PARTNER INTERVIEW: ZTE chief security officer Zhong Hong (pictured) outlines the company’s open and collaborative approach to mitigating cybersecurity risks for 5G networks and stresses the importance of stakeholders taking an impartial and neutral stance at all levels.
Mobile World Live: Why has cybersecurity become even more critical as operators move to 5G and other complex, next-generation networks?
Zhong Hong: Cybersecurity is always a fundamental factor in the telecoms industry. It has now become even more critical because the deployment of 5G is seeing an increase in the potential attack surfaces and threat landscape with the introduction of new technologies, techniques and capabilities.
The ability of 5G to support massive IoT connectivity introduces many times more devices connected to the network, presenting a wide reaching and increased attack surface. The move towards virtualisation of network functions through software defined networks and network functions virtualisation technologies brings about potentially new attack surfaces within the software itself and the virtualisation infrastructure that supports the software. Other 5G technologies such as network slicing and multi-service edge computing also impose new cybersecurity concerns.
5G from the outset has been developed with security features and functions built in as standardised. 3GPP defined the 5G security architecture and developed a wide range of security specifications based on various scenarios. These include, for example, the user-plane integrity protection mechanism and the specification against false base stations. The organisation is still updating the specifications with more security features.
As a major player in the industry, ZTE has been keenly aware of cybersecurity issues from the very beginning and continues to enhance its internal security governance by implementing security by design and security by default. We follow network security specifications and make external contributions to standardisation efforts.
Are governments around the world justified in raising security questions about particular network equipment suppliers?
The security of telecoms networks and all critical infrastructure has always been considered an important issue for the security of each country, and each is justified in raising questions about all aspects of security. But we believe it is important to take an impartial and neutral point of view on every issue, and treat everyone concerned in an equal way.
Security is a common goal, which should be achieved by joint efforts of governments, operators, standardisation and industry organisations, equipment suppliers and even users, rather than challenging particular network equipment suppliers. Equipment suppliers are just one part of the industry chain to achieve this common goal.
We hope that governments apply common rules, duties and responsibilities to all suppliers, and select equipment suppliers based on a technical and evidence-based approach.
What steps is ZTE taking to give customers confidence about end-to-end security?
Through openness and transparency, we try to give our customers confidence by letting them see what we do and how we provide end-to-end security.
Internally, we have a holistic internal security governance process to address security assurance. We embed security across all business units, including supply chain, R&D, delivery, maintenance and incident response. We adopt the Three Lines of Defence organisational structure and make continuous improvements in technology and management according to industry standards and best practices.
We welcome independent assessments and audits in our cybersecurity labs, including source code review, document review and penetration testing to verify our products, services and processes. Our lab in Brussels is capable of building a 5G environment for testing.
We actively engage in global organisations and seek collaboration with regulators, well-known security firms and labs, and other stakeholders for security assessment, certification and capability building.
We also keep open-minded during the transparency process and consider suggestions and findings from customers and third parties to continuously make improvement, thus making networks more secure.
How is ZTE investing to ensure its network gear and the supporting systems meet global security standards?
One of our top priorities is to comply with technical standards and industry best practices on cybersecurity when developing network gear and supporting systems.
Keeping security by design and security by default in mind, ZTE is an active contributor in global security standards development. Since 2003, a professional security standard team has been built to meet standard requirements from each business unit. So far, ZTE has been deeply involved in security works in standards development organisations (SDOs) such as 3GPP, ITU-T, the European Telecommunications Standards Institute (ETSI) and the Internet Engineering Task Force (IETF). ZTE proposed more than 500 contributions on 5G network and virtualisation security, and acts as one of the rapporteurs of the 3GPP Security Assurance Specification series. A ZTE expert also served as vice chairman for the ITU-T Study Group 17 on security for two consecutive terms (2012 to 2016 and 2017 to 2020).
ZTE actively engages in activities of industry associations. Last year, GSMA developed the industry-recognised Network Equipment Security Assurance Scheme (NESAS). ZTE is a member of GSMA and actively engages in NESAS.
By following industry best practices, ZTE obtained international certifications, including ISO 27001 information security management, which is updated annually, ISO 28000 supply-chain security management, ISO 22301 business continuity management, and ISO/IEC 27701: 2019 privacy information management, which covers R&D and maintenance for 5G New Radio and Unified Management Expert. We also expect uniform cybersecurity standards and certification schemes to achieve the objective of secure networks.
How important is collaboration and how are you engaging with global organisations to mitigate cybersecurity risks?
We see collaboration as a critical approach to mitigate cybersecurity risks with all stakeholders, including regulators, telecoms operators, service providers, equipment suppliers, standards development organisations (SDOs), associations, security companies, academic institutions, the media and users.
Telecoms operators, with the help of equipment suppliers like us, build secure and trustworthy networks to provide reliable network services to end-users. Our sub-suppliers such as IT suppliers provide secure components, and specialised third-party companies offer advanced security tools and security assessment and verification services. Through collaboration, all players involved make joint efforts to achieve the goal of security.
Among all stakeholders, global organisations play a vital role in standards development, coordination and information sharing. On one hand, our engagement with SDOs and industry associations aims to enhance cybersecurity from the outset for the architecture and design. We are contributors for 3GPP, ETSI and ITU, and also play an active role with GSMA. On the other hand, we coordinate with global communities in threat awareness and incident handling. We are a full member of Forum of Incident Response and Security Teams (FIRST) and CVE Numbering Authorities (CVD), and we follow the GSMA CVD programme to mitigate and fix vulnerabilities to protect our customers’ networks.
How flexible are your systems – do customers using your network gear have the ability to prioritise security and privacy parameters?
We believe customers should have choice to enable appropriate security for their networks and users. To this end, we implement security in our technological solutions and follow the principles of security by design and security by default to give customers access to the deployments according to their specific needs.
An example is one of our recent solutions designed for 5G vertical industry applications, which supports customised network slicing transmission through end-to-end encryption, and the operator can flexibly deploy the security features for its network and service to protect user data.