Huawei is understandably frustrated. The company has been accused by the U.S., UK and others of improper ties to the Chinese government and punished without any proof of wrongdoing. The company has done everything it can to address those concerns short of exiting its home country, and not only is it not enough, but no one can seem to figure out if there is even a path out of the current dilemma.
Last week Huawei launched its 7th global Security Transparency Center, where prospective and existing customers can dig into products and confirm they are secure. Huawei spends, on average, 5% of revenue, or a third of its R&D budget, on security research. These efforts show that security and transparency are top priorities, but they have swayed no one.
Huawei’s frustration goes beyond this guilty-until-proven-innocent problem. Company officials are frustrated that, worldwide, security requirements are all over the map. Last week, as part of the opening for their new Chinese Security Transparency Center, Huawei officials expressed a critical need for a common set of auditable security standards, placing every company, regardless of where it resides, on an even playing field.
This won’t solve every major cybersecurity challenge facing the planet, but it could be an important step toward global coordination on the issue. China doesn’t trust U.S. companies, the U.S. doesn’t trust Chinese companies, cooperation across borders is pretty pathetic, and criminals are getting away with the money. If you can establish a regularly updated international testing standard that everyone must pass, then governments shouldn’t compromise the tech, and firms could go back to selling. Way too much is being spent on making examples of companies that may have done nothing wrong instead of putting that same effort into better assuring the products and going after the criminals.
Cybersecurity is a mess
Between criminal organizations like DarkSide, which was behind the Colonial Pipeline ransomware attack, and hostile governments like Iran, which has released fake ransomware that deletes rather than encrypts files, we have a severe security problem at the moment. The easiest attack vector is still employees who don’t stop to think before clicking links or installing untrustworthy apps, and the resulting damages are increasingly material to the countries facing them. The Biden Administration has raised its response to cyber attacks to the level of terrorist attacks, suggesting that the state of cybersecurity has become dire, and the G7 nations have followed with a call to Russia and other nations to crack down on ransomware gangs.
Here in the U.S., we’ve had several successful attacks on infrastructure running everything from food to transportation, and we are far from done. However, the FBI’s recent successful recovery of the Bitcoin ransom from DarkSide, coupled with escalating responses, undoubtedly hurts all but the criminal entities with government backing.
And while enforcement is a significant part of this battle, without consistent rules and regulations, consistent oversight, and consistent methods to assure compliance, we’ll never get out of this mess.
Huawei’s unique need and value
Huawei is under a security cloud, not for anything they’ve been found to be doing wrong, but because of a widely held belief that they are somehow an agent for their government. Perhaps Huawei’s employee-owned business model has also earned it the enmity of global financial powers.
But suppose there were consistent and consistently enforced cybersecurity rules that crossed borders. In that case, Huawei could then focus on complying with those rules and dig out from under the image cloud that currently defines the company outside of China. Granted, they could also execute an image recovery program like Louis Gerstner pulled off at IBM, or more closely emulate Lenovo’s split country management model, to remove a lot of the Chinese stigma. Still, those efforts are relatively unique and require scarce skills, particularly in the tech segment, and are almost non-existent in China.
But the result of better standards would be a more secure world, and a fairer one for companies everywhere, including U.S. companies that aspire to do business in China.
In short, if the world truly wants to be more secure, it needs to come together before an ill-conceived government-backed hack starts an even more serious incident. A good place to start would be the arbitrary decisions that wind up wasting time and effort — and the security tools that could help us climb out of this mess.
A step toward better cybersecurity
Its mistreatment aside, Huawei is an example of how we might better assure global cybersecurity. By requiring practices like the Huawei Security Transparency Center for every significant technology supplier, customers and governments could be better assured of the quality of products that are on the market. Kaspersky has taken a similar approach by allowing independent review of its source code.
Huawei’s suggestion of common worldwide standards and rules that are enforced across borders would reduce the costs of international compliance while improving the overall security for the world. Granted, I doubt that an effort like this is in the cards yet. Still, a hack that resulted in a war or did massive worldwide damage might motivate the necessary worldwide response. Hopefully we can get there before that happens.
We still aren’t taking security seriously enough globally and, until that changes, Huawei’s vision of a more secure world where all companies can fairly compete may be beyond reach.