Huawei has decided to school America on cyber-security, and its lesson is to co-operate with China so its vendors – including Huawei – can be trusted around the world.
A post from Huawei's CSO for the USA, Andy Purdy, rates President Biden's sweeping May 2021 Executive Order on Improving the Nation's Cybersecurity as "the bare minimum that companies should be doing".
Purdy, a former White House adviser on cyber security, makes some decent points – especially when pointing out that the Executive Order is only binding on federal agencies and their private sector suppliers.
"For companies that don't do business with the government, they're simply guidelines," Purdy wrote. The CSO therefore called for the USA's Securities and Exchange Commission to force businesses to adopt sound security frameworks like that offered by the National Institute of Standards and Technology.
Purdy also called for robust public/private partnerships "on a global scale".
Which means – surprise! – chatting to China.
"The US and other countries must work together more closely and share information more openly than they do now," Purdy stated. "Governments and companies must also leverage the decades-long effort to develop norms of cyber conduct.
"This is an opportunity for the US to work collaboratively – not only with its G7 and the G20 partners, but with China and Russia and other countries – to build a more rules-based order for cyberspace that has requirements steeped in standards and best practices, transparency and conformance mechanisms, and meaningful accountability."
Fine words, but also words it's hard to imagine sparking action.
The USA and China already have a mutual non-hacking pact but each nation regularly names the other as a source of hostile electronic attack. US President Biden has accused Russia of doing far too little to curb the activity of ransomware gangs operating from its soil.
While Purdy mentioned the UN's Group of Governmental Experts on Advancing Responsible State Behaviour in the Context of International Security as an effort that could stop nation-state cyber-skirmishes if only big nations signed up, major powers aren't exactly enthusiastic participants in its development. They have also avoided engaging with similar entities like the Global Commission on the Stability of Cyberspace.
Why is Purdy tilting at diplomatic cyber-windmills? The following extract from his piece may explain why:
It would be a major step forward if governments and global companies would subject themselves to auditable testing and verification processes for critical components and legal processes in the countries with whom mutual trust agreements are signed.
To The Register's mind, that's Huawei arguing that if the USA and China had better infosec agreements, China would vouch for Huawei and the USA could therefore shop with confidence.
Which sounds great in theory, but also naïve – we know the USA targeted Cisco and Juniper devices to improve its intelligence prospects. And once the USA, or any other nation, knew the rules, they'd also know how to step around them.