ZTE Chief Security Officer
As digital transformation drives network evolution, flexible 5G network architecture makes it possible to connect the industrial Internet to a society's core assets such as energy, transport, and healthcare – and thus we see that as 4G changed lifestyles, 5G will change and revolutionize our wider society. However, co-existing with these changes is the perceived security risk of 5G networks, which has attracted extensive attention from all stakeholders.
Enhanced 5G cybersecurity requirements
In the cybersecurity ecosystem, we are happy to see that regulators, standard organisations, certification institutions, industrial associations and operators are actively contributing to approaches for assuring the security of telecom networks.
At the end of January 2020, the European Union (EU) released the Cybersecurity of 5G networks – EU Toolbox of Risk Mitigating Measures. This proposes strategic measures, technical measures, and supporting actions based on the EU Coordinated Risk Assessment Report, in order to mitigate security risk, and also provides operable risk mitigation plans. At the same time, the UK's National Cyber Security Centre (NCSC) also released an analysis article elaborating the UK's framework and practices, including the Telecoms Security Requirements (TSR), to manage risks of these networks. ZTE welcomes and appreciates the operable security assessment approaches on 5G networks, as we believe these will lead to a more transparent and evidence-based methodology of security assessment and certification.
Reflections on the EU Toolbox
The EU Toolbox provides clear requirements and operable measures to address the cybersecurity of telecom networks for operators, suppliers, and other stakeholders. ZTE, as a supplier, regards regulatory powers, standards compliance, and supplier cybersecurity assurance, as the three important aspects that are most relevant to our business.
We noticed that the Toolbox specifies regulatory powers as short-term measures with “high or very high expected effectiveness” in multiple risk mitigation plans. ZTE agrees with the importance of regulatory powers, which aligns with our cybersecurity strategy. We will establish more channels at EU level and national level to acquire regulatory requirements, which will help us clarify our cybersecurity objectives. In parallel, we also implement independent security assessments and audits on an ongoing basis to verify that our security policies and controls are employed against relevant regulatory requirements.
As to standards compliance, the Toolbox suggests that suppliers should implement security measures into existing 5G standards. As the industry knows, security has been taken into consideration since the early 5G network design stage, such as integrity protection support and the key derivation mechanism. The inherent security considerations make 5G networks much more secure than 3G and 4G networks in terms of technical standards and designs. ZTE fully complies with security standards and aligns with best practices in its product R&D and service delivery to ensure our products are secure by design and by default.
For supplier cybersecurity assurance, we believe it is critical to review the security of products and services from the perspectives of people, process, and technology. In addition, ZTE considers supply chain security to be very important. The scope of ZTE's cybersecurity assurance covers the strict security management and controls of our suppliers, materials, and manufacturing, to ensure security throughout the whole product lifecycle.
ZTE's attitude and initiatives on cybersecurity
Cybersecurity is the highest priority for ZTE's product R&D and service delivery. We embed security across all business units, and have established a cybersecurity assurance framework, covering the full product lifecycle including security design, security coding, security evaluation, supply chain security, security delivery and O&M. We also evaluate the maturity of our security practices regularly to continuously improve our security delivery capabilities.
ZTE adopts a fully transparent policy allowing customers, regulators, and other interested third parties to perform independent security assessments and audits on our equipment. The independent source code review, document review, black box testing and penetration testing allow our customers to verify the security of ZTE's products, services, and processes.
This is a continuous investment that showcases our commitment to having an active role in assisting our customers to strengthen requirements, shape standards, implement and evaluate security measures, and ensure full product lifecycle risk management.
In the cybersecurity value chain, ZTE is all geared up and hopes to collaborate with customers to tackle the security challenges ahead.
ZTE is ready to tackle cybersecurity challenges and explore new opportunities
While cybersecurity is a long journey, ZTE is all-set to embrace the new challenges and opportunities ahead.
To move forward, we adopt a risk-based approach for managing security throughout the product lifecycle, conform to regulatory requirements and technical standards, implement assessments and obtain the certifications required by customers and regulators. We will also keep supporting suppliers' risk profile assessments.
ZTE looks forward to building a more secure and trustworthy 5G network with operators and industry stakeholders to enable a better digital life for everyone.