The G20 is a suitable forum for formulating new global standards for cybersecurity, says the chief security officer of one of China’s leading telecommunication companies. One or a few G20 members could be asked to take the lead and champion ideas that could the be tested by the others, he suggests.
John Suffolk is the global cybersecurity officer at Huawei, the Chinese-based multinational telecommunications company. He was formerly an advisor and chief information officer to the British government. He spoke to EurActiv’s Jeremy Fleming in Brussels.
Do you have any key criticism of the proposed EU data protection regulation?
It is not about whether you agree with the policy or not. What is more important is whether the policy is understandable and will be interpreted the same way by every reader. For example, in one EU member state individuals – and even lawyers – will give different interpretations of the requirements. It is not so much about the rules and regulations themselves but whether they are, and whether they will be, enforced in a broadly consistent way. I would recommend them [the EU] to focus on implementation, on scenarios and case studies, to really crisp and hone the rules, think about local implementation where you may be layering different laws on top of each other, and to answer the tough questions about US companies in the EU. The vendors will then understand, and even if it slows or speeds things up its better than lack of clarity. That is where the energy should be focused I believe.
Last year you wrote a paper on cybersecurity calling for global standards, have you seen any progress?
When we wrote our original white paper we called for international standards and US President Barack Obama’s recent executive order on cybersecurity reflects that. China and US are talking, there has been good progress, and people understand that each bit of digital kit has an atlas of suppliers, so we need to reflect the global supply chain. This is not about individual countries and companies. Issues such as information-sharing, mandatory breach reporting, creating a centre of [cyber] excellence are now being discussed, the result is that people are taking time to assess these real problems and understanding that cybersecurity is also about foreign, economic and education policies.
Europe and the United States look set to implement different approaches to cybersecurity, with Washington adopting voluntary reporting mechanisms against Brussels’ compulsory measures, do you agree with that analysis?
Europe is one of the few places where you can get 27 countries to point in the same direction. The lobbying culture is not as great as in the US, and Europe has mechanisms to bring people at technical policy level together for combined debate. We may not like the outcomes, but you get people together. That gets people going in the right direction. The model in the US tends to move more from corporate to lobbying to individuals to policies. Obama, or any president, has a difficult job getting his policy through because there are so many people with powerful views trying to shave things off it. So I think the President has done a good job of getting some things on the table even if they are not perfect. The US has said it favours international standards which is positive. Getting the US and Europe to agree these standards may not be so easy. There is a big debate about information-sharing between companies in the US and whether they have legal cover. It is different to Europe, actually they are moving in similar directions, but the roots are different and the outcomes might be different. As a vendor it does not matter because if you can get commonality in Europe and there is something slightly different in the US, then that should be manageable.
In 2011 the US administration classed cyberattacks against it as “acts of war”. There have been increasing recriminations this year against Chinese cyberattacks by the US authorities. From the perspective of cybersecurity, do you believe that relations between the two countries are deteriorating?
It has become more exacerbated on a government-to-government basis, there is more public debate. I am a fan of diplomacy: quiet conversations in quiet rooms, solving issues. The moment things become political, that’s when the emotion comes in, rather than level-headedness. You would expect governments to say: “We must protect our country, citizens would expect less of us if we did not.” So I’m not surprised. But I ask myself what is the end game? What we are saying is when someone drops a bomb, or carries out a cyberattack, those are both to be classed as an act of war. Then what? Does that solve cyberattacks? No. The technology is still not inherently built with the best security in mind. Governments are not using their buying power to demand the best standards in security from their vendors. So these things [such as changing the definition of a cyberattack to an act of war] do not change the fundamental issue. We are using so much technology, it is so inventive, so complicated, and we are joining everything to everything else. We want more data, and anyone can create a cloud computing environment anywhere in the world. It solves none of this, and that is where we want governments to focus their attentions. That is where we need governments to make their connections. If you cannot solve all the problems, then at least move the issue along.
The Commission has acknowledged that there are no easy solutions to finding a global platform for cybersecurity, whether through the G20 or the OECD. Do you see this as a problem?
I think it takes leadership. There will always be a debate about whose standards you adopt, because typically – although less so now – whoever controlled the standards controlled the market. So Europe was brilliantly good at mobile telephone standards. It got together, created a market with lots of interoperability, and everybody won out in the end. So I think what needs to be done is for states to pick where you can have a standard then use the G20 and to nominate a leading country to link with standards bodies.
Would picking a lead country be a problem?
Europe is very good at allotting different jobs to different countries. I cannot believe the G20 could not appoint one or three core countries. It does not mean that they have to determine the standards. I would adopt what I call the “champion challenger” system. This way you ask countries: “Who thinks their model is the best?” Then you call that system the champion and anyone can challenge their system under any evaluation technique. But you cannot knock off the champion unless you can demonstrate a clear benefit over that system. It is a democratic process and means there would be conformity.
What are the new models of cyberattack arriving?
I think the whole issue in terms of cybersecurity is morphing every day. It is becoming more economic. There is a commercial criminal ecosystem which has been maturing and maturing. Where there is money there is investment. It is a little like financial fraud. If I spend €1 million to stop fraud and you are a fraudster and spend €10 million to break my protection, you are likely to be successful eventually. It is the same with cybercrime. The more that gangs get organised and generate cash, the more they have to develop new attack software. And that is not going to stop, as soon as you close one avenue off you open up another.
I think what is also happening which I am more and more worried about is that you are seeing more and more countries beginning to say we want our local justice departments and police and intelligence to be able to go an hack other people’s machines around the world and to spy on people. There has to be a digital ‘line in the sand’ between what is ethical and what is moral.
Australia and Holland have been taking openly about whether they should be giving law enforcement authorities the ability to attack machines if they feel they are under attack. But the more that people make that the norm you then move onto the next level, which will see this escalating. The issue is not that countries are doing it is that they are legitimising it, which means that the next thing is that they would accept something more. We have to have a convention whereby there is a clear agreement not to do this. It needs a convention.