WEBVTT

1
00:00:01.100 --> 00:00:01.950
Hi, I'm Matthew Schwartz

2
00:00:01.950 --> 00:00:04.260 line:15%
with Information Security Media Group.

3
00:00:04.260 --> 00:00:05.780 line:15%
And it's my pleasure to welcome Andy Purdy,

4
00:00:05.780 --> 00:00:09.820
CSO of Huawei Technologies USA to the ISMG studios.

5
00:00:09.820 --> 00:00:11.230
Andy, thank you for joining us today.

6
00:00:11.230 --> 00:00:12.100
You're welcome.

7
00:00:12.100 --> 00:00:16.210
So our topic is gonna be predictably, Huawei and 5G.

8
00:00:16.210 --> 00:00:18.320
Talk to me about the security concerns

9
00:00:18.320 --> 00:00:20.800
that come with 5G, please?

10
00:00:20.800 --> 00:00:22.510
Well as Art Coviello talked about yesterday

11
00:00:22.510 --> 00:00:23.620
on a panel session here,

12
00:00:23.620 --> 00:00:25.690 line:15%
he talked about the importance of this community

13
00:00:25.690 --> 00:00:27.630 line:15%
trying to provide some real visibility

14
00:00:27.630 --> 00:00:30.060 line:15%
into what is necessary for security,

15
00:00:30.060 --> 00:00:31.990
what is necessary for transparency.

16
00:00:31.990 --> 00:00:34.899
One of the fundamental things is as we see the progress

17
00:00:34.899 --> 00:00:37.520
of the evolution of 5G,

18
00:00:37.520 --> 00:00:40.010
the community has to be very active in developing

19
00:00:40.010 --> 00:00:43.110
and strengthening the standards and conformance programs,

20
00:00:43.110 --> 00:00:46.730
and making sure folks tell truth about what 5G is,

21
00:00:46.730 --> 00:00:48.144
what 5G isn't.

22
00:00:48.144 --> 00:00:50.580
It's gonna really help enable jobs,

23
00:00:50.580 --> 00:00:52.070
but we have to make sure we understand

24
00:00:52.070 --> 00:00:54.080
that the likelihood is there

25
00:00:54.080 --> 00:00:55.750
there are gonna be greater security assurance

26
00:00:55.750 --> 00:00:58.220
as we roll under 5G, than under 4G.

27
00:00:58.220 --> 00:00:59.460
Where are we in that standards process?

28
00:00:59.460 --> 00:01:02.010
I mean, things are still developing, are they not,

29
00:01:02.010 --> 00:01:05.600
in terms of you know, the 5G and how it's being implemented?

30
00:01:05.600 --> 00:01:07.030
Well the well the 3GPP process

31
00:01:07.030 --> 00:01:09.440
of developing the standards is doing

32
00:01:09.440 --> 00:01:10.610
a step-by-step approach,

33
00:01:10.610 --> 00:01:13.390
as the different business scenarios are rolled out for 5G,

34
00:01:13.390 --> 00:01:16.340
they wanna make sure that they've done the threat mapping,

35
00:01:16.340 --> 00:01:17.480
they've done the risk assessments,

36
00:01:17.480 --> 00:01:19.880
and they've come up with a priority new standard.

37
00:01:19.880 --> 00:01:22.730
So they've identified at least four new standards

38
00:01:22.730 --> 00:01:23.700
that are gonna be required,

39
00:01:23.700 --> 00:01:25.200
that are gonna help increase security.

40
00:01:25.200 --> 00:01:27.150
And so it's really important for the community

41
00:01:27.150 --> 00:01:30.840
to be involved in the next steps to identify

42
00:01:30.840 --> 00:01:33.460
what are the additional standards that need to be developed

43
00:01:33.460 --> 00:01:35.675
before the business scenarios are rolled out.

44
00:01:35.675 --> 00:01:38.222
So I think we need to touch on,

45
00:01:38.222 --> 00:01:40.750
obviously this is a very controversial storm,

46
00:01:40.750 --> 00:01:42.120
and you're at the center of that

47
00:01:42.120 --> 00:01:44.560
when it comes the discussion of 5G

48
00:01:44.560 --> 00:01:46.510
and the role of your company.

49
00:01:46.510 --> 00:01:48.970
How do you respond to that discussion?

50
00:01:48.970 --> 00:01:52.000
Well, I respond suggesting that it's very important

51
00:01:52.000 --> 00:01:56.440
that experts understand and assess real cybersecurity risk.

52
00:01:56.440 --> 00:01:58.525
This community here at RSA,

53
00:01:58.525 --> 00:02:01.660
they understand that you really can't trust anybody.

54
00:02:01.660 --> 00:02:04.170
They understand the capabilities of malicious actors.

55
00:02:04.170 --> 00:02:06.400
They understand the white noise of cyberspace.

56
00:02:06.400 --> 00:02:08.010
They also understand that with the history,

57
00:02:08.010 --> 00:02:09.740
the long history of the RSA Conference,

58
00:02:09.740 --> 00:02:12.070
now we're moving into a time in humanity

59
00:02:12.070 --> 00:02:14.810
where we can no longer talk the talk of cybersecurity,

60
00:02:14.810 --> 00:02:16.020
we have to walk the walk.

61
00:02:16.020 --> 00:02:18.630
Because we are, as computing power moves to the edge,

62
00:02:18.630 --> 00:02:21.560
we as a society, as organizations and individuals,

63
00:02:21.560 --> 00:02:24.650
are gonna be much more dependent on these capabilities.

64
00:02:24.650 --> 00:02:27.140
And we need to make sure that our privacy's protected,

65
00:02:27.140 --> 00:02:28.450
but we need to make sure these systems

66
00:02:28.450 --> 00:02:29.640
and networks are resilient.

67
00:02:29.640 --> 00:02:31.760
And we need to make sure the experts

68
00:02:31.760 --> 00:02:34.530
help make sure there are conformance and testing programs

69
00:02:34.530 --> 00:02:36.783
to make sure we have a basis for confidence.

70
00:02:38.200 --> 00:02:39.940
It might be too personal a question,

71
00:02:39.940 --> 00:02:41.420
but you're in an interesting position.

72
00:02:41.420 --> 00:02:42.253
You're an American.

73
00:02:42.253 --> 00:02:43.380
You used to work for the US government.

74
00:02:43.380 --> 00:02:45.200
You were with CSC for a long time,

75
00:02:45.200 --> 00:02:46.900
and you've been with Huawei Technologies

76
00:02:46.900 --> 00:02:48.340
in the USA now for a long time.

77
00:02:48.340 --> 00:02:51.440
Is it challenging to discuss these issues

78
00:02:51.440 --> 00:02:54.380
as an American representing a Chinese company

79
00:02:54.380 --> 00:02:58.810
that is being, in the US especially, regularly denigrated?

80
00:02:58.810 --> 00:03:01.450
You know, it's interesting because part of the difficulty

81
00:03:01.450 --> 00:03:04.390
has to do with the fact because I work for Huawei,

82
00:03:04.390 --> 00:03:06.700
people assume what I'm going to say.

83
00:03:06.700 --> 00:03:08.580
And even after I say things,

84
00:03:08.580 --> 00:03:09.940
they don't really listen.

85
00:03:09.940 --> 00:03:13.440
And that can be a little frustrating 'cause I think,

86
00:03:13.440 --> 00:03:14.890
and I had a briefing for it,

87
00:03:14.890 --> 00:03:16.990
a leader of think tank in Washington last week

88
00:03:16.990 --> 00:03:18.610
and talked about some transparency things

89
00:03:18.610 --> 00:03:20.250
that I'd like to see the community call on us

90
00:03:20.250 --> 00:03:22.470
and yell at the other telecom equipment providers.

91
00:03:22.470 --> 00:03:24.277
And his reaction was, "That's really good.

92
00:03:24.277 --> 00:03:26.460
"This is really important for making cyberspace safer."

93
00:03:26.460 --> 00:03:28.327
But he said, "I'm not sure that's gonna help

94
00:03:28.327 --> 00:03:31.190
"Huawei do business in the United States anytime soon."

95
00:03:31.190 --> 00:03:33.267
And my reaction was, "I don't care.

96
00:03:33.267 --> 00:03:35.280
"This about making cyberspace safer."

97
00:03:35.280 --> 00:03:38.980
And so people need to go beyond who I work for.

98
00:03:38.980 --> 00:03:42.367
And as Art Coviello said, "Get the experts to come in

99
00:03:42.367 --> 00:03:44.827
"to say what's necessary so we have an objective

100
00:03:44.827 --> 00:03:46.447
"and transparent basis for knowing

101
00:03:46.447 --> 00:03:48.090
"which products are worthy of trust."

102
00:03:48.090 --> 00:03:49.230
And we don't trust anybody,

103
00:03:49.230 --> 00:03:50.470
and certainly don't trust anybody

104
00:03:50.470 --> 00:03:52.420
just because they're headquartered in a country

105
00:03:52.420 --> 00:03:54.030
that is not China.

106
00:03:54.030 --> 00:03:56.680
What would be crucial next steps on the road

107
00:03:56.680 --> 00:03:58.560
to that type of transparency?

108
00:03:58.560 --> 00:03:59.450
And it's interesting.

109
00:03:59.450 --> 00:04:01.350
This came up at RSA in a discussion

110
00:04:01.350 --> 00:04:03.150
with the director of CISA.

111
00:04:03.150 --> 00:04:07.310
The question was we've seen Kaspersky facing questions.

112
00:04:07.310 --> 00:04:08.440
They've pushed for transparency.

113
00:04:08.440 --> 00:04:10.700
We've seen Huawei push for transparency.

114
00:04:10.700 --> 00:04:12.800
You haven't necessarily seen a huge amount of buy-in

115
00:04:12.800 --> 00:04:15.065
from other organizations in the US especially

116
00:04:15.065 --> 00:04:17.240
on this transparency initiative.

117
00:04:17.240 --> 00:04:19.270
What are some of the next steps you would advocate?

118
00:04:19.270 --> 00:04:20.500
Well, it's really two things.

119
00:04:20.500 --> 00:04:22.930
Look at what's happening globally in terms of the standards

120
00:04:22.930 --> 00:04:24.730
generally for 5G.

121
00:04:24.730 --> 00:04:27.090
Look at the standards that we and our competitors

122
00:04:27.090 --> 00:04:28.730
and the mobile operators have helped develop,

123
00:04:28.730 --> 00:04:30.880
the Network Equipment Security Assurance System,

124
00:04:30.880 --> 00:04:33.690
where you have standards for the telecom equipment.

125
00:04:33.690 --> 00:04:34.930
You have testing.

126
00:04:34.930 --> 00:04:37.210
That's necessary for the whole global community

127
00:04:37.210 --> 00:04:39.330
to have a basis for knowing what's worthy of trust.

128
00:04:39.330 --> 00:04:43.000
So while the US may be slow in trying to develop those,

129
00:04:43.000 --> 00:04:45.390
the global community is gonna move ahead.

130
00:04:45.390 --> 00:04:47.660
As for transparency, it shouldn't be about us

131
00:04:47.660 --> 00:04:49.200
having a transparency initiative.

132
00:04:49.200 --> 00:04:52.320
It should be about the US telecoms, the US government,

133
00:04:52.320 --> 00:04:54.700
the major stakeholders calling on Huawei,

134
00:04:54.700 --> 00:04:56.380
calling on Nokia and Ericsson,

135
00:04:56.380 --> 00:04:58.730
telling us to come forward and say what it is

136
00:04:58.730 --> 00:05:00.490
we are doing, what are we trying to do?

137
00:05:00.490 --> 00:05:02.410
And in fact, that community should call

138
00:05:02.410 --> 00:05:03.450
on the equipment suppliers

139
00:05:03.450 --> 00:05:06.257
and say, "You should come up with a set of industry

140
00:05:06.257 --> 00:05:08.137
"minimum security and assurance practices

141
00:05:08.137 --> 00:05:09.870
"for the telecom equipment suppliers."

142
00:05:09.870 --> 00:05:11.210
That should be what they call on us.

143
00:05:11.210 --> 00:05:12.480
It shouldn't be our initiative.

144
00:05:12.480 --> 00:05:14.310
This would help make America safer.

145
00:05:14.310 --> 00:05:16.720
And I hope somebody out there will call on us

146
00:05:16.720 --> 00:05:18.930
and our competitors to be more transparent,

147
00:05:18.930 --> 00:05:21.100
and so we can be held more accountable.

148
00:05:21.100 --> 00:05:23.510
Well, Andy, thank you very much for coming to our studios

149
00:05:23.510 --> 00:05:25.070
and sharing your time and insights today.

150
00:05:25.070 --> 00:05:26.340
You're welcome.

151
00:05:26.340 --> 00:05:28.670
Obviously with Andy Purdy of Huawei USA.

152
00:05:28.670 --> 00:05:31.970
I'm Matthew Schwartz with Information Security Media Group.

153
00:05:31.970 --> 00:05:33.113
Thanks for joining us.