Capacity speaks to ZHONG HONG, Chief Security Officer of ZTE Corporation, about the vision of security in DNA, trust through transparency.
Q. As operators move to 5G and other next-generation networks, how crucial a role does cybersecurity play?
5G has opened an era in which our society is transforming into a more digitally dependent world. Use cases like V2X, IoT and automation not only indicate a new reality, but also mean that cyber threats extend from cyberspace to the physical world.
Therefore, the 5G era is a time where policy makers and operators put increasing efforts into cybersecurity in order to build and maintain more secure and resilient telecommunication networks, which is the foundation to enable digital services that make our digital life accessible and prevalent.
The good news is that the security enhancement on 5G is unprecedented compared to previous generation networking. As we know, the 3GPP 5G Release-16 completely froze on 3 July 2020. And its upcoming Release-17 includes security features and mechanisms to support industrial IoT, edge computing, and so on.
The trend has shown clear signs for the field players, especially suppliers, to provide secure and resilient products by contributing and conforming to industry standards and best practices, making products and their development process verifiable, and most importantly, keeping the communication among all stakeholders.
Q. How is ZTE striving to provide reliable and trustworthy 5G products and ensuring security of the whole supply chain for customers?
Security should be verifiable, and ZTE never stops verification of its products and processes both internally and externally.
ZTE passed the GSMA Network Equipment Security Assurance Scheme (NESAS) audit for its development and product life cycle processes last year and later completed the 3GPP Security Assurance Specification (SCAS) testing on our main 5G products.
For the development process, we embed security considerations into the design of products and integrate security controls in our high performance product development (HPPD) process and service delivery. For the design of products, we adopt the 5G network security specifications from standardization organizations – like 3GPP, ITU, ETSI – and conform to regulatory requirements, such as the EU 5G Toolbox.
Ensuring reliable networks for the whole supply chain, not only ZTE itself, is important for our customers, as cyberattacks on the supply chain have reminded us from time to time. Through management of qualified sub-suppliers, control of third-party components, and the whole lifecycle secure development of products, we continuously enhance supply chain security and put emphasis in the ZTE cybersecurity assurance.
Q. How is ZTE engaging with customers technically about cybersecurity and mitigating security risks in the digital age today?
As a leading 5G network equipment provider, ZTE’s 5G products are designed with security features, combining security solutions that meet customers’ requirements. It is especially true for 5G-enabled vertical industries, as the business scenario could be complex. For both telecom operators and industrial enterprises, we provide reliable and resilient networks that ensure secure connections, and deeply engage with customers to explore the best secure ways to fulfil business requirements.
For example, in Guangzhou, China, our 5G Metro project is the world’s first case of an end-to-end 5G slicing solution adopting physical isolation by wireless physical resource block (PRB) in a 5G SA environment, which enables secure and high-speed connections and data transfer for the Metro system and passengers. For a steel making enterprise in Shaoguan, we provide the 5G+ industrial Internet security solution that combines end-to-end network slicing security, MEC security, and zero-trust access control.
Today, we have deployed 5G networks in 240+ cities globally, and developed 5G use cases with more than 500 industrial partners, to provide people with secure service and a better life.
Q. How is ZTE addressing the need for greater transparency across its portfolio and product lifecycle?
In the 5G-enabled digital age, cybersecurity is the common concern, along with an increasing focus on transparency in security assurance of network equipment.
Transparency is in ZTE’s cybersecurity motto. We actively invite third-parties, such as top security firms, to evaluate our products, services, and processes. The successful GSMA NESAS audit and security maturity level assessment fully revealed our security governance throughout our product development lifecycle. We also call for external security researchers and organizations to test our products by providing bug bounty programs.
According to requirements by regulators and customers, we disclose our source code and have our equipment tested by third-party bodies they designate, and we are willing to be involved in cybersecurity certification schemes as required.
We are happy that the assessments and certifications can verify security of our equipment and make our security practices transparent. In the journey to security, we look forward to more collaborations to gain trust, using the three cybersecurity labs we invested in China and Europe to promote transparency.
Q. Tell us more about ZTE’s cybersecurity labs in Europe. How do these facilities foster greater collaboration and help the company stay ahead of security trends?
ZTE’s two labs in Rome and Brussels have been functioning well since they were established in 2019. They carry out internal and external independent security assessments, and serve as a platform for collaborations and a centre of transparency.
As the only cybersecurity lab from a telecom vendor in Italy, the Italian lab has been actively engaged in the cybersecurity ecosystem in the country and helped with local technical innovation and capability transfer. It not only performs security assessments of products like 5G RAN and terminal products required by local customers, but also collaborates with National Inter-University Consortium for Telecommunications (CNIT), a non-profit consortium bringing together 37 public Italian universities. The cooperation focuses on technical evaluation and supervision. Our lab experts also participate in an online education project, “Risorgimento Digitale”, organized to give 5G lectures to the public.
In our European Cybersecurity lab in Brussels, we collaborated with ATSEC to complete the NESAS audit for the development and product lifecycle of 5G new radio (NR) and 5G Common Core products, and worked with Brightsight to finish the 3GPP SCAS testing of the same two products. To continuously verify the security of our 5G RAN and core network products, we invited top-tier security firms, like Synopsys, to carry out source code reviews, Building Security In Maturity Model (BSIMM) assessments, penetration testing, and security workshops.
In future, we will make more use of the labs for greater collaboration, technical innovation and exchange, and let more external stakeholders verify our equipment.
Q. As members of 3GPP, ETSI, GTI, ITU, and GSMA organizations, how is ZTE leveraging these ecosystems to implement best practice in its own work?
ZTE has become one of the major contributors to global 5G technology activities. It participates in more than 70 international standards development organizations and forums and has submitted more than 48,000 contributions to these organizations. The company has also held more than 120 leadership positions, such as chairman and rapporteur, of more than 360 standard documents. Globally, ZTE is among the top three companies for its sustainable leadership in 5G declared Standard-Essential Patents (SEP) to ETSI.
In 3GPP, ZTE serves as vice chairman for RAN2 and RAN3, and is rapporteur of multiple 5G security standards projects like SCAS NEF and SCAS IPUPS. In ITU-T, ZTE is vice president and co-chair of the WP4 in the Study Group 17 (security), and chairman of the WP3 in the Study Group 15 (transmission, access and home network), initiating multiple standards projects related to cloud computing security, IoT security, unknown malware detection, etc. ZTE is also involved in the GSMA’s NESAS development and GSMA’s CVD program panel of experts, and is a CVE Numbering Authority.
By being involved in prospective standardization, ZTE not only adopts the advanced 5G standardization achievements from the organizations, but also is a contributor that knows how the standards are generated. The two-way engagement in the ecosystems can help us better implement product design and development and make more contributions to enhance cybersecurity of the whole ICT industry by continuously improving our technical strength.
See the Capacity webpage for the interview.