Andy Purdy, CSO for Huawei USA, believes the US needs to be more active in the development of global security standards rather than being aloof.
"The US has fundamentally dropped the ball when it comes to participation in global security standards," Purdy told The Register. "We need really strong standards and the US should be a major player."
Instead of working with China and other technologically sophisticated nations, the US under the Trump administration took a confrontational stance. Huawei, a China-based global telecom conglomerate, suffered during this period and the mistrust laid bare during those years lingers.
So it's perhaps not surprising that Purdy, as an executive with the company's US subsidiary, believes the US made the wrong move by erecting trade barriers and shunning Huawei.
"I don't think the US realizes it, but I think the US made a colossal mistake in imposing the export controls to basically drive China to accelerate the chance when they'll create an alternative to what the semiconductors in the US can do," he said.
But Purdy is more focused on advocating for cooperation than assessing the effect of trade barriers on China's tech sector. He went so far as to describe an encounter at a security conference last year where he asked a top US intelligence official about the possibility of agency personnel visiting Huawei facilities to evaluate security practices. The official replied that the agency does not have the authority to do so because Huawei is not a US company tied to the US defense industrial base.
Citing discussions with other security professionals to the effect that you have two choices – develop a security protocol that eliminates the advantage nation states have for intelligence gathering or accept that you're not really going to have security – Purdy said he disagreed.
"I don't believe that," he said. "Nation states – US and China in particular, Israel and a couple others – are going to have the ability to spy, all around the world."
"But I think we need to learn some lessons and it looks like the Biden administration is taking some steps in the right direction from the recent attacks on SolarWinds, Microsoft Exchange, and to a lesser extent the ransomware attacks. They all show the vulnerability of everything."
These attacks, though attributed to nation states, he said, involved trusted suppliers, so the old assumptions no longer work.
Purdy argues that trust doesn't need to be assumed. "Something I've really emphasized is the trust-no-one approach," he said. "[We should be] working on developing a zero-trust architecture and zero-trust principles so it's not just about the perimeter."
And if trust isn't a given, Purdy suggests we can at least have enough transparency to make informed decisions.
"How can you make it possible to know whether or not a company is doing the right thing?" he said. "You can't just use an approach like [the Trump administration did with] WeChat and TikTok. ...Ownership and control assertions by the head of a company aren't the answer. You need to test. You need to have independent conformance and you need visibility to know whether the company is doing the right thing. ...You also need much greater accountability."
Purdy said he sees the US tiptoeing toward greater accountability, at least for critical infrastructure.
"We need to move from the old UN cyber-norms of conduct to incorporate some of the things China has recommended in the China Global Initiative on Data Security from 2020," he said.
Purdy imagines that might take the form of mutual trust agreements between governments, so companies in the US, China, or wherever can operate from a common set of assumptions, with penalties for broken promises similar to those contemplated for privacy violations by Europe's GDPR.
He points to the way Germany oversees the relationship between telecom operators and suppliers as an example of how to proceed. "The operators are responsible for these suppliers that are part of their supply chain to make sure they know what the suppliers are doing," he explained.
"You need a special visibility between operators and suppliers, much greater than we've had in the past, so you have an objective way to know whether the suppliers are doing what they're supposed to be doing.
"I think we need to move toward a system where there's greater visibility and transparency, and much greater accountability, because we really have not been big on accountability in the United States at all and it's really been a mistake," he concluded. ®