Amid the ongoing controversies about his employer, Huawei’s global cyber security and privacy officer (GSPO) John Suffolk is frequently in the hot seat. His remit covers the 170 countries in which Huawei equipment is deployed by some 1,700 customers; Huawei says that one-third of the world’s mobile traffic passes through its equipment.
Suffolk sat down with IT World Canada at Huawei’s global analyst summit at the company’s head office in Shenzhen, China to talk about how governments worldwide are failing in security, and how the company is addressing concerns about its security practices.
His mandate at Huawei is a broad one, encompassing everything from building security into business processes and the supply chain to end-to-end cybersecurity of all of the company’s solutions and devices. It’s not a job for the faint-hearted, but this former U.K. government CIO and CISO has no problem calling things as he sees them.
“For me, the narrative hasn’t changed,” he said. “And I’ve publicly said to politicians, I can almost predict your speech at the next government conference on security, because you’d be like everybody else’s speech five years ago. And I think we accept it’s a complex topic, but there are simple things that governments can do. And I know, governments are saying, well, we want to be the leader in 5G, and we want to be the leader over here. But the reality is, it’s an interconnected world, you’re going to have to work together.”
Security is an ongoing discussion with Huawei’s product teams, who have to balance their R&D and security spending against the fact that only a small proportion of customers worldwide understand security and build security requirements into their bidding documents.
“We have a baseline where you have to build to a certain level,” he said. “But what it tells us is those customers are not under pressure from their governments to have a baseline level of security in their infrastructure.”
It may be because those governments have other priorities such as healthcare or transportation, he admitted, but Suffolk believes that more developed countries should be pointing out the risks of connected devices and thinking about global standards, just as health professionals worldwide are working together to solve common problems. There are conferences and joint research projects already, he pointed out; governments just have to add security to that research as a vertical across the global industry, and vendors would support them in deciding what needs protecting, and to what extent.
“The reality is, you can’t put $10 worth of security into $1 device,” he said. “So we can help work out, in essence, ‘these sensors, no one cares about, but these sensors are very, very important. They’re not going to cost you $1, they need to cost you $10, because $2 needs to be worth of security in them.’ That is not just an advancement of technology at any price. That’s having a grown-up conversation.”
If, for example, a hospital connects all its insulin pumps wirelessly, it drives down the operating costs, but the pumps need to be protected as what Suffolk calls “mini critical infrastructure”. There have to be rules like those already in existence for health and safety.
“So my belief is I think politicians need to do more. Talk is cheap. And they don’t need to answer all questions themselves. The industry is more than capable of coming up with the majority of the answers,” he said. “At some point, though, governments are going to have to legislate. It actually doesn’t matter what the answer is, it’s politicians’ and governments’ roles to make the decision, make a decision, don’t complain, make a decision.”
But, he added, in the U.S. and Canada, people won’t wait for policy decisions; they’re looking for competitive advantage. Policy makers know this. Suffolk said that Huawei’s view is “codify it”. There’s a balance between being told what to do and how to do it, and good regulators know how to achieve that balance.
However, he went on, because governments don’t know every business intimately, they could take the GDPR model of a detailed framework that allows companies to use their own judgment based on their business and apply it to security.
“It’s something that we’re trying to promote to get away from this: ‘This is good, this is bad, but we don’t have a standard and we’re not going to tell you what the standard is. We just think it’s bad.’ Not helpful, guys! If you give us a standard, you give us a certification, we will achieve it.”
That’s why Huawei has committed $2.5 billion to clean up the code base for its older equipment’s software after an audit by the U.K. Huawei Cyber Security Oversight Board (OB) found deficiencies in engineering practices.
“So in the OB report, we have to stand naked in front of the world. It’s helped us immensely,” Suffolk said. “Because as the U.K. came out and said, there was no malfeasance. It doesn’t mean that we don’t have issues that we have to address. But we have a sort of a love-ish relationship with the OB and the oversight. Because when you come in from a top-secret world, they are hugely demanding. They see things that we as vendors will never see.”