WEBVTT
1
00:00:01.100 --> 00:00:01.950
Hi, I'm Matthew Schwartz
2
00:00:01.950 --> 00:00:04.260 line:15%
with Information Security Media Group.
3
00:00:04.260 --> 00:00:05.780 line:15%
And it's my pleasure to welcome Andy Purdy,
4
00:00:05.780 --> 00:00:09.820
CSO of Huawei Technologies USA to the ISMG studios.
5
00:00:09.820 --> 00:00:11.230
Andy, thank you for joining us today.
6
00:00:11.230 --> 00:00:12.100
You're welcome.
7
00:00:12.100 --> 00:00:16.210
So our topic is gonna be predictably, Huawei and 5G.
8
00:00:16.210 --> 00:00:18.320
Talk to me about the security concerns
9
00:00:18.320 --> 00:00:20.800
that come with 5G, please?
10
00:00:20.800 --> 00:00:22.510
Well as Art Coviello talked about yesterday
11
00:00:22.510 --> 00:00:23.620
on a panel session here,
12
00:00:23.620 --> 00:00:25.690 line:15%
he talked about the importance of this community
13
00:00:25.690 --> 00:00:27.630 line:15%
trying to provide some real visibility
14
00:00:27.630 --> 00:00:30.060 line:15%
into what is necessary for security,
15
00:00:30.060 --> 00:00:31.990
what is necessary for transparency.
16
00:00:31.990 --> 00:00:34.899
One of the fundamental things is as we see the progress
17
00:00:34.899 --> 00:00:37.520
of the evolution of 5G,
18
00:00:37.520 --> 00:00:40.010
the community has to be very active in developing
19
00:00:40.010 --> 00:00:43.110
and strengthening the standards and conformance programs,
20
00:00:43.110 --> 00:00:46.730
and making sure folks tell the truth about what 5G is,
21
00:00:46.730 --> 00:00:48.144
what 5G isn't.
22
00:00:48.144 --> 00:00:50.580
It's gonna really help enable jobs,
23
00:00:50.580 --> 00:00:52.070
but we have to make sure we understand
24
00:00:52.070 --> 00:00:54.080
that the likelihood is there
25
00:00:54.080 --> 00:00:55.750
there are gonna be greater security assurance
26
00:00:55.750 --> 00:00:58.220
as we roll under 5G, than under 4G.
27
00:00:58.220 --> 00:00:59.460
Where are we in that standards process?
28
00:00:59.460 --> 00:01:02.010
I mean, things are still developing, are they not,
29
00:01:02.010 --> 00:01:05.600
in terms of you know, the 5G and how it's being implemented?
30
00:01:05.600 --> 00:01:07.030
Well, the 3GPP process
31
00:01:07.030 --> 00:01:09.440
of developing the standards is doing
32
00:01:09.440 --> 00:01:10.610
a step-by-step approach,
33
00:01:10.610 --> 00:01:13.390
as the different business scenarios are rolled out for 5G,
34
00:01:13.390 --> 00:01:16.340
they wanna make sure that they've done the threat mapping,
35
00:01:16.340 --> 00:01:17.480
they've done the risk assessments,
36
00:01:17.480 --> 00:01:19.880
and they've come up with a priority new standard.
37
00:01:19.880 --> 00:01:22.730
So they've identified at least four new standards
38
00:01:22.730 --> 00:01:23.700
that are gonna be required,
39
00:01:23.700 --> 00:01:25.200
that are gonna help increase security.
40
00:01:25.200 --> 00:01:27.150
And so it's really important for the community
41
00:01:27.150 --> 00:01:30.840
to be involved in the next steps to identify
42
00:01:30.840 --> 00:01:33.460
what are the additional standards that need to be developed
43
00:01:33.460 --> 00:01:35.675
before the business scenarios are rolled out.
44
00:01:35.675 --> 00:01:38.222
So I think we need to touch on,
45
00:01:38.222 --> 00:01:40.750
obviously this is a very controversial storm,
46
00:01:40.750 --> 00:01:42.120
and you're at the center of that
47
00:01:42.120 --> 00:01:44.560
when it comes to the discussion of 5G
48
00:01:44.560 --> 00:01:46.510
and the role of your company.
49
00:01:46.510 --> 00:01:48.970
How do you respond to that discussion?
50
00:01:48.970 --> 00:01:52.000
Well, I respond suggesting that it's very important
51
00:01:52.000 --> 00:01:56.440
that experts understand and assess real cybersecurity risk.
52
00:01:56.440 --> 00:01:58.525
This community here at RSA,
53
00:01:58.525 --> 00:02:01.660
they understand that you really can't trust anybody.
54
00:02:01.660 --> 00:02:04.170
They understand the capabilities of malicious actors.
55
00:02:04.170 --> 00:02:06.400
They understand the white noise of cyberspace.
56
00:02:06.400 --> 00:02:08.010
They also understand that with the history,
57
00:02:08.010 --> 00:02:09.740
the long history of the RSA Conference,
58
00:02:09.740 --> 00:02:12.070
now we're moving into a time in humanity
59
00:02:12.070 --> 00:02:14.810
where we can no longer talk the talk of cybersecurity,
60
00:02:14.810 --> 00:02:16.020
we have to walk the walk.
61
00:02:16.020 --> 00:02:18.630
Because we are, as computing power moves to the edge,
62
00:02:18.630 --> 00:02:21.560
we as a society, as organizations and individuals,
63
00:02:21.560 --> 00:02:24.650
are gonna be much more dependent on these capabilities.
64
00:02:24.650 --> 00:02:27.140
And we need to make sure that our privacy's protected,
65
00:02:27.140 --> 00:02:28.450
but we need to make sure these systems
66
00:02:28.450 --> 00:02:29.640
and networks are resilient.
67
00:02:29.640 --> 00:02:31.760
And we need to make sure the experts
68
00:02:31.760 --> 00:02:34.530
help make sure there are conformance and testing programs
69
00:02:34.530 --> 00:02:36.783
to make sure we have a basis for confidence.
70
00:02:38.200 --> 00:02:39.940
It might be too personal a question,
71
00:02:39.940 --> 00:02:41.420
but you're in an interesting position.
72
00:02:41.420 --> 00:02:42.253
You're an American.
73
00:02:42.253 --> 00:02:43.380
You used to work for the US government.
74
00:02:43.380 --> 00:02:45.200
You were with CSC for a long time,
75
00:02:45.200 --> 00:02:46.900
and you've been with Huawei Technologies
76
00:02:46.900 --> 00:02:48.340
in the USA now for a long time.
77
00:02:48.340 --> 00:02:51.440
Is it challenging to discuss these issues
78
00:02:51.440 --> 00:02:54.380
as an American representing a Chinese company
79
00:02:54.380 --> 00:02:58.810
that is being, in the US especially, regularly denigrated?
80
00:02:58.810 --> 00:03:01.450
You know, it's interesting because part of the difficulty
81
00:03:01.450 --> 00:03:04.390
has to do with the fact because I work for Huawei,
82
00:03:04.390 --> 00:03:06.700
people assume what I'm going to say.
83
00:03:06.700 --> 00:03:08.580
And even after I say things,
84
00:03:08.580 --> 00:03:09.940
they don't really listen.
85
00:03:09.940 --> 00:03:13.440
And that can be a little frustrating 'cause I think,
86
00:03:13.440 --> 00:03:14.890
and I had a briefing for it,
87
00:03:14.890 --> 00:03:16.990
a leader of a think tank in Washington last week
88
00:03:16.990 --> 00:03:18.610
and talked about some transparency things
89
00:03:18.610 --> 00:03:20.250
that I'd like to see the community call on us
90
00:03:20.250 --> 00:03:22.470
and yell at the other telecom equipment providers.
91
00:03:22.470 --> 00:03:24.277
And his reaction was, "That's really good.
92
00:03:24.277 --> 00:03:26.460
"This is really important for making cyberspace safer."
93
00:03:26.460 --> 00:03:28.327
But he said, "I'm not sure that's gonna help
94
00:03:28.327 --> 00:03:31.190
"Huawei do business in the United States anytime soon."
95
00:03:31.190 --> 00:03:33.267
And my reaction was, "I don't care.
96
00:03:33.267 --> 00:03:35.280
"This is about making cyberspace safer."
97
00:03:35.280 --> 00:03:38.980
And so people need to go beyond who I work for.
98
00:03:38.980 --> 00:03:42.367
And as Art Coviello said, "Get the experts to come in
99
00:03:42.367 --> 00:03:44.827
"to say what's necessary so we have an objective
100
00:03:44.827 --> 00:03:46.447
"and transparent basis for knowing
101
00:03:46.447 --> 00:03:48.090
"which products are worthy of trust."
102
00:03:48.090 --> 00:03:49.230
And we don't trust anybody,
103
00:03:49.230 --> 00:03:50.470
and certainly don't trust anybody
104
00:03:50.470 --> 00:03:52.420
just because they're headquartered in a country
105
00:03:52.420 --> 00:03:54.030
that is not China.
106
00:03:54.030 --> 00:03:56.680
What would be crucial next steps on the road
107
00:03:56.680 --> 00:03:58.560
to that type of transparency?
108
00:03:58.560 --> 00:03:59.450
And it's interesting.
109
00:03:59.450 --> 00:04:01.350
This came up at RSA in a discussion
110
00:04:01.350 --> 00:04:03.150
with the director of CISA.
111
00:04:03.150 --> 00:04:07.310
The question was we've seen Kaspersky facing questions.
112
00:04:07.310 --> 00:04:08.440
They've pushed for transparency.
113
00:04:08.440 --> 00:04:10.700
We've seen Huawei push for transparency.
114
00:04:10.700 --> 00:04:12.800
You haven't necessarily seen a huge amount of buy-in
115
00:04:12.800 --> 00:04:15.065
from other organizations in the US especially
116
00:04:15.065 --> 00:04:17.240
on this transparency initiative.
117
00:04:17.240 --> 00:04:19.270
What are some of the next steps you would advocate?
118
00:04:19.270 --> 00:04:20.500
Well, it's really two things.
119
00:04:20.500 --> 00:04:22.930
Look at what's happening globally in terms of the standards
120
00:04:22.930 --> 00:04:24.730
generally for 5G.
121
00:04:24.730 --> 00:04:27.090
Look at the standards that we and our competitors
122
00:04:27.090 --> 00:04:28.730
and the mobile operators have helped develop,
123
00:04:28.730 --> 00:04:30.880
the Network Equipment Security Assurance System,
124
00:04:30.880 --> 00:04:33.690
where you have standards for the telecom equipment.
125
00:04:33.690 --> 00:04:34.930
You have testing.
126
00:04:34.930 --> 00:04:37.210
That's necessary for the whole global community
127
00:04:37.210 --> 00:04:39.330
to have a basis for knowing what's worthy of trust.
128
00:04:39.330 --> 00:04:43.000
So while the US may be slow in trying to develop those,
129
00:04:43.000 --> 00:04:45.390
the global community is gonna move ahead.
130
00:04:45.390 --> 00:04:47.660
As for transparency, it shouldn't be about us
131
00:04:47.660 --> 00:04:49.200
having a transparency initiative.
132
00:04:49.200 --> 00:04:52.320
It should be about the US telecoms, the US government,
133
00:04:52.320 --> 00:04:54.700
the major stakeholders calling on Huawei,
134
00:04:54.700 --> 00:04:56.380
calling on Nokia and Ericsson,
135
00:04:56.380 --> 00:04:58.730
telling us to come forward and say what it is
136
00:04:58.730 --> 00:05:00.490
we are doing, what are we trying to do?
137
00:05:00.490 --> 00:05:02.410
And in fact, that community should call
138
00:05:02.410 --> 00:05:03.450
on the equipment suppliers
139
00:05:03.450 --> 00:05:06.257
and say, "You should come up with a set of industry
140
00:05:06.257 --> 00:05:08.137
"minimum security and assurance practices
141
00:05:08.137 --> 00:05:09.870
"for the telecom equipment suppliers."
142
00:05:09.870 --> 00:05:11.210
That should be what they call on us.
143
00:05:11.210 --> 00:05:12.480
It shouldn't be our initiative.
144
00:05:12.480 --> 00:05:14.310
This would help make America safer.
145
00:05:14.310 --> 00:05:16.720
And I hope somebody out there will call on us
146
00:05:16.720 --> 00:05:18.930
and our competitors to be more transparent,
147
00:05:18.930 --> 00:05:21.100
and so we can be held more accountable.
148
00:05:21.100 --> 00:05:23.510
Well, Andy, thank you very much for coming to our studios
149
00:05:23.510 --> 00:05:25.070
and sharing your time and insights today.
150
00:05:25.070 --> 00:05:26.340
You're welcome.
151
00:05:26.340 --> 00:05:28.670
Obviously with Andy Purdy of Huawei USA.
152
00:05:28.670 --> 00:05:31.970
I'm Matthew Schwartz with Information Security Media Group.
153
00:05:31.970 --> 00:05:33.113
Thanks for joining us.