Cybersecurity and Trade
Andy Purdy, Chief Security Officer, Huawei Technologies USA
Andy.Purdy@Huawei.com
2014-9-24
HUAWEI TECHNOLOGIES CO., LTD. www.huawei.com

Cyber Threat
“The Cyber threat is one of the most serious economic and national security challenges we face as a Nation.” – President Obama, 2013
THREAT: Attacks against critical infrastructure and national security systems; theft of intellectual property and government secrets.
THREAT ACTORS: Hacktivists, terrorists, organized crime, sovereign states.
VULNERABILITIES: Poor coding practices, inadvertence, negligence, malicious intent.

Cyber Threat
• Four primary types of malicious actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists.
• Types of attacks:
  – Distributed Denial-of-Service (DDoS) attacks that have interrupted or suspended the service of web servers at banks.
  – Theft and general invasions of privacy by “keystroke logging.”
  – Economic espionage and trade secret theft.
  – Destructive malware.
• Collaborations and Partnerships: DIB Framework; partnerships with law enforcement, private industry, and academia through initiatives such as InfraGard, the National Cyber-Forensics and Training Alliance (NCFTA), NCSA, and ISACs.

Improving the Nation’s Defenses – Executive Order on Cybersecurity
EO 13636: Improving Critical Infrastructure Cybersecurity
• Calls for public/private sector collaboration in information sharing.
• NIST to establish a Cybersecurity Framework of standards and best practices for critical infrastructure; draft due October 2013.
• Identifies the need to reduce vulnerabilities of government networks and systems by directing GSA to revise procurement processes and requirements.
• GAO: Supply chain risk may be part of the Cybersecurity Framework draft of standards and best practices to protect critical infrastructure, to be released in October.
• At the 2nd NIST workshop, a NIST official noted the potential value of considering for ICT products and services “conformity assessment approaches” like those used in other product/service areas.
• Conformity assessment approaches could be used to evaluate ICT products and ensure trusted delivery for installation, servicing, and updates.

Global Supply Chain – Overreaching on the Budget Bill
• With time running out and a furlough imminent on April 1, 2013, a small provision (Section 516) was added at the last minute to the Congressional Continuing Resolution (CR) funding the Government through September 2013 that would preclude procurement by select Federal Agencies from companies owned, directed or subsidized by the PRC.
• In 2014, the Senate passed a provision that did not have a geographic (anti-China) focus.

Global Supply Chain – U.S. Industry Objected to Procurement Bans
“Geographic-based restrictions run the risk of creating a false sense of security…undermining the advancement of global best practices and standards on cybersecurity.”
“Section 516 creates challenges that could undermine U.S.-based companies’ global competitiveness.”*
*Excerpted from the April 4, 2013 letter from multiple U.S. industry and trade associations to Congressional Leadership commenting on Section 516 of the Continuing Resolution funding the U.S. Government through the Fiscal Year, which would effectively ban select Federal Department procurement from companies “owned, directed or subsidized by the People’s Republic of China.”

Global Supply Chain – The White House Agreed with the Private Sector
• "The undefined terms of this provision will make implementation challenging."
• "It could prove highly disruptive without significantly enhancing the affected agencies’ cybersecurity. While the Administration has raised concerns about the cyber threats emanating from China, resolving this issue requires open dialogue between the U.S. and China.”
Quotes from a White House spokesperson as quoted in “The Hill” on April 5, 2013.

Global Supply Chain – Huawei Perspective
Cybersecurity is a shared global problem requiring risk-based approaches, best practices, and international cooperation to address the challenge.
Transparency and an even-handed partnering approach across our industry by the public and private sectors are necessary to proactively manage cybersecurity and global supply chain risk mitigation.
Huawei is dedicated to collaborating, innovating and establishing international standards with other global organizations to ensure that the integrity and security of networked solutions and services meet or exceed the needs of our customers and provide the assurance and confidence required by their own customers.
See Huawei’s Second Security White Paper, “Cyber Security Perspectives -- Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards.” http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-310548.htm

Improving the Nation’s Defenses – Huawei’s Approach that Promotes Fair Trade Policy
• Huawei actively participates in the development and implementation of international standards and best practices;
• Actively participates in The Open Group Trusted Technology Forum, developing global supply chain assurance standards and a third-party accreditation process;
• Huawei implements a global supply chain assurance program featuring transparency, end-to-end assurance, traceability, breach and tampering protections, and independent 3rd-party evaluation and assessment; and
• Implements and maintains trusted product assurance programs in the UK and North America meeting the security assurance needs of its global customers.

Improving the Nation’s Defenses – Huawei’s Principles of Security Assurance
Possible elements for international agreement regarding trade and security:
• Openness, Transparency and Cooperation: Working with stakeholders to meet and resolve security challenges.
• Compliance with Laws and Regulations: Security/privacy requirements embedded into business processes.
• Proactive End-2-End Security Assurance: Risk management/assurance incorporated into design, development and operation to address the dynamic threat environment.
• Assurance Verified by Independent Third-parties: Global capability for independent testing, verification, and certification of products using approved third-parties.
• Traceability: Traceable products, solutions, services and components using management tools and integrated systems.
• No “Back Doors” and Tamper Proof: Processes and technologies to protect against unauthorized tampering and breach, using technologies such as digital signatures.

Improving the Nation’s Defenses – Huawei’s Assurance Program
The following are the components of the Huawei Assurance Program, closely aligned with the NIST Technical Report on Supply Chain Assurance and with the Open Group Supply Chain standard:
• Legal compliance
• R&D Security
• Security Verification
• Service Delivery Security
• Security Issue Communication and Resolution (CERT/PSIRT)
• Supply Chain Security
• Procurement Security
• Traceability
• HR Management

Global ICT Security Challenges – Addressing risk while keeping promises re: trade
Global
• Sovereign Agreements on Norms of Conduct
• International Norms – Public and Private
• Global Norms of Conduct for ISPs and Carriers
Global and National
• Coordinated Approach Against Malicious Activity
ICT Industry
• Standards and Certification – Every vendor has certified processes in place that conform to global standards.
• Supply Chain Security
• Product Evaluation – Product risk evaluation before deployment.
• Delivery System Security – Standardized process ensuring a secured product is installed, with secured updates and service.

Restoring Trust, Ensuring Integrity – Possible framework for international agreement
ICT Vendors
• Global industry-wide initiative to identify risks
• Global industry-wide certifiable security assurance standards
Service Providers/Data Managers
• Global norms of conduct for ISPs and Carriers
• Transparent legal and regulatory environment
Government
• Multilateral sovereign agreements on cyber behavior

Restoring Trust, Ensuring Integrity – Supply Chain Standards and Certification
ICT Vendors: Global industry-wide initiative to identify risks; global industry-wide certifiable security assurance standards.
• Every vendor adheres to certified processes that conform to global standards (e.g., Open Group).
Risk-based Product Evaluation Per Global Standards
• Baseline certification requirements – Self- or 3rd-party certification of conformity (e.g., NIST SP 800-161, e.g., SA-11).
• Higher risk/assurance requirements – Tri-party MOU: customer/evaluator/government; dynamic threat assessment (NOT disclosed to vendor).
Delivery System Security
• Standardized processes ensuring secure product installation, management, update and service.

Restoring Trust, Ensuring Integrity – Real-world Implementation
May 23, 2013: Finally, Saw (Clearwire CTO) reiterated that Clearwire is "subjecting every LTE base station vendor to a Trusted Delivery Program whereby we require that all of our vendors' base station and software pass extensive testing by a U.S. government-approved third party company recognized for vetting critical infrastructure systems for security weaknesses and threats."

Global ICT Challenges – Huawei’s Perspective on Cyber Risk and Trade
• Global Cyber Threat, including Supply Chain: industry-wide problems require collaboration and information sharing among private and public entities, and the development and leveraging of industry standards and best practices to mitigate risks;
• Industry-Wide Application: all requirements applied to all vendors to assure product and service security;
• US Framework for ICT product evaluation leveraging international standards and best practices supported by government and industry;
• Effective assurance requires processes to ensure that evaluated products are unchanged throughout installation and not compromised during post-installation updates and servicing.

Draft Supply Chain Risk Model – Leverage purchasing power to reduce risk
• Key Incentive: leverage the purchasing power of government and commercial buyers to raise the cyber security/assurance bar.
• Recognized standard and third-party accreditation of conformance (Open Group).
• Risk-based tiers of product evaluation appropriate to the buyer:
  – Assessment of criticality and risk of product.
  – Baseline certification requirements: What are the baseline requirements for evaluation? Self- or third-party certification with proof of conformance; see NIST SP 800-161 (e.g., SA-11).
  – Advanced evaluation – higher risk/assurance requirement: Tri-party MOU: customer/evaluator/government; address dynamic threats and use the latest tools (NOT disclosed to vendor).
  – Highest risk/assurance – Trusted delivery: installation/updates/services.

Improving the Nation’s Defenses – Huawei’s Approach
Product assurance programs – enhanced trust and security
• In the U.S., Huawei and EWA have set up a security evaluation model for third-party verification of Huawei products being sold into the U.S. market, as necessary and commercially meaningful.
• In the UK, Huawei has established the Cyber Security Evaluation Centre, with security clearances approved by the UK government.
• In Australia, unrelated to Huawei, an independent lab is being considered to provide security assurance testing of software, hardware, system integration and network assurance to ensure that infrastructure and systems comply with a minimum set of security requirements.

Beyond the NSA, the international spillover also could be significant, said Michael Hayden, who has directed both the NSA and the Central Intelligence Agency. Revelations about the NSA's surveillance operations are fueling international efforts to divide up the Internet by country, he said, which is a movement the U.S. government, and U.S. tech companies, have worked hard to prevent. "This is threatening the existence of the World Wide Web," Mr. Hayden said, adding that a Balkanization of the Internet is "a no-fooling danger."

Thank you!
Andy Purdy, Chief Security Officer, Huawei Technologies USA
Andy.Purdy@Huawei.com
www.usahuawei.com
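The deck's assurance principles (tamper protection with digital signatures, traceability, and trusted delivery that keeps an evaluated product unchanged through installation and updates) can be made concrete with a vendor-signed component manifest that the receiving party checks before installing. The Go program below is an added example written for this page; it is not Huawei's, Clearwire's or any vendor's actual trusted-delivery implementation. The manifest format, file names, component contents and key handling are assumptions constructed for illustration; a real program would load the vendor's public key from a trusted store and hash files on disk rather than byte strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Manifest is the vendor's signed bill of delivered components
// (hypothetical format, constructed for this example).
type Manifest struct {
	Product    string            `json:"product"`
	Version    string            `json:"version"`
	Components map[string]string `json:"components"` // file name -> hex SHA-256
}

// Report is what the installer records for traceability.
type Report struct {
	Verified []string // hash matched the signed manifest
	Tampered []string // delivered, but hash differs from the manifest
	Missing  []string // listed in the manifest but not delivered
	Unlisted []string // delivered but not covered by the manifest
}

// Clean reports whether installation may proceed.
func (r Report) Clean() bool {
	return len(r.Tampered) == 0 && len(r.Missing) == 0 && len(r.Unlisted) == 0
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor-side step: hash every component at release time.
func BuildManifest(product, version string, files map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Components: map[string]string{}}
	for name, data := range files {
		m.Components[name] = digest(data)
	}
	return m
}

// SignManifest serialises the manifest and signs the bytes with the vendor key.
// encoding/json emits map keys in sorted order, so the payload is deterministic.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte, err error) {
	payload, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyDelivery is the customer/evaluator-side step: the signature is checked
// before the manifest is trusted at all, then every delivered file is compared.
func VerifyDelivery(pub ed25519.PublicKey, payload, sig []byte, delivered map[string][]byte) (Report, error) {
	var r Report
	if !ed25519.Verify(pub, payload, sig) {
		return r, errors.New("manifest signature invalid: refuse delivery")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return r, err
	}
	for name, want := range m.Components {
		data, ok := delivered[name]
		switch {
		case !ok:
			r.Missing = append(r.Missing, name)
		case digest(data) != want:
			r.Tampered = append(r.Tampered, name)
		default:
			r.Verified = append(r.Verified, name)
		}
	}
	for name := range delivered {
		if _, ok := m.Components[name]; !ok {
			r.Unlisted = append(r.Unlisted, name)
		}
	}
	for _, s := range [][]string{r.Verified, r.Tampered, r.Missing, r.Unlisted} {
		sort.Strings(s) // deterministic report for the traceability record
	}
	return r, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	// Constructed sample release: one firmware image and one config file.
	release := map[string][]byte{
		"baseband.bin": []byte("baseband image v2.1"),
		"config.xml":   []byte("<config/>"),
	}
	payload, sig, _ := SignManifest(priv, BuildManifest("lte-base-station", "2.1", release))
	// Constructed tampering in transit: config altered, unexpected file added.
	delivered := map[string][]byte{
		"baseband.bin": release["baseband.bin"],
		"config.xml":   []byte("<config debug='on'/>"),
		"extra.so":     []byte("not in manifest"),
	}
	r, err := VerifyDelivery(pub, payload, sig, delivered)
	fmt.Printf("err=%v clean=%v tampered=%v unlisted=%v\n", err, r.Clean(), r.Tampered, r.Unlisted)
}
```

The order of checks matters: the signature is verified before the manifest is parsed, so an attacker who can alter files in transit cannot also rewrite the list of expected hashes. The same report can be re-run after every update or service visit, which is the "unchanged throughout installation and not compromised during post-installation updates" requirement stated on the slides.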