Trust, test and assure: A multi-party approach to 5G cybersecurity

Expert panel discusses 5G cybersecurity

As part of the 17th annual Huawei Analyst Summit, Huawei Technologies USA brought together experts from GSMA and Royal Holloway, the University of London for an informative webinar titled: “Cybersecurity Standards and Testing in Europe.” The May 20 webinar, which is now available on-demand at RCR Wireless and YouTube, discussed uniform standards and independent verification, and why these are all necessary for effective risk management. Panellists for the webinar included Andy Purdy, Huawei Technologies USA Chief Security Officer; Bob Xie, Cyber Security Officer of Huawei Western European Region and Director of Cybersecurity Transparency Centre Brussels; Professor Chris Mitchell from Royal Holloway, University of London; and Jon France, Head of Industry Security at GSMA.

Watch a recording of the discussion below:

5G networks will play a foundational role in the digital transformation of multiple industries and economies. Stakeholders in the process – including network operators, infrastructure vendors and governmental agencies – are therefore keenly interested in how these networks will be secured. 

However, cyber security concerns, particularly in the context of 5G, are not something that can be addressed in a vacuum. Creating a process wherein cyber security concerns can be articulated, evaluated and validated requires clear guidelines and collaboration among multiple parties. 

During the webinar, GSMA’s Head of Industry Security Jon France focused on the role of trust and assurance in cybersecurity in the telecoms sector. This issue should be viewed as a joint responsibility with standards organizations operators, suppliers, regulators and consumers having a part to play. ,

“Trust is a two-way street”, France said, “When we talk about the mobile ecosystem, there is a web of suppliers, operators, regulators that have to build and engender trust. It is not an absolute; it is about confidence in one another between two or more parties.” 

To foster baseline trust in telecoms network equipment, the GMSA worked with standards body 3GPP to develop the Network Equipment Security Assurance Scheme (NESAS). NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as using 3GPP defined security test cases for the security evaluation of network equipment. The core aim of NESAS is to reduce fragmentation in the market and provide a good baseline standard that every vendor should be able to go through to get security assurance. More than 50 operators and major vendors contributed to the development of the NESAS scheme, which was published in late 2019. 

Bob Xie is Huawei’s cyber security officer for the Western European Region and lead for its Brussels-based Transparency Centre. Xie said Huawei takes a multi-layered, “many hands, many eyes” approach to trusting and verifying cyber security. “We believe that trust should be based on facts,” he said. “And facts should be verifiable. And the verification should be based on the common standard.” He explained that Huawei has verification steps, both internal and independent, built into its product development process. 

In addition, the Transparency Center in Brussels provides an environment for customers, government officials and others to learn about the vendor’s cybersecurity strategy and practices as they relate to supply chain, R&D and products. Further, the facility serves as an environment open to all for testing and validation of Huawei products.

Despite navigating challenges in some markets, Huawei is still winning 5G business around the world. The company currently holds 91 commercial 5G contracts, 47 of which are in Europe, 27 in Asia and 17 from other regions. Forty-nine of those networks are now live, according to company officials. 

In the United Kingdom (UK), Huawei has worked with government watchdog groups and operators on 5G for years. This collaboration and cooperation has resulted in an arrangement that allows UK operators to use Huawei’s radio access network (RAN) equipment, subject to certain restrictions. Huawei’s technologies are evaluated under government supervision in the Huawei Cyber Security Evaluation Centre outside of London. 

Huawei is able to participate in 5G deployment in Germany as well. The German government takes the position that any and all equipment going in a 5G network should be subject to rigorous cyber security testing and validation, regardless of the vendor or country of origin.

Xie’s colleague Andy Purdy, chief security officer for Huawei Technologies USA, noted the importance of cyber security frameworks. These must reference recognized standards, such as those developed by 3GPP and GSMA for 5G and NESAS-SCAS for telecom equipment. Those frameworks must also include independent conformance and testing protocols, Purdy said. 

He also highlighted the need for market-based incentives that encourage telecom equipment suppliers to provide greater assurance and transparency, important complements to government regulation. Purdy suggested that  ICT buyers should use risk-informed procurement requirements for assurance and transparency. He added that telecom equipment buyers, in collaboration with other stakeholders, should call on vendors to compete not just on functionality and price, but also for cybersecurity practices and transparency. Such an approach would motivate suppliers to compete to drive greater security assurance and transparency so they can be market leaders. 

As an example, Purdy presented a five-fold framework developed by the NGO East West Institute: 

• Risk-informed procurement requirements
• Buyer-led security requirements for ICT vendors
• Vendor-led assurance and transparency requirements
• Regional transparency centers
• Global conformance program

“We think it’s a good idea if there could be a call to action to our competitors and us as part of this overall kind of framework…to develop minimum industry best practices for assurance and transparency,” Purdy said. “It’s a shared responsibility. Let’s work together as a global community to implement practices to raise the bar for cybersecurity.”

Click here to watch the webinar “Cyber Security Standards and Testing in Europe,” featuring the following panelists: 

• Andy Purdy, Chief Security Officer, Huawei Technologies USA
• Bob Xie, Cyber Security Officer for the Western European Region of Huawei Technologies and Director of the Huawei Cyber Security Transparency Centre in Brussels
• Chris Mitchell, Professor, Royal Holloway, University of London
• Jon France, Head of Industry Security, GSMA

For additional resources on 5G and cybersecurity, please reference the below content:

• What is threat modelling for 5G cybersecurity?
• Security vs. Privacy: What’s the distinction in the 5G era? =
• How should stakeholders work together to ensure 5G security? 
• How to develop 5G security standards at a global scale 
• 5G cybersecurity: 3GPP vs. NIST vs. ENISA—standardizing the standards’
• Video: Huawei Rotating Chairman Ken Hu opens Cybersecurity Transparency Center
• Video: Huawei cybersecurity center enables independent 5G and IoT and testing and verification
• Video: How can Huawei or any vendor guarantee cybersecurity absent uniform standards?

The post Trust, test and assure: A multi-party approach to 5G cybersecurity appeared first on RCR Wireless News.