NSA Leaks Prompt Need For Broader Security Discussion, Huawei Says


Huawei, which pledged to not retreat from the U.S. market following concern from lawmakers that its hardware components could contain back-door access for Chinese surveillance, is using the ongoing National Security Agency leaks as a stepping stone for a broader discussion about cybersecurity and transparency at technology providers.

The Beijing-based firm issued a paper today to highlight its internal security processes and oversight of its global operations, including how it oversees its supplier network, manufacturing processes and employee hiring practices. Huawei's U.S.-based executives say the goal is to avoid future knee-jerk reactions from lawmakers against vendors.

"Businesses are concerned about quality and trust and accountability," said Andy Purdy, chief security officer for Huawei USA. "They want to make sure that they understand what it is they are buying, and hold the provider accountable to deliver whatever it is that they say they can deliver."

Purdy and Huawei Vice President of External Affairs William Plummer said they are seeing signs of multiple policies, fragmenting an already difficult environment to carry out business for transnational organizations. As a reaction to the NSA leak, the government in India said it was considering banning the use of U.S.-based email services, such as Gmail and Yahoo, for official communications. In Germany, Deutcher Telekom launched an encrypted email service it said would thwart NSA spying activities, and in Brazil, officials there are considering measures to break free from their view of U.S.-dominated Internet control. If carried out fully, the moves could result in fracturing or balkanization of technology infrastructure and services around the world, Plummer said.

[Related: Huawei's ICT Nation Aims To Unite Partners, Vendors, CIOs In One Community]

"All of us are transnational. All of us leverage global supply chains and exist within ecosystems across the globe," Plummer said. "Let's define some certifiable standards and best practices that can apply across the industry, and as an industry address this crisis of confidence."

Huawei USA is based in Cupertino, Calif., and makes servers, storage and networking gear that generally competes with Cisco Systems products. Huawei executives have pledged to remain in the U.S. and say they are pressing forward with plans to build out a broader partner channel presence. The company has been making attempts to bolster its image following concerns that it and ZTE had alleged ties to the Chinese government. The firm denies any link exists, but a U.S. congressional committee has barred the use of Huawei equipment fearing that it could be used in Chinese cyberespionage activities.

The company is virtually turning the tables by taking the high road to showcase an image of transparency and security, say solution providers. Most businesses are more concerned about product quality and long-term performance, said Chris Allman, president of Dallas-based Tech10 Networks, which specializes in selling application delivery appliances. The firm sells England-based JetNexus' line of application acceleration appliances and recently signed on to sell German antivirus vendor Avira's software to small businesses.

"For sure, the client wants to makes sure there are no security vulnerabilities, but most of the time it comes down to features and capabilities," Allman said. "It's mainly about getting the most value out of a technology investment, not the location of the manufacturer."

Huawei's technical paper, "Cyber Security Perspectives: Making cyber security a part of a company's DNA – A set of integrated processes, policies and standards," outlines the company's information security program and structure. The core governance principles are developed by a global cybersecurity steering committee, with internal audits and independent third-party assessments at all of its locations as part of the security certification and accreditation process. The company also laid out how it oversees its 400 U.S. suppliers and thousands of international partners that make up its extensive global supply chain.

"We have institutionalized the accountability at the national level to be consistent with the global assurance program, globally," Purdy told CRN. "We are working internally with our general council to make sure that operations in the U.S. are consistent with the overall approach."

Purdy took the helm as CSO in Huawei's U.S. region in July 2012 in an attempt to patch up Huawei's political ties. He has extensive ties with U.S. government work. Purdy was a White House adviser, helping draft the U.S. National Strategy to Secure Cyberspace in 2003, and served at the Department of Homeland Security, where he helped form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT).

"When you look at something like NIST cybersecurity framework and issues of supply chain and suppliers, you can see that it is a difficult but critically important area," Purdy said. "We are calling for the creation of a global conformity consortium to help raise the bar on the quality of products that come to market."

PUBLISHED OCT. 18, 2013