Why Global Internet Security Standards Can Provide A Foundation For Assurance And Accountability

By: Andy Purdy, the CSO for Huawei Technologies USA, overseeing Huawei’s US cyber assurance program. 

The SolarWinds attack that compromised several U.S. federal agencies and many other organizations in America and overseas has made it painfully clear that we need to redouble our efforts to develop a more comprehensive and transparent approach to safeguarding our communications networks.

Europe is moving toward this goal in earnest. Last year, its companies faced a deadline for complying with a newly strengthened version of the EU’s first cybersecurity law. Passed in 2016, the Directive on security of network and information systems solidifies Europe’s more formal, more unified regulatory approach to managing cybersecurity risk, encouraging higher standards, more effective tools, and more consistency among EU member states.

The EU is serious about data protection and the world has taken notice: In May 2018, Europe promulgated what was effectively the first global data protection law, the General Data Protection Regulation. Since then, the GDPR has been adopted or used as a model by a number of non-EU countries and numerous companies. Last July, the EU Court of Justice struck down the U.S. Privacy Shield, a framework for regulating commercial transfers of personal data between the EU and the United States. Privacy Shield was intended to bring American companies into compliance with GDPR. But the EU Court said it was inadequate to protect the private data of EU citizens.

For the sake of U.S. businesses, an alternative must be developed that meets European data privacy requirements. This represents a good opportunity to support longstanding efforts by privacy advocates in the States to develop comprehensive U.S. privacy legislation and regulation. Given the importance of data privacy and the global nature of cyberspace, it would behoove the Biden Administration and the EU to work with other countries for a transparent international privacy protection framework that has clear requirements and is auditable, to facilitate accountability. 

Companies and governments rely increasingly on 5G-enabled networks, systems, and services, and this reliance will only deepen as the full capabilities of 5G are rolled out. Accordingly, the U.S. government should work with industry organizations, as well as think tanks and other experts, to develop unified, auditable cybersecurity and privacy standards that apply equally to all private and governmental networks and the global supply chain.

SolarWinds provides a necessary reminder of the attack and surveillance capabilities of the world’s most sophisticated cyber actors. They don’t need the permission or acquiescence of telecom equipment suppliers, telecom operators, or others in the supply chain.

I believe we must adopt the zero-trust approach advocated by William Evanina, director of the U.S. National Counterintelligence and Security Center. Zero trust is the idea that no untested technology outside an organization’s perimeters should ever be trusted and must instead be verified for authentication. This approach can provide an objective and transparent basis for knowing which products and services are worthy of trust. We should assume networks are dirty, and act accordingly. We certainly should not trust anyone — or even drop our guard by doing insufficient due diligence — simply based on who they are, where they are headquartered, or the fact that we have done business with them in the past.

Together with a security and privacy framework based on clear and unified standards and best practices — and reflecting the shared responsibility for addressing risk in ICT — we need conformance programs and protocols to ensure that those standards are being met. These can include independent, comprehensive and auditable verification processes of critical products and components that enable trust through verification.

Various security certification schemes have been developed over the past 30 years to evaluate vendors’ and operators’ security postures. Examples of standards are the two recent security enhancements aimed at 5G connectivity: SCAS, the Security Assurance Specifications, and NESAS, the Network Equipment Security Assurance Scheme. These are illustrative of clear, defined regulations that strengthen security. Testing criteria can be adjusted to different levels of assurance depending on the risk environment, making it possible to ensure that risk will be addressed even under extreme conditions.

Unified cybersecurity standards, along with conformance protocols including standardized verification and testing, can help foster a higher level of assurance and a more competitive, transparent playing field. In contrast to a world with multiple standards and disparate supply chains, a cyberspace enabled by unified standards is likely to foster robust competition, resulting in higher quality, lower costs, more innovation, enhanced security, and strengthened resilience.

In these precarious times, it is critically important that we recommit ourselves to working collaboratively to reduce risk and promote resilience in cyberspace.

Andy Purdy

Andy is CSO for Huawei Technologies USA, overseeing Huawei’s US cyber assurance program.