challenges we face as a Nation.”
President Obama 2013
THREAT:
Attacks Against Critical Infrastructure & National Security Systems.
Theft of Intellectual Property & Government Secrets.
THREAT ACTORS:
Hacktivists, Terrorists, Organized Crime, Sovereign States.
VULNERABILITIES:
Poor Coding Practices, Inadvertence, Negligence, Malicious Intent.
2
Cyber Threat
•
•
•
Four primary types of malicious actors in the cyber world:
foreign intelligence services, terrorist groups, organized crime
enterprises, and hacktivists.
Types of attacks:
–
Distributed Denial-of-Service (DDOS) attacks – that have
interrupted or suspended the service of web servers at banks.
–
Theft and general invasions of privacy by “keystroke logging.”
–
Economic espionage and trade secret theft.
–
The cyber threat also takes the form of destructive malware.
Collaborations and Partnerships: DIB Framework; partnerships
with law enforcement, private industry, and academia through
initiatives such as InfraGard, National Cyber-Forensics and
Training Alliance (NCFTA), NCSA, and ISACs.
3
Improving the Nation’s Defenses
Executive Order on Cybersecurity
EO 13636: Improving Critical Infrastructure Cybersecurity
• Calls for Public/Private Sector Collaboration in Information Sharing.
• NIST to establish Cybersecurity Framework of Standards and Best Practices for
critical infrastructure; draft due October 2013.
• Identifies need to reduce vulnerabilities of government networks and systems by
directing GSA to revise procurement processes and requirements.
• GAO: Supply chain risk may be part of the Cybersecurity Framework draft of
standards and best practices to protect critical infrastructure to be released in
October.
• At the 2nd NIST workshop, a NIST official noted the potential value of considering
for ICT products and services “conformity assessment approaches” like those used in
other product/service areas .
• Conformity assessment approaches could be used to evaluate ICT products and ensure
trusted delivery for installation, servicing, and updates.
4
Global Supply Chain
Overreaching on the Budget Bill
• With time running out and a furlough imminent April 1 2013, a
small provision (Section 516) was added at the last minute to the
Congressional Continuing Resolution (CR) funding the
Government through September 2013 that would preclude
procurement by select Federal Agencies from companies owned,
directed or subsidized by the PRC.
• In 2014, the Senate passed a provision that did not have a antigeographic focus (against China)
5
Global Supply Chain
U.S. Industry Objected to Procurement Bans
“Geographic-based restrictions run the
risk of creating a false sense of
security…undermining the
advancement of global best practices
and standards on cybersecurity.”
“Section 516 creates challenges that
could undermine U.S.-based
companies’ global competitiveness.“*
*Excerpted from April 4, 2013 letter from multiple U.S. industry and trade associations to Congressional Leadership commenting on Section 516 of the
Continuing Resolution funding the U.S. Government through the Fiscal Year which would effectively ban select Federal Department procurement from
companies “owned, directed or subsidized by the People’s Republic of China.”
6
Global Supply Chain
The White House Agreed with the Private Sector
• "The undefined terms of this provision will make
implementation challenging,"
• "It could prove highly disruptive without significantly
enhancing the affected agencies’ cybersecurity. While the
Administration has raised concerns about the cyber threats
emanating from China, resolving this issue requires open
dialogue between the U.S. and China.”
Quotes from White House spokesperson as quoted in “The Hill” on April 5, 2013
7
Global Supply Chain
Huawei Perspective




Cybersecurity is a shared global problem requiring risk-based approaches,
best practices, and international cooperation to address the challenge.
Transparency and an even-handed partnering approach across our
industry by public and private sectors is necessary to proactively manage
cybersecurity and global supply chain risk mitigation.
Huawei is dedicated to collaborating, innovating and establishing
international standards with other global organizations to ensure that the
integrity and security of the networked solutions and services meets or
exceeds the needs of our customers and provides the assurance confidence
required by their own customers.
See Huawei’s Second Security White Paper, “Cyber Security
Perspectives -- Making cyber security a part of a company’s DNA - A set
of integrated processes, policies and standards.”
http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-310548.htm
8
Improving the Nation’s Defenses
Huawei’s Approach that Promotes Fair Trade Policy
•
•
•
•
Huawei actively participates in the development and implementation
of international standards and best practices;
Actively participates in The Open Group Trusted Technology Forum
developing global supply chain assurance standards and thirdparty accreditation process;
Huawei implements a global supply chain assurance program
featuring transparency, end-to-end assurance, traceability, breach &
tampering protections, and independent 3rd-party evaluation &
assessment; and
Implements and maintains trusted product assurance programs in
the UK and North America meeting the security assurance needs of
its global customers.
9
Improving the Nation’s Defenses
Huawei’s Principles of Security Assurance
Possible elements for international agreement regarding trade and security
Openness, Transparency
and Cooperation
Compliance with Laws
and Regulations
Proactive End-2-End
Security Assurance
Assurance Verified by
Independent Third-parties
Traceability
No “Back Doors” and
Tamper Proof
Working with stakeholders to meet and resolve security challenges.
Security/privacy requirements imbedded into business processes.
Risk management/assurance incorporated into design, development
and operation to address the dynamic threat environment.
Global capability for independent testing, verification, and
certification of products using approved third-parties.
Traceable products, solutions, services and components using
management tools and integrated systems.
Processes and technologies to protect against unauthorized
tampering and breach using technologies such as digital signatures.
10
Improving the Nation’s Defenses
Huawei’s Assurance Program
The following are the components of the Huawei Assurance Program,
closely aligned with the NIST Technical Report on Supply Chain
Assurance and with the Open Group Supply Chain standard:
 Legal compliance
 R&D Security
 Security Verification
 Service Delivery Security
 Security Issue Communication and Resolution (CERT/PSIRT)
 Supply Chain Security
 Procurement Security
 Traceability
 HR Management
11
Global ICT Security Challenges
Addressing risk while keeping promises re: trade
Global
• Sovereign Agreements on
Norms of Conduct
• International Norms –
Public and Private
• Global Norms of Conduct
for ISPs and Carriers
Global and National
•
Coordinated Approach
Against Malicious Activity
ICT Industry
• Standards and Certification
Every vendor has certified processes
in place that conforms to global
standard.
• Supply Chain Security
• Product Evaluation
Product risk evaluation before
deployment
• Delivery System Security
Standardized process ensuring secured
product installed and secured updates
and service
12
Restoring Trust, Ensuring Integrity
Possible framework for international agreement
ICT Vendors
Service
Providers/Data
Managers
Global industrywide initiative to
identify risks
Global norms of
conduct for ISPs
and Carriers
Global industrywide certifiable
security assurance
standards
Transparent legal
and regulatory
environment
Government
Multilateral
sovereign
agreements on
cyber behavior
13
Restoring Trust, Ensuring Integrity
Supply Chain Standards and Certification
ICT Vendors
Global industry-wide
initiative to identify
risks
Global industry-wide
certifiable security
assurance standards
• Every vendor adheres to certified processes that
conform to global standards (e.g., Open Group).
Risk-based Product Evaluation Per Global
Standards
• Baseline certification requirements

Self- or 3rd-party certification of conformity (e.g.,
NIST SP 800-161, e.g., SA-11)
• Higher risk/assurance requirements
Tri-party MOU: customer/evaluator/government
 Dynamic threat assessment (NOT disclosed to
vendor)

Delivery System Security
• Standardized processes ensuring secure product
installation, management, update and service.
14
Restoring Trust, Ensuring Integrity
Real-world Implementation
May 23, 2013
Finally, Saw (Clearwire CTO)
reiterated that Clearwire is
"subjecting every LTE base
station vendor to a Trusted
Delivery Program whereby we
require that all of our vendors'
base station and software
pass extensive testing by a U.S.
government-approved third
party company recognized for
vetting critical infrastructure
systems for security
weaknesses and threats."
Supply Chain Standards and Certification
• Every vendor adheres to certified processes that
conforms to global standards (e.g., Open Group).
Risk-based Product Evaluation Per Global Standards
• Baseline certification requirements

Self- or 3rd-party certification of conformity (e.g.,
NIST SP 800-161, e.g., SA-11)
• Higher risk/assurance requirements
Tri-party MOU: customer/evaluator/government
 Dynamic threat assessment (NOT disclosed to vendor)

Delivery System Security
• Standardized processes ensuring secure product
installation, management, update and service.
15
Global ICT Challenges
Huawei’s Perspective on Cyber Risk and Trade
• Global Cyber Threat, including Supply Chain: industry-wide
problems require collaboration and information sharing among private
and public entities, and the development and leveraging of industry
standards and best practices to mitigate risks;
• Industry-Wide Application: all requirements applied to all vendors to
assure product and service security;
• US Framework for ICT product evaluation leveraging international
standards and best practices supported by government and industry;
• Effective assurance requires processes to ensure that evaluated
products are unchanged throughout installation and not compromised
during post-installation updates and servicing.
16
Draft Supply Chain Risk Model
Leverage purchasing power to reduce risk
• Key Incentive: leverage the purchasing power of government and
•
•
commercial buyers to raise the cyber security/assurance bar
Recognized standard and third-party accreditation of conformance
(Open Group)
Risk-based tiers of product evaluation appropriate to buyer
 Assessment of criticality and risk of product
 Baseline certification requirements
• What are baseline requirements for evaluation?
• Self- or third-party certification with proof of conformance
• See NIST SP 800-161 (e.g., SA-11)
 Advanced evaluation – higher risk/assurance requirement
 Tri-party MOU: customer/evaluator/government
 Address dynamic threats; use latest tools (NOT disclosed to vendor)
 Highest risk/assurance – Trusted delivery
 Installation/updates/services
17
Improving the Nation’s Defenses
Huawei’s Approach
Product assurance programs – enhanced trust and security
•
In the U.S., Huawei and EWA have set up a
security evaluation model for third-party
verification of Huawei product being sold into the
U.S. market, as necessary and commercially
meaningful.
•
In the UK, Huawei has established the Cyber
Security Evaluation Centre with security clearances
approved by UK government.
•
In Australia, unrelated to Huawei, an independent
lab is being considered to provide security
assurance testing of software, hardware, system
integration and network assurance to ensure that
infrastructure and systems comply with a minimum
set of security requirements.
18
Beyond the NSA, the international spillover also could be significant, said
Michael Hayden, who has directed both the NSA and Central Intelligence
Agency. Revelations about the NSA's surveillance operations are fueling
international efforts to divide up the Internet by country, he said, which is a
movement the U.S. government—and U.S. tech companies—have worked
hard to prevent.
"This is threatening the existence of the World Wide Web," Mr. Hayden said,
adding that a Balkanization of the Internet is "a no-fooling danger."
19
Thank you!
Andy Purdy
Chief Security Officer
Huawei Technologies USA
Andy.Purdy@Huawei.com
www.usahuawei.com
20