ZTE Chief Security Officer
18 February 2019, Shenzhen, China – ZTE Corporation (0763.HK / 000063.SZ), a major international provider of telecommunications, enterprise, and consumer technology solutions for the Mobile Internet, today shed light on the company’s cybersecurity assurance through remarks by its Chief Security Officer, Zhong Hong.
According to Mr. Zhong Hong, ZTE puts the security of its customers above commercial interests and complies with relevant laws and regulations on cybersecurity, so as to ensure the end-to-end delivery of secure and trustworthy products and services.
Cybersecurity is one of the highest priorities for ZTE's product development and delivery. ZTE will establish a holistic cybersecurity governance structure based on the company's development strategy plan, with reference to international standards, laws, and regulations, thereby fostering good security awareness for all employees and emphasizing the security of the entire process.
In order to achieve end-to-end secure delivery of products and services, ZTE integrates security policies and controls into every phase of the product lifecycle, establishing a cybersecurity assurance mechanism that covers product development, supply chain and manufacturing, engineering services, security incident management, and verification and audits. ZTE has also built a three-lines-of-defense cybersecurity governance structure to implement baselined, process-oriented, closed-loop security management.
In terms of organizational structure, ZTE has adopted the three-lines-of-defense cybersecurity governance model to implement and review cybersecurity from multiple perspectives. The business units act as the first line of defense, achieving cybersecurity self-management and control, while the company security laboratory functions as the second line of defense, performing independent security verification and supervision. External professional institutions and customers act as the third line of defense, auditing the effectiveness of the first and second lines.
ZTE’s Product Security Incident Response Team (PSIRT) identifies and analyzes security incidents, tracks incident handling, and communicates closely with internal and external stakeholders to disclose security vulnerabilities in a timely manner and mitigate the adverse effects of security incidents. As a member of the Forum of Incident Response and Security Teams (FIRST) and a CVE Numbering Authority (CNA), ZTE collaborates with customers and stakeholders in a more open manner.
ZTE passed ISO 27001 certification for information security management systems in 2005 and has renewed its certificate every year. In 2017, ZTE passed ISO 28000 (Specification for security management systems for the supply chain) certification.
In terms of security assessment, the company has internationally certified professionals with CISSP, CISA, CCIE, CISAW, and CCSK to enable mature multidimensional security assessment capabilities in the aspects of code review, vulnerability scanning, and penetration testing.
The detailed Q&A follows:
Question 1: The 5G era has arrived. Cloud computing, the Internet of Things, big data, artificial intelligence, and other technologies are triggering a new round of industrial changes. Under such a background, the greater challenge that the telecommunications industry is facing is to resist the evolving cybersecurity threat. As a global telecommunications equipment and solution provider, what position does ZTE take for cybersecurity assurance?
Answer: ZTE believes that the security value we provide customers is greater than that of commercial interests, and that the security features of products come first. Cybersecurity threats are a common issue that customers face together with us. In my opinion, the biggest concern for customers is whether we have sufficient security control measures to ensure the secure operation of their equipment and services. ZTE's ongoing cybersecurity governance in the past few years has provided customers with a holistic end-to-end security assurance mechanism that makes products and services able to withstand cyber-attacks.
ZTE is willing to communicate and cooperate with operators, regulators, business partners, and other stakeholders in an open and transparent manner, comply with relevant laws and regulations, respect the legitimate rights and interests of customers and end users, and continuously improve management and technical practices to provide customers with secure and trustworthy products to create a good cyberspace security environment.
Question 2: Recently, some governments have raised concerns about cybersecurity. From your point of view, how can ZTE protect the security and confidentiality of information for customers around the world? In other words, how do you help customers achieve the goal of jointly resisting cybersecurity threats, and how do you dispel customers' concerns about cybersecurity?
Answer: This question should be answered from two perspectives. One is our own: what should we do to guarantee cybersecurity, and how should we do it? The other is the customer's perspective: how can our initiatives gain customer recognition and trust?
First of all, I think security is an intrinsic property of a product, so we put security in the top position. Secondly, on the one hand we should fully understand the security needs of our customers, and on the other hand we need to let our customers know that our products are secure. ZTE is running a long-term, continuous cybersecurity assurance program called “ZTE Cybersecurity Governance”. Its vision is “Security in blood, trust through transparency”. The ultimate goal is to provide customers with end-to-end trustworthy cybersecurity assurance.
At the strategic level, cybersecurity is one of the highest priorities for product development and delivery. That is to say, at the key decision-making points in the R&D and engineering services processes, when we need to make choices, we give priority to ensuring the security of the products. For example, in the product development process we set a release gate: if a product fails the security test, the version is not allowed to be released. In the engineering services process, technical and management methods are used to ensure the secure operation of the customer network. For example, account management applies the need-to-know and least-privilege principles, and all operations involving access to customer networks and data must be authorized in advance by the customers.
At the organizational level, ZTE has adopted an industry-recognized three-lines-of-defense security structure. Based on the principle of separation of duties and responsibilities, ZTE oversees product security from multiple perspectives: the first line of defense achieves cybersecurity self-management and control; the second line of defense implements independent security verification and supervision; and the third line of defense audits the effectiveness of the first and second lines.
In the product development process, a multi-layer security verification mechanism ensures that security is reviewed from multiple perspectives. In the field of engineering services, along regional, national, and project dimensions, the company has established a multi-level product security management team and a cybersecurity monitoring and incident response mechanism; the second and third lines conduct on-site inspections and audits of engineering services to ensure that the operation and maintenance of on-line products are secure and trustworthy.
At the tactical level, the cybersecurity assurance program adheres to a six-point policy: standardization, strict implementation, traceability, strong supervision, transparency, and trustworthiness.
1. Standardization – the security policies and process specifications we have developed are built into each product and process. We regularly review the security specifications against the industry's maturity model and ensure that they are enforceable and effective.
2. Strict implementation – the daily work of each business department is carried out strictly in accordance with the regulations. The company has issued a "Product Security Red Line", which draws an uncrossable security bottom line for customer network operations and personal data processing, mandatory for both organizations and individuals.
3. Traceability – the components of the product, the distribution of the product's locations, and the record of the execution process constitute a complete picture of the product, helping us manage the product visually; for example, security incidents can be traced back and reviewed.
4. Strong supervision – the effectiveness of the implementation of the regulations and specifications is checked through internal and third-party security audits; the audit results are reported to the Audit Committee, and rectification and review must be followed up.
5. Transparency – cybersecurity initiatives should be transparent to customers, and we have deployed a series of initiatives to make the process transparent.
In 2017, the company became a CVE Numbering Authority, so that the relevant parties can follow the handling process of vulnerabilities in our products through the formal vulnerability disclosure policy. In the first quarter of 2019, we expect to release a new version of the “Cybersecurity White Paper” to let stakeholders understand ZTE’s understanding, attitudes, and initiatives on cybersecurity assurance. In the meantime, the company has begun to build overseas security labs, which allow customers to review our products online; in addition, we are seeking strategic partnerships with third parties to acquire industry-leading technologies and services for security laboratory preparation, independent evaluation, and security audits.
6. Trustworthiness – the premise of winning customers’ trust is to respect and understand the values of our customers by making the process transparent and regulated. ZTE passed ISO 27001 certification for the information security management system in 2005 and has renewed its certificate every year. In 2017, ZTE passed ISO 28000 (Specification for security management systems for the supply chain) certification. Since 2011, more than ten products have been certified under the Common Criteria (i.e., ISO 15408). In the past two years, ZTE has been working closely with customers, third parties, and overseas regulators to conduct activities such as source code review, security design review, and supplier audits.
In terms of personnel training, we believe that the success of the cybersecurity governance program depends largely on personnel and security awareness. We have built security teams and trained security professionals. In the past year, we have added 27 certificates, consisting of CISSP (Certified Information System Security Professional), CISA (Certified Information Security Auditor), CISAW (Certified Information Security Assurance Worker), and CCSK (Certificate of Cloud Security Knowledge). We have also organized learning, training, workshops, hands-on practice, and exams at various levels, and have trained more than 600 security personnel. But, most importantly, the development of security awareness begins with management. The Cyber Security Committee (CSC) is headed by the CEO, with the CTO as executive deputy director and the CSO as deputy director; the Standing Committee of the CSC is made up of the ultimately responsible persons from the Supply Chain, System Products, and Engineering Services business units. The organization of cybersecurity assurance has been deployed throughout the management level.
Question 3: Could you please introduce more on the preparation and release plan of the security labs?
Answer: The security labs being built will be operated in a “1+N” mode. The center lab will be located in China, and multiple remote access points will be deployed at home and abroad.
The security labs will provide three functions: 1. viewing and evaluating the source code of ZTE products in a secure environment; 2. access to important technical documentation of ZTE products and services; 3. manual and automated security testing of ZTE products and services.
The construction will come in phases: two security labs are expected to be built overseas, in Belgium and Italy, in 2019. Moving forward, ZTE will consider establishing new labs in accordance with customers’ needs and business development.
Question 4: Recently, concern about national security has spread around the world, and the credibility of Chinese telecommunications equipment manufacturers has been questioned by foreign governments and enterprises. Some people believe that Chinese telecommunications vendors cooperate with government intelligence work. What opinion do you hold on the issue?
Answer: ZTE has never received any requests from relevant agencies to set up backdoors in our products; the source code of our products can be opened for security audits by customers and professional organizations through our security labs.