5G is a hot topic nowadays, as it plays a role the digital transformation of multiple industries and economies. Even hotter is the debate on the cybersecurity of 5G networks, which can be achieved if all stakeholders in the process, including network operators, infrastructure vendors and governmental agencies, collaborate on different layers to secure these mobile communication networks.
The cybersecurity debate around 5G goes from uniform standards to independent verifications, effective risk management, to trust, assurance and joint responsibility, or security requirements and assessment framework.
Huawei Technologies USA debated these topics at its 17th annual Huawei Analyst Summit earlier this year. A webinar focusing on “Cybersecurity Standards and Testing in Europe” brought together panelists from Huawei and from international institutions which focus on cybersecurity: Andy Purdy, Huawei Technologies USA Chief Security Officer; Bob Xie, Cyber Security Officer of Huawei Western European Region and Director of Cybersecurity Transparency Centre Brussels; Professor Chris Mitchell from Royal Holloway, University of London; and Jon France, Head of Industry Security at GSMA. They shared their insights on uniform standards and independent verification, and why these are all necessary for effective risk management.
Comprehensive, credible, internal and external testing of all network elements is a critical component of effective, trustworthy cybersecurity. Independent external testing is also essential to certify compliance with industry standards by equipment vendors, network operators, and service providers.
Huawei takes a multi-layered, “many hands, many eyes” approach to trusting and verifying cybersecurity. “We believe that trust should be based on facts,” said Bob Xie, Huawei’s cybersecurity officer for the Western European Region and lead for its Brussels-based Transparency Centre. “And facts should be verifiable. And the verification should be based on the common standard,” he said. Huawei has verification steps, both internal and independent, built into its product development process.
The Transparency Center in Brussels, led by Xie, helps customers, government officials and others to learn about Huawei’s cybersecurity strategy and practices as they relate to supply chain, R&D and products. It is also open to all for testing and validation of Huawei products.
Cybersecurity frameworks that must reference recognized standards, are also of utter importance, said Xie’s colleague Andy Purdy, chief security officer for Huawei Technologies USA. Recognized standards are those developed by 3GPP and GSMA for 5G and NESAS-SCAS for telecom equipment, while frameworks must also include independent conformance and testing protocols, Purdy said.
Markets need to offer incentives to encourage all telecom equipment suppliers to provide greater assurance and transparency, and these would complement government regulations. Purdy suggested that IT&C buyers should use risk-informed procurement requirements for assurance and transparency. Telecom equipment buyers, in collaboration with other stakeholders, should call on vendors to compete not just on functionality and price, but also for cybersecurity practices and transparency. This would motivate suppliers to compete to drive greater security assurance and transparency to achieve market leadership.
Huawei’s Chief Security Officer presented a five-fold framework developed by the NGO East West Institute: 1. Risk-informed procurement requirements 2. Buyer-led security requirements for ICT vendors 3. Vendor-led assurance and transparency requirements 4. Regional transparency centers 5. Global conformance program.
“We think it’s a good idea if there could be a call to action to our competitors and us as part of this overall kind of framework…to develop minimum industry best practices for assurance and transparency,” Purdy said. “It’s a shared responsibility. Let’s work together as a global community to implement practices to raise the bar for cybersecurity.”
Trust and assurance in cybersecurity is key in the telecoms sector and joint responsibility, with standards organizations operators, suppliers, regulators and consumers having a part to play, said GSMA’s Head of Industry Security Jon France. “Trust is a two-way street”, France said, “When we talk about the mobile ecosystem, there is a web of suppliers, operators, regulators that have to build and engender trust. It is not an absolute; it is about confidence in one another between two or more parties.”
The GMSA worked with standards body 3GPP to develop the Network Equipment Security Assurance Scheme (NESAS), which helps foster baseline trust in telecoms network equipment.
NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes. It also uses 3GPP defined security test cases for the security evaluation of network equipment. Its aim is to reduce fragmentation in the market and provide a good baseline standard that every vendor should be able to go through to get security assurance. More than 50 operators and major vendors contributed to the development of the NESAS scheme, which was published in late 2019.
Huawei currently holds 91 commercial 5G contracts, 47 of which are in Europe, 27 in Asia and 17 from other regions. Currently, 49 of those networks are now live.
In the UK, Huawei has worked with government watchdog groups and operators on 5G for years, resulting in an arrangement that allows UK operators to use Huawei’s radio access network (RAN) equipment, subject to certain restrictions. Huawei’s technologies are evaluated under government supervision in the Huawei Cyber Security Evaluation Centre outside of London.
In Germany, where Huawei recently helped launch 5G, the government demands that any and all equipment going in a 5G network should be subject to rigorous cybersecurity testing and validation, regardless of the vendor or country of origin.
Below you can watch the full panel talk on cybersecurity at the Huawei conference in May 2020.
(p) - This article is an advertorial.