Yoann Klein, Senior Cyber Security Advisor, Huawei
Mr. Klein, could you please present yourself to our readers: your educational and professional background, and your role at Huawei?
I am the holder of a master’s degree specialized in Telecommunications and Computing, awarded by IMT Lille Douai, a civil engineering school located in north of Paris.
Prior to joining Huawei, I have been working almost 15 years for major European cyber companies such as Airbus and Thales. All along my career, I had the opportunity to take technical authority roles and to lead cyber engineering teams operating in various critical environments such as defense, public safety, aeronautics, space and transportation.
I am now senior cyber security advisor based in the Huawei Cyber Security and Transparency Center in Brussels. I am part of the Huawei Global Cyber Security Privacy Office (GSPO). This global entity oversees the enhancement and implementation of Huawei’s end-to-end global cyber security assurance system, which includes monitoring and improving all aspects of information security across the company’s global supply chain, in addition to the management of the trusted delivery process.
You are based at the Huawei Cyber Security Transparency Centre in Brussels, and focusing on 5G and IoT security areas. What scope of activities does that include?
Established in Brussels, the Huawei Cyber Security and Transparency Centre opened its doors on March 2019. It provides a platform to enhance communication and joint innovation with all stakeholders, public and private. It also provides a technical verification and evaluation platform for our customers.
Openness, Collaboration and Transparency are really the three words driving this initiative.
“Openness” as we showcase our end-to-end cyber security practices, from strategies and supply chain to R&D through presentations, videos, demos involving Huawei’s products and solutions in areas such as 5G, IoT, cloud, etc.
“Collaboration” as we organize dedicated expert workshops and conferences with key stakeholders (standard organizations, regulators, national authorities, etc.) on cyber security practices, to explore and promote the development of security standards, verification mechanisms, and technological innovation in cyber security across the industry.
And eventually “Transparency” as we provide a product security testing and verification platform to Huawei customers and 3rd party laboratories. It includes black box and white box (with access to source code) environments. We can simultaneously carry out 5 projects of products and platform in Brussels.
During 2018, the 3rd Generation Partnership Project (3GPP) SA3 held seven meetings. 74 companies sent technical experts to attend the meetings, with the key objective of formulating 5G security standards. The 3GPP SA3 has comprehensively analyzed 5G threats and risks in 17 security areas. Can you name those areas and what are the biggest security threats and risks related to them?
Within the 3GPP Technical Specification Group Service and System Aspects (TSG SA), the main objectives of 3GPP TSG SA WG3 (SA3) includes defining the requirements and specifying the architectures and protocols for security and privacy in 3GPP systems.
In order to better serve these objectives, several security areas have been indeed defined and investigated, respectively: Security architecture (1), authentication (2), security context and key management (3), radio access network (RAN) security (4), Security within NG-UE(5), authorization (6), subscription privacy (7), network slicing security (8), relay security (9), network domain security (10), security visibility and configurability (11), credential provisioning (12), interworking and migration (13), small data (14), broadcast/multicast security (15), management security (16), and cryptographic algorithms (17).
Out of these 17 domains, it is very difficult to define one specific security area more risky than others. They can (and should) not be perceived as independent areas when assessing cyber risks. A potential threat or a failing protection in one area might directly or indirectly impact others. But if I have to pick one specifically, I would highlight, just as I am promoting it for many years in various industries, the importance to balance protection and detection. As a consequence the security area “security visibility and configurability” is, according to me, of paramount importance for the necessary detection capabilities of end-to-end systems.
Why is 5G secure? How do experts from industry and standards organizations ensure that 5G security risks can be effectively managed in terms of security protocols and standards as well as security assurance mechanisms?
Just like mentioned, many stakeholders (regulators, vendors, operators, academics, etc.) with high expertise have been involved in 5G standard definition and they are continuing to work together on the coming 3GPP releases. They contributed to reach a high level of security for the definition of 5G specifications. This collaborative approach has also been promoted when creating the Network Equipment Security Assurance Scheme (NESAS).
NESAS is a security assurance framework highly recognized within the mobile industry. It is globally used as a security baseline and includes common requirements for security evaluations of network equipment and an assessment of telco equipment vendors. NESAS provides the necessary tools for ensuring effective assurance testing.
The NESAS framework is a joint effort between 3GPP SA3 and GSMA, and also includes standard-based assessments for 5G security, which are part of the Security Assurance Specifications (SCAS). The product evaluation is performed by competent, security test laboratories accredited according to ISO 17025.
That’s why at Huawei, we are very proud to have been able announce in December 2020 to have successfully completed the world’s first SCAS audit on 5G & LTE base station (audit performed by 3rd party DEKRA), following also the world’s first NESAS audit on 5G base station passed in May 2020 performed by @sec.
As stated in your whitepaper, most threats and challenges faced by 5G security are the same as those faced by 4G security. However, the security challenges brought by new services, architectures, and technologies to 5G networks need to be considered. For example, access authentication for third-party slicing service providers, network slicing, Service Based Architecture (SBA), the secure use of computing resource assets, especially as cloud architecture in 5G is widely adopted, and the impact of new technologies, such as quantum computing development, on traditional cryptographic algorithms. Can you explain these new challenges in the common tongue?
On the one hand, it is indeed true that 5G network inherits the 4G network security architecture: like the previous telco generation, 5G access and core networks have clear boundaries, interconnect through standard protocols, support intervendor interoperability, and have standards-based security protection mechanisms.
However on the other hand, it is also indisputable that new services and use cases will bring new challenges and that is why extra security measures have been defined and specified in the 3GPP standard.
If I have to summarize some key enhancements to address these new challenges, I would highlight the following four improvements: (1) a stronger air interface security, offering user data integrity protection to prevent it from being tampered on top of the existing user data encryption present in 2G, 3G, and 4G networks, (2) an enhanced user privacy protection by transmitting user’s IDs (IMSIs) in cipher text compared to 2G, 3G, and 4G networks which is transmitting this information in plain text over the air interface, (3) a better roaming security between operators avoiding attackers to be able to exploit SS7 weaknesses and tamper sensitive data (e.g. key, user ID, and SMS) exchanged between core networks from different operators, and eventually (4) enhance cryptographic algorithms by supporting 256-bit cryptographic algorithms, being sufficiently resistant to future attacks with quantum computers.
There was a lot of talk and discussion in the media the last couple of years about the security of your companies’ 5G network. Why is Huawei 5G secure? What technical approaches have Huawei adopted to ensure cyber security of its equipment?
First of all, I would like to emphasize that it is clear that the allegations we might have read or seen against Huawei in the media are not linked our technical approach or the way Huawei is addressing cyber security when designing and developing our products. These assertions are just a consequence of a broader geopolitical and economical struggle where an existing leading technological country is fighting to keep its dominating position.
Huawei has not had any major cybersecurity incidents while working with more than 500 telecom providers, including most of the top 50 telecom operators, for nearly 20 years in 170 countries to connect more than 3 billion people. No other vendor can claim this level of cybersecurity success.
We can fairly say that Huawei is the most scrutinized company in the world today.
That’s why we deal almost obsessively with the strict rules that we have drawn up for our employees, our suppliers and development processes. Because we realize like no other party that if there was even one security incident involving Huawei, then we are done.
Concretely, Huawei R&D focuses heavily on security throughout product development, adhering to the principle of security by design and security in process. Cyber security activities built into the process are performed in strict compliance throughout the entire product lifecycle, so that security requirements can be implemented in each phase. Huawei R&D provides the Integrated Product Development (IPD) process to guide E2E product development, according to industry security practices and standards such as OWASP’s Software Assurance Maturity Model (OpenSAMM), Building Security In Maturity Model (BSIMM), Microsoft Security Development Lifecycle (SDL), and National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as well as cyber security requirements of customers and governments.
At Huawei we have adopted a “many eyes and many hands” security verification mechanism. In addition to security tests of product lines, we established the Independent Cyber Security Lab (ICSL), which is independent of the R&D system, to be responsible for the final verification of products. Test results are directly reported to the Global Cyber Security & Privacy Officer (GSPO), who has veto power over product launch. Third-party testing and verification schemas are also supported with the cooperation of customers and industry regulators. That is why, for even more transparency, we have implemented testing centers in the UK, Germany, Brussels and Canada to allow for independent testing of Huawei’s equipment, up to the source code.
We believe in cyber security standards and objective evaluation based on facts and evidence.
How to ensure 5G cyber security, including Huawei’s support for cyber resilience and recommendations on how to deploy and operate 5G networks in a secure manner?
Huawei is committed to not only building confidentiality, integrity, availability, traceability and user privacy protection in 5G equipment based on the 3GPP security standards, but also collaborating with operators to build high cyber resilience in networks from the O&M perspective.
For instance, to speed up service recovery if a security incident occurs, the design must realize continuous monitoring and response to security incidents so that their impact scope and resulting service loss can be minimized. Huawei, as a vendor, uses the Identify, Protect, Detect, Respond and Recover (IPDRR) methodology of the NIST CSF to identify and control key risks in live-network services and build cyber resilience with operators. By using IPDRR, Huawei can help operators that provide critical information infrastructure to better meet the regulatory requirements for cyber resilience.
Moreover a comprehensive and secure set of rules is required, in addition to the network security architecture, with which operators must follow to operate the O&M management layer. O&M is crucial in controlling the risk of entire network. Strict security rules should therefore be applied for each O&M task, with zero tolerance for how O&M data flows are processed.
How to continuously improve the 5G security level from the perspectives of different stakeholders in order to address future challenges.
5G is becoming a reality and the lifecycle for 5G is going to be lasting for a while. Based on successful experience for 4G security, controlling 5G security risks is achieved through joint efforts of all industries. To control risks in the 5G lifecycle, we need to continuously enhance security solutions through technological innovation and build secure systems and networks through standards and ecosystem cooperation.
As vendor, we should continue contributing to the industry security standard work, complying with standards, and integrating security technologies to build secure equipment.
Then, operators are responsible for the secure operations and cyber resilience of their own networks. 5G networks are private networks. The boundaries between different networks are clear. Operators can prevent external attacks with firewalls and security gateways. For internal threats, operators can manage, monitor, and audit all vendors and partners to make sure their network elements are secure.
Eventually, as an industry (incl. government regulators), we all need to work together on standards. This is our shared responsibility. To build a system that we all can trust, we need aligned responsibilities, unified standards, and clear and non-discriminatory regulation.
Recently, as a speaker at our Virtual Security Summit, you mentioned several major cyber security challenges we are facing when it comes to software development, among which a need to have a standard for secure development. Did European Cybersecurity Act lay a good foundation for that, especially in preventing fragmentation or scheme proliferation?
I think indeed that we all, as ICT industry, need to work together to improve our cybersecurity and digital resilience. It is only by working together and coordinating efforts, at the European level but also broader, that we can successfully tackle the future threats. The industry lacks a unified set of technical standards for security, the landscape today is still too fragmented. It is true in various domains, and obviously particularly true in software development.
And that is why I believe indeed that the recent European Cybersecurity Act can and will bring clear added-value in this field. Europe has already shown in the past with GDPR that when a consensus among the different Member States is reached, Europe can pave the way for globally recognized security rules and guidelines.
Moreover, beyond the Cybersecurity Act, the European Union agency for cybersecurity (ENISA) has also demonstrated in the past with thorough and comprehensive publications such as “Good Practices for Security of IoT – Secure Software Development Lifecycle“ in November 2019 that it has the expertise to guide the industry when it comes to secure software development.
It should be easy for customers to evaluate the security level of the software. But how to achieve transparency from the supplier perspective? Why is that so important? And what did Huawei do to make its security level transparent?
Trust is a feeling. But when it comes to cybersecurity, both trust and distrust should be based on facts, not feelings, not speculation, and not baseless rumour.
We believe that facts must be verifiable, and verification must be based on standards. That’s why Huawei has opened its Cyber Security Transparency Centre in Brussels. This is a good and concrete example of how we raise the right level of transparency. We provide access to our customers and 3rd party laboratories to our source code and allow them to evaluate our solutions against their own tools, personnel and processes.
Transparency is essential. It is essential because it is at foundation of trustworthiness. The history of ICT industry has shown that security by obscurity was never the right choice.
At Huawei we believe that we exist to serve our customers and they have the right to require and they deserve a high level of transparency.
In your opinion, the software industry puts a strong effort in having a product certified, but not in evaluating the process itself. How can we balance between the two and why is evaluation of the process equally important?
I am not saying that software industry does not evaluate the process itself at all. I am saying that the efforts between product certification and process evaluation have been in the past unbalanced.
An obvious way to change it, is simply to strengthen in the current and future certification standards, the evaluation part of the development practices. It does not require to reinvent the wheel. There are existing guidelines such as BSIMM or SDLC from Microsoft.
Things are moving. I am actually very pleased when I see that the European Cyber Security Act includes by definition an assessment of the processes. Another good example is also NESAS which embeds natively an evaluation of some key processes (for instance, how to address vulnerabilities during the lifecycle of the product).
The challenge is how to avoid adding extra burden to the already heavy certification effort.
However, I am optimistic as I truly believe that evaluating and eventually reinforcing trustworthiness in the developing processes may actually help to reduce re-certification effort. It can also support the never-ending challenge of the certification validity during the full product lifecycle, including after deploying vulnerabilities patches and corrective releases.
Third parties have a key role to play in ensuring secure development, being a partner not just at the end, but during the process of product development. How did Huawei implement this through its Integrated Product Development (IPD)? How do you leverage feedback provided by third parties?
Collecting properly feedback is essential for a fruitful collaboration. It is actually part of Huawei’s DNA. One of our Core Value is “Growth by Reflection”, which refers to employing wisdom accumulated through experience (sharing) and thinking.
That is why sharing and exchanging with 3rd parties all along the product development and accepting to be challenged is vital. It nourishes our continuous improvement process. Concretely, in our IPD, we have a dedicated process called “closed loop management”.
Leveraging feedback implies also to deploy the adequate and associated governance model in order to put effectively follow-up actions in place. A combined top-down and bottom-open approach is the most effective way for successful implementation and leveraging 3rd party feedback.
As an example of result, we initiated couple of years ago our new software engineering program. We have been establishing a continuous and constructive dialogue with our stakeholders (customers, national authorities, standards organizations) to first understand how we could still improve our software development practices and now we are applying these changes in our organization.