Partner interview: Ahead of the GSMA’s Mobile 360 Privacy & Security event, Mobile World Live spoke with Donald A. Purdy Jnr, chief security officer at Huawei Technologies USA, who outlined the company’s strategy to help enterprises and operators minimise the risk of malicious attacks. Purdy also offered his perspective on the recent high-profile standoff between Apple and the FBI.
MWL: Why does the new era of cloud, IoT and big data pose privacy and security challenges for enterprises?
Donald Purdy: To fully reap the benefits of these new technologies, privacy and security should be built in, and not an afterthought. Therefore, it is important to work on questions such as: Who has the authority or responsibility to regulate, oversee or enforce compliance, and what should be the mandated requirements or recommended practices to protect the confidentiality, integrity, and availability of the data, and should there be requirements to prove or verify conformance? Another valid question is: What are the rights of those who are the subject of the data or who created or own the data; who has the authority and statutory, regulatory, and/or fiduciary responsibility to enable those with rights to make choices about how the data will be protected and with whom it will be shared?
In addition to the issues raised above, that to some extent cut across all of these technologies and capabilities, some issues arise in the context of IoT and 5G specifically: what will be the standards or best practices – and who will determine them – regarding: (1) the security and assurance related to the enabling technologies such as consumer devices, controllers, and other communication infrastructure; (2) the need for an enhanced security ecosystem to enable and protect the different virtual enclaves or slices of cyberspace – and authenticate access to them and protect that private data — that will allow a new dimension of value from ICT permitting users with similar needs to seamlessly proceed from and through the different enclaves of cyberspace that may have dramatically different requirements for latency, privacy, and security. Think of how significant the differences can be in requirements for driverless cars, remote surgeries, healthcare and industrial control systems.
These are all issues that, if well managed, can help users reap the most benefits from these new technologies.
The attack surfaces will change with the introduction of IoT; no longer will the perimeter defences be adequate as the inflection points will be scattered around the physical environment. It will be difficult to continue to defend against attacks in the various environments or virtual enclaves.
In relation to cloud, as more critical data will be hosted in the cloud, traditional perimeter defences will be inadequate and cloud providers may need to take on regulations and policies of companies they are hosting. This will be a challenge for cloud providers.
How can enterprises protect themselves technically from being hacked?
DP: It is impossible to eliminate all risk of being hacked. However, there are a number of things that the leadership of an organisation should do to appropriately manage the risk that is customised for the risk posture of that organisation.
It starts with an organisation-wide commitment by the board of directors (if there is one), senior leaders, and senior managers to manage privacy and security risk as part of their enterprise risk management programs.
There should be an organisation-wide governance framework in place that enables senior leadership to exercise their responsibilities as owners of risk, including visibility into how well risk is being managed, responsibilities are being exercised, and the risk management program is being improved on a continuous basis as needed.
Moreover, the organisation should identify and implement requirements for risk identification and mitigation that are appropriate for all key functions of the organisation and the functions/responsibilities of groups/teams and individuals with special responsibilities, and develop, implement, and oversee robust oversight and implementation mechanisms based on principles of separation of duties and a system of performance measures for key groups and individuals.
Last, but not least, it is important to implement a system of verification, audit and accountability to confirm, encourage, and reward conformance, discourage non-conformance, and punish wrongdoing.
Enterprises will need to implement governance and policies to better protect themselves and their environment. Reactive, technical controls in the absence of a strong governance and accountability framework and mechanism are not likely to be effective.
Cloud services in particular raise regulatory issues. What are they?
DP: Cloud service allows many small and medium enterprises to provide their services online at a low cost. Also consumers can benefit greatly from this technology. The industry and regulators are now looking at what is to be regulated – where data is located, jurisdictions through which data passes or is received, where the keys are held from which access can be obtained, what rights do the owners or subjects of the data have? Who has the authority to regulate and to what extent, and how can the regulations be informed, realistic, and effective? How can law enforcement and regulators reconcile and coordinate between and among jurisdictions that have overlapping or concurrent authority? These are all pressing issues we need to tackle in joint collaboration.
Among the organisations that are contributing to address these challenges are the Cloud Security Alliance and the Open Data Center Alliance.
Is there a business opportunity for traditional telecoms vendors and mobile operators from the new era we are entering?
DP: In general, innovative, cutting-edge companies can provide the IT infrastructure – and the supporting hardware and software — to make these technologies possible, affordable, adaptable, interoperable, and secure. Traditional vendors and operators can benefit in several ways: by connecting business and individual customers to traditional as well as web content using existing and evolving packaging/bundling strategies, serving as a one-stop shop for access to nearly everything in cyberspace, and providing a secure authenticated interface to the services that will be available as virtual enclaves or special-purpose neighbourhoods of the web with different latency and security requirements.
More specifically, in relation to Mobile Network Operators they are in the best position for IoT, as the NB-IoT standard will be ratified by mid-2016. This will then allow devices to be developed to connect to the mobile networks. Mobile operators will have the benefit of existing networks so cost of deployment will be much lower and innovation will be a strong driver. In relation to cloud providers, they can leverage their governance and control to implement appropriate policies as well as utilising their global footprint for deployment.
What developments does Huawei see over the next five or ten years shaping the privacy and security debate?
DP: The debate will be impacted by a number of probable developments, but most importantly, by the fact that we will see many more connections and rapidly increasing data volumes, which bring numerous security and privacy implications into play.
The maturation of cloud and software defined networks will mean that most enterprises will own little, if any, IT infrastructure and will pay for access and services as they use and consume, just like any other utility such as water, gas, and electricity. Dramatically increased product interoperability will likely reduce costs as many products are commoditised.
IoT (eg sensors) and 5G, and AI (Artificial Intelligence) will undoubtedly enable technology to help organisations and individuals in real time. IoT will be perhaps the most significant driver of a new security debate. This has already started as it not only changes the attack surface but it makes securing the physical and logical worlds increasingly difficult.
There is likely to be a huge increase in direct, peer-to-peer and machine-to-machine communications, which will allow communications that totally bypass the operators, which now perform a security function in guarding access to their networks (requiring users to log in to gain access). The benefits of big data to business and private life will be everywhere.
One of the great enablers and differentiators for successful companies will be the ability to provide valuable services.
It is anticipated by many that at some time in the future supercomputing will be able to break all encryption, thus eliminating perhaps the most important weapon in the security arsenal.
As hyper-connected users and organisations expect and depend on real-time, secure access, there will be significant challenges to permit high-speed access while at the same time protecting personal authentication credentials, data about all activities and interactions in cyberspace and the real world, and most personal information about all individuals and organisations.
Recently there has been a debate in the US about Apple refusing to give the FBI a backdoor into an iPhone used by a terrorist. Where should the line be drawn between user privacy and the law?
DP: Regarding privacy protection, Huawei advocates that all governments, industry stakeholders, and customers should work together in an open and transparent manner to jointly address this challenge, and believes we will eventually reach the balance between safeguarding society and ensuring privacy through open dialogues and discussions. Huawei takes data integrity very seriously – we are committed to protecting the privacy of consumers enjoying the convenience of new technologies.
Speaking for myself from a personal perspective, I don’t know where to draw that line. For many years in the US there was a balance that protected both interests. Historically we have wanted to create and protect some expectation of privacy in our everyday lives while we have also wanted to facilitate legitimate and timely law enforcement access to certain communications using legal process based on proscribed requirements, to fight and deter wrongdoing, and protect private individuals and organisations from that wrongdoing, and investigate after the fact.
At one extreme, unrestrained law enforcement access to all information about our daily lives would probably maximize the ability of government to find and punish wrongdoing and even prevent some potentially horrific acts – even catastrophic acts of terrorism. But at what cost? It would essentially eliminate our online privacy rights and would empower governments who want to root out certain kinds of conduct, or free expression, to do so with near impunity. If companies like Apple are forced to provide access equivalent to a backdoor this could also have a significant impact on IoT, because this would arguably provide access to all IoT devices.
If “backdoors” are inserted into products it is only a matter of time before they are discovered, reverse-engineered, and made available to criminals and other persons and organizations with malevolent intentions. As we entrust much of our personal data onto these devices – including passwords and other sensitive information which control access to online banking, healthcare, and other websites and services – we will essentially be making that information eventually accessible to criminals and others. Even with backdoors in place, law enforcement and the intelligence community will be thwarted by the use of third-party encryption technologies installed by individual users who want to keep their data private.
At the other extreme, what if miscreants could communicate online freely with virtually no ability of law enforcement to use online communication tools to detect impending malicious acts or even effectively investigate their origin, scope, or aftermath? Are there adequate alternative tools for law enforcement to use?
Again from Huawei’s perspective, we believe we will eventually reach the right balance between safeguarding society and ensuring privacy through open dialogues and discussions.