After more than a year of posturing over whether it was safe to integrate Huawei's equipment into the UK’s telecom network, the Prime Minister finally made a decision. Last January, Boris Johnson decided to allow not only Huawei but also other companies deemed “high-risk” limited access to Britain's 5G networks.
Across the pond, this decision infuriated President Trump and with good reason. The recent revelation that the Chinese military was behind a major data breach at the credit-reporting agency Equifax in 2017 confirms our fears.
Protecting critical IT infrastructures from both hackers and government-sponsored threat actors has reached a critical stage, but to achieve it, we have to carefully navigate through networks of increasing complexity and volatility.
The concerns surrounding Huawei is directly attributed to its Chinese origin. As most successful Chinese companies have close ties to the ruling Communist Party, there’s always fear that they would be forced to install backdoors that allow intelligence agencies (and competitors) access to traffic passing through the network.
Although there’s hardly any evidence of wrongdoing, concerns persist as Huawei's founder and president, Ren Zhengfei, who joined the Communist Party in 1978, was also an engineer in China's army.
As a result, core parts of the UK's Critical National Infrastructure, communication networks, and sensitive nuclear and military sites will remain off-limits. Furthermore, the government has also restricted how much of the network the company can own to 35%.
This story begs the question, is transparency critical to cybersecurity?
Paul Hague, CEO and Co-Founder of BlackDice put it best when he said “by the very nature of the industry, transparency is difficult at every level.”
According to Michael Fontana, Director at Optionbox, “transparency with cybersecurity is vital. Businesses rely on a piece of software to protect their hardware and data, but it’s difficult to say how they are being protected. Many cybersecurity companies don’t detail how they’re actually protecting your data, which is a huge concern. This concern is even greater when you consider that businesses such as Avast actually sell customer data to advertisers. That’s why transparency is of utmost importance—you need to know how your data is actually being protected.”
(You can read about Avast’s response HERE).
The video conferencing app Zoom recently made the headlines because of privacy concerns. Soon after, they were found to be using their own definition of the term and not actually implementing end-to-end encryption claimed on their website, marketing materials, and in their security whitepaper.
Then the company got caught routing calls made in North America through data centers in China along with the encryption keys used to secure those calls. This puts all these Zoom conversations at risk as they’re obligated to share the encryption keys with Chinese authorities upon request.
Such incidents make it critical for companies to be thorough with their vetting process. “I’m sure that in any other walk of life, you would want to know. With the social media record on data and security, would you trust them with a smart lock? Probably not; so organizations and consumers must research where the ultimate buck stops and make an informed decision, with all the information, about whether it is appropriate or not,” Hague added.
In-Depth Research Helps Build a Secure Future
As cybersecurity is critical to maintaining compliance and business continuity, it's essential to check out the background of each third-party partner. Even if their role on your enterprise network is small, it's vital to do a background check.
Mateo Meier, Founder and CEO of Artmotion, “thorough research at all levels definitely helps ensure security. That’s why we are transparent about all the hardware and software we use and even encourage our clients to visit our data centers in Switzerland.”
While this might sound like common sense, it’s still far from the norm. “Do you research who owns a cybersecurity company before purchasing their security tools? Most businesses don’t, which can be damning. Who owns the VPN provider that’s meant to be protecting you? Who created the security software that you rely on to keep your hardware and data safe? If you don’t know the answers to these questions, it’s possible that there are malicious practices going on in the background that you’re unaware of. It is crucial that you know who owns the cybersecurity company you’re working with or who created the security software you rely on,” Fontana added.
Cybersecurity is an ongoing commitment, and transparency certainly helps make it a little easier. If you’re not getting answers to your questions, then it’s best to move on to another, more responsive software or hardware provider.
Cyber Resilience Depends on Regular Comprehensive Reviews
After you have partnered with “safe” and reliable companies that support your technology infrastructure, your job is not finished. You have to continue to monitor every hardware and software that you have added to your network. Even when working with reputable businesses, you have to be alert to mistakes and vulnerabilities that need to be patched immediately.
“In a rapidly changing threat landscape, cybersecurity is everyone’s responsibility. We have to use available tools, technologies, knowledge, and experience to stay a step ahead of threat actors. We have to have programs in place to monitor the environment, patch known vulnerabilities, engage in penetration testing, and evolve with the threat. Part of this process is to keep track of ownership. If another business bought the company you're working with, you have to take the time to find out what they are all about," Meier added.
As the world gets more connected, smart cities will need cybersecurity protocols deployed at the micro and macro level. Our collective effort will go a long way to help secure the national infrastructure from the potential threat of hackers and rogue governments that seek to destabilize society.
“Any product or solution is as secure as its weakest link. Knowing how a product is built, both its software and hardware, is critical. We always say that most of this is hiding in plain sight, so do your homework and ask the questions,” Hague advised.
It’s an endless game of cat and mouse. Taking a security-first approach that demands transparency will help avert regulatory fines while making life (hopefully) more difficult for threat actors.