Huawei assesses cyber threat risk
Andy Purdy: Companies need to take risk-based assessments of cyber threats
Chinese telecommunications company Huawei can afford to take a “long view of history” according to the company’s US chief security officer.
According to Donald (Andy) Purdy, who spoke to InnovationAus.com ahead of a visit to Australia, the company is not mired by arguments about whether or not its technology should be barred from Western nations’ communications infrastructure - including Australia’s 5G network.
The Australian Communications and Media Authority is preparing to auction spectrum in the 3.6GHz band later this year, the first step in the rollout of a national 5G network. There have been calls for Huawei technology to be excluded from that network due to perceived security threats – the company was previously barred from supplying equipment to the national broadband network.
Its technology however is embedded in the Radio Access Network supporting Optus’ and Vodafone’s 4G networks, and is critical for mobile services outside of the major metropolitan areas.
The company supports similar networks in the US. According to Mr Purdy; “We have a lot of smaller customers – tier three broadband and wireless providers that are really dependent on us. People in those remote areas that no one wants to serve - they depend on this stuff for quality of life and business. We want to help protect that – and frankly we can afford to take a pretty long-term view of history.”
The big question for Huawei is, while the Radio Access Network will remain, will it be able to supply additional technology for Australia’s 5G networks?
Andy Purdy will deliver a keynote speech at the Huawei Breakfast Forum in Melbourne on August 2, 2018.
Australia’s Telecommunications Sector Security Reforms come into force this September. These deliver the Minister for Home Affairs with a new power to direct the actions of a telecommunications company if that is “reasonably necessary to protect networks and facilities from national security risks.” That power could be used to control equipment procurement policies.
According to Mr Purdy; “As a person that is really concerned about making my country safer, and all of cyber space safer, it’s frustrating to me where there is this attention on blocking individual companies. You can block us from every market in the world and we would still have a very vulnerable cyber space. There are some very bad guys out there and some malicious nations out there and so we can’t fool ourselves saying if we put restrictions on companies A or B that we are doing achieving anything.”
Instead Mr Purdy advocated for a more nuanced and risk-based assessment of cyber threats to networks, which he argued was more sensible, especially with the wave of multi-vendor sourced internet of things devices expected once 5G networks are deployed.
“We have to have programs set up to make sure that multiple vendors are meeting the requirements - but there has to be a demonstrated basis for trust in all these vendors, in all these capacities and all these capabilities so that we can be protected,” said Mr Purdy.
Mr Purdy was the US’s senior cyber security officer during the George W. Bush administration. He joined Huawei in 2012. Recruited by John Suffolk – who had been CIO of the UK government before taking on the global security and privacy officer role for Huawei – Mr Purdy said he was attracted by the chance to work with a company that wanted to transform the way that cyber risk was addressed.
“This was not principally about coming to work for Huawei – almost counterintuitively it was about being able to play a role with a China-based global company that could work collaboratively to make cyberspace more secure and that’s something I believe in. And we are making progress – not without controversy – but it has been great,” he said.
Mr Purdy, said that Huawei’s overarching intent was to; “Protect and appropriately address risk to customers, risk to Huawei. We are trying to make sure we protect any particular access to customer data, to customer networks and so that we do nothing to harm customers.”
He said that it was important cyber security received proper focus. “When I was in charge of cyber security for the US government some years ago, having come from the White House staff, there was a growing recognition that cyber security is a very important thing. Looking over time, and I’ll choose my words a little bit carefully, looking at the difference between what representatives of major organisations and government say and what they actually do, there has been a whole lot more talk than there has been action in an awful lot of places around the world.”
He warned that; “The major systems and networks of most governments and businesses are very vulnerable. They’re vulnerable not just to sophisticated attacks by well resourced malicious actors or even the most advanced governments - they are susceptible to cyber-attacks that are unsophisticated.
“We have got to be driving progress to make it safer. With some exceptions we are not doing a very good job of it.”
He stressed the urgency given the advent of Internet of Things connected systems required for autonomous vehicles, drones, remote controlled aircraft, remote surgery – all of which would feature components sourced from multiple vendors. Ticking off connected devices trusted vendor by trusted vendor was not feasible.
“We really have to be serious about this stuff. That’s the new model of trust based on a risk management framework that will be critical to a safer, more secure cyberspace,” said Mr Purdy.
He added that this was a hard problem that some companies and many governments did not have the appetite for – particularly the complex and nuanced situations which he acknowledged had been complicated by geopolitical trade and economic arguments.
While he did not expect the current US-led trade wars to spill over into cyber wars, he did acknowledge that “the tendency to impose trade barriers in the name of cyber security is a problem” which could lead to a “balkanization” of technology and higher costs for business and consumers.
Huawei has partnered with InnovationAus.com to host the Huawei Breakfast Forum in Melbourne on August 2, 2018. Register your attendance here: https://www.innovationaus.com/news/55/127/Huawei-Breakfast-Forum