The Huawei controversy has raised fundamental questions around supply chain security, Brian Honan has told Infosecurity Magazine. In a video interview recorded at Infosecurity Europe 2019 conference in London, BH Consulting’s CEO said the issue of technology containing alleged backdoors to enable spying has led to “interesting conversations” in the security community.
The question boils down to whether it’s possible to build secure systems if there’s no trust in the technology platform they’re built upon, Brian said. “Unless we actually build something ourselves from absolute scratch, we are relying on third parties, and how much trust can we give to those third parties? So the bigger issue becomes: how you secure your supply chain?”
For security professionals, securing their company’s supply chain needs a more rigorous due diligence process than asking vendors whether they have antivirus software on their PCs. It’s about “asking the right questions into the right levels, and digging deep into the technology, depending on what your requirements are,” Brian said.
Huawei to the danger zone
Noting the accusations that Huawei technology has security bugs, Brian said that the same is true of products from many other places including the US, UK or Europe. “There’s no such thing as 100% secure systems. Take the Intel chips that we have in all our servers: they have security bugs in them,” he said.
Emphasising that he wasn’t trying to defend Huawei, Brian said: “A lot of what we’re reading in the press and the media, there’s nothing to substantiate the claims behind it.” The larger question about whether any bugs are accidental, or deliberately placed backdoors that allow Government-level spying, is “outside the remit of our industry,” he said.
Even if a security professional decided not to use a certain brand of equipment in their network, there’s a question of what happens when their information travels elsewhere within their company’s external supply chain, or through its internet service provider. Instead, infosec professionals should focus on protecting information at rest or in transit, since the early internet engineers designed it to share information, not keep it secret. “We have been trying to build security on top of a very unsafe foundation. We need to look at ways of how we keep our data safe, no matter where it goes or how far it travels,” Brian said.
As for what’s next in security, Brian said regulations will stay at the forefront over the next year. “GDPR isn’t over. GDPR is the evolution of data protection laws that we had already… the regulations are still being enforced. We still have to continue looking after GDPR.” Some of the earliest court cases relating to GDPR are due to conclude soon, with potentially large fines for offenders. He also said Brexit is “the elephant in the room”, given how it could affect the way that European companies deal with UK businesses, and vice versa.
Toys in the attic
The ePrivacy Regulation (ePR) will have a huge say in how companies embed cookies on their websites and how they communicate and market to customers. Regulations like the EU Cybersecurity Act look set to impose rules on IoT or ‘smart’ devices. Their security – or lack of it – has long been a thorny issue. Brian recently commented on this issue in an article for the Irish Times about smart toys and we’ve also blogged about it before on Security Watch.
Summing up the likely short-term developments in security, Brian said: “A lot of things in the next 12-24 months are going to have a big impact on our industry, and it’s where the regulators are going to play catch-up on the technology. It’s going to be interesting to see how those two worlds collide.” You can watch the 15-minute video here (free, but sign-in required).
Also during Infosecurity Europe, Brian moderated a debate on dealing with complex regulations while ensuring privacy, security and compliance. It featured data protection and security practitioners from the Bank of England, Penguin Random House UK, News UK and the UK Information Commissioner’s Office. Bank Info Security has a good writeup of some of the talking points. Its report noted that Brian focused the discussion on the broader regulatory landscape, including the updated EU ePrivacy Directive, while panellists and audience questions kept returning to GDPR.
The article noted that the panellists broadly agreed that regulations, including GDPR, had helped to improve their organisations’ security posture. It quoted Titta Tajwe, CISO of News UK, who said: “With the EU GDPR, it really helped for executives to understand what needs to happen to protect the data of your customers. So it did allow the CISOs to get the budget they needed to do the work they’d already been asking for, for a long, long time.”
Photos used with kind permission of Mathew Schwartz.