Huawei may have been barred by the Australian federal government from National Broadband Network (NBN) deals on security grounds, but the Chinese vendor has invited governments to review its security capabilities in a new white paper.
The white paper, entitled "Cyber Security Perspectives: 21st century technology and security -- a difficult marriage", outlines that the vendor will support and adopt any internationally agreed standard or best practice for cyber security in its broadest sense.
“We will also support any research effort to improve cyber defences and continue to improve and adopt an open and transparent approach, enabling governments to review Huawei’s security capabilities,” wrote the author of the white paper, Huawei global security officer John Suffolk.
He added that all stakeholders -- including government and industry -- need to recognise that cyber security is a shared global problem requiring risk-based approaches, best practices and international cooperation to address the challenge.
“With the recent publication of threats such as Stuxnet and Flame, the world has reached a decision point: Does it continue on its current path whereby any misguided actor, regardless of motive, can operate freely in an unregulated world and develop malware for any purpose?” Suffolk wrote.
According to Suffolk, if industry and government accept this route, then people must “stop complaining” and accept the consequences of a cyber race to the bottom and the return of the “Wild West”.
However, he argued that countries could collectively step back from the precipice, as has been done with other forms of warfare, and establish laws, norms, standards and protocols.
“Trust has to be earned and continually validated and also accepting that a lack of trust exists between some stakeholders when it comes to cyber security. In this scenario we must be realistic but determined.”
He added that it was important for companies to work together to identify the anti-security players, and made a list of who to watch out for:
- Individuals who engage in a range of activities, including harassment, intimidation, bullying and grooming children for sexual exploitation.
- Hacktivists who are individuals or groups that have a particular point to make and use hacking to promote their causes.
- Criminals, both organised and disorganised, who run various scams, from illicit trade and counterfeiting to industrial espionage.
- Terrorists, however defined, who set out to cause harm.
- Government-sponsored agents who use technology as they use other intelligence methods: To gather data and information on items of interest to them.
- Commercial espionage undertaken by a range of parties to obtain advanced information from a country or competitors for their own advantage.
“While the inclusion of governments on the list of cyber world adversaries seems incorrect given the outspoken nature of governments that vehemently decry those hacking their country, it is important to keep in mind that throughout history, spying and espionage have continually played a role in diplomacy, for better or worse,” he wrote.
According to Suffolk, who cited two Forbes articles, "Meet the Hackers who sell Spies the tools to crack your PC (and get paid six figure fees)" and "Shopping for Zero Days: A Price List for Hacker’s Secret Software Exploits", there is a vibrant industry in identifying and selling zero-day exploits. These are attacks that exploit security vulnerabilities for which no fix yet exists, often as soon as those vulnerabilities are discovered.
“In fact, the articles indicated that governments around the world are frequently the purchasers of zero-day exploits and that large defence contractors also buy and sell zero-day exploits,” he wrote.
“If governments are indeed involved in the acquisition of zero-day exploits or are developing attack software, such as Flame and Stuxnet, the phrase ‘what we sow we reap’ springs to mind.”
Follow Hamish Barwick on Twitter: @HamishBarwick