ZTE puts the security of its customers above commercial interests and complies with the relevant laws and regulations on cybersecurity so as to ensure the end-to-end delivery of secure and trustworthy products and services. Cybersecurity is one of the highest priorities in ZTE's product development and delivery. In an interview, ZTE Chief Security Officer Zhong Hong talked about the company's cybersecurity assurance. ZTE is establishing a holistic cybersecurity governance structure based on the company's development strategy, with reference to international standards, laws, and regulations, thereby fostering good security awareness among all employees and emphasizing security across the entire process.
The 5G era has arrived. Cloud computing, IoT, big data and AI are triggering a new round of industrial change. Against this background, the greatest challenge the telecom industry faces is resisting evolving cybersecurity threats. As a global telecom equipment and solution provider, what position does ZTE take on cybersecurity assurance?
ZTE believes that the security value we provide to customers outweighs commercial interests, and that the security of our products comes first. Cybersecurity threats are an issue that our customers and we face together. In my opinion, the biggest concern for customers is whether we have sufficient security control measures to ensure the secure operation of their equipment and services. ZTE's ongoing cybersecurity governance over the past few years has provided customers with a holistic, end-to-end security assurance mechanism that enables our products and services to withstand cyber-attacks.
ZTE is willing to communicate and cooperate with operators, regulators, business partners, and other stakeholders in an open and transparent manner, to comply with the relevant laws and regulations, to respect the legitimate rights and interests of customers and end users, and to continuously improve its management and technical practices in order to provide customers with secure and trustworthy products and help create a secure cyberspace environment.
Recently, some governments have raised concerns about cybersecurity. From your point of view, how can ZTE protect the security and confidentiality of information for customers around the world? In other words, how do you help customers achieve the goal of jointly resisting cybersecurity threats, and how do you dispel customers' concerns about cybersecurity?
This question should be answered from two perspectives. One is our own: what we should do to guarantee cybersecurity and how to do it. The other is the customer's: how our initiatives can gain customer recognition and trust.
First of all, I think security is an intrinsic property of a product, so we put security in the top position. Secondly, on the one hand we should fully understand the security needs of our customers, and on the other hand we need to let our customers know that our products are secure. ZTE is running a long-term, continuous cybersecurity assurance program called "ZTE Cybersecurity Governance". Our vision is "security in blood and trust through transparency". The ultimate goal is to provide customers with end-to-end trustworthy cybersecurity assurance.
At the strategic level, cybersecurity is one of the highest priorities for product development and delivery. That is to say, at the key decision points in the R&D and engineering services processes, when we need to make choices, we give priority to ensuring the security of the products. For example, in the product development process we set a release gate: if a product fails the security test, the version is not allowed to be released. In the engineering services process, technical and management methods are used to ensure the secure operation of the customer network. For example, account management applies the need-to-know and least-privilege principles, and all operations involving access to customer networks and data must be authorized in advance by the customers.
At the organizational level, ZTE has adopted the industry-recognized three lines of defense structure. Based on the principle of separation of duties and responsibilities, ZTE oversees product security from multiple perspectives: the first line of defense carries out cybersecurity self-management and control; the second line of defense performs independent security verification and supervision; and the third line of defense audits the effectiveness of the first and second lines.
In the product development process, a multi-layer security verification mechanism ensures that security is reviewed from multiple perspectives. In engineering services, the company has established a multi-level product security management team and a cybersecurity monitoring and incident response mechanism along regional, national, and project dimensions. The second and third lines conduct on-site inspections and audits of engineering services to ensure that the operation and maintenance of deployed products are secure and trustworthy.
At the tactical level, the cybersecurity assurance program adheres to a six-point policy: standardization, strict implementation, traceability, strong supervision, transparency, and trustworthiness.
– Standardization: The security policies and process specifications we have developed are embedded in every product and process. We regularly review the security specifications against the industry's maturity model and ensure that they are enforceable and effective.
– Strict implementation: The daily work of each business department is carried out strictly in accordance with the regulations. The company has issued a "Product Security Red Line", which draws an uncrossable security bottom line for customer network operations and personal data processing, mandatory for both organizations and individuals.
– Traceability: The product's components, the locations where it is deployed, and the records of the execution process together constitute a complete picture of the product, helping us manage it visibly; for example, security incidents can be traced back and reviewed.
– Strong supervision: The effectiveness of the implementation of the regulations and specifications is checked through internal and third-party security audits; the audit results are reported to the Audit Committee, and rectification and review must be followed up.
– Transparency: Cybersecurity initiatives should be transparent to customers, and we have deployed a series of initiatives to make the process transparent. In 2017, the company became a CVE Numbering Authority, so the relevant parties can follow the handling of vulnerabilities in our products through our formal vulnerability disclosure policy. In the first quarter of 2019, we expect to release a new version of the "Cybersecurity White Paper" to let stakeholders understand ZTE's understanding of, attitude toward, and initiatives on cybersecurity assurance. In the meantime, the company has begun to build overseas security labs, which allow customers to review our products online; in addition, we are seeking strategic partnerships with third parties to acquire industry-leading technologies and services for security laboratory preparation, independent evaluation and security audits.
– Trustworthiness: The premise of winning customers' trust is to respect and understand the values of our customers by making the process transparent and regulated. ZTE passed ISO 27001 certification for its information security management system in 2005 and has renewed the certificate every year. In 2017, ZTE passed ISO 28000 (Specification for security management systems for the supply chain) certification. Since 2011, more than ten products have been certified under the Common Criteria (ISO/IEC 15408). In the past two years, ZTE has been working closely with customers, third parties and overseas regulators on activities such as source code review, security design review and supplier audits.
In terms of personnel training, we believe that the success of the cybersecurity governance program depends largely on personnel and security awareness. We have built security teams and trained security professionals. In the past year, we have added 27 certificates, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Assurance Worker (CISAW) and Certificate of Cloud Security Knowledge (CCSK). We have also organized learning, training, workshops, hands-on practice, and exams at various levels, and have trained more than 600 security personnel. But, most importantly, the development of security awareness begins with management. The Cyber Security Committee (CSC) is headed by the CEO, with the CTO as executive deputy director and the CSO as deputy director, and the Standing Committee of the CSC is made up of the persons ultimately responsible for the Supply Chain, System Products, and Engineering Services business units. The organization of cybersecurity assurance has been deployed throughout the management level.
Could you tell us more about the preparation and release plan for the security labs?
The security labs being built will be operated in a "1+N" mode. The center lab will be located in China, and multiple remote access points will be deployed at home and abroad.
The security labs will provide three functions: viewing and evaluating the source code of ZTE products in a secure environment; access to important technical documentation of ZTE products and services; and manual and automated security testing of ZTE products and services.
The construction will proceed in phases: two security labs are expected to be built overseas, in Belgium and Italy, in 2019. Moving forward, ZTE will consider establishing new labs in accordance with customers' needs and business development.
Recently, concern about national security has spread around the world, and the credibility of Chinese telecommunications equipment manufacturers has been questioned by foreign governments and enterprises. Some people believe that Chinese telecom vendors cooperate with government intelligence work. What is your opinion on this issue?
ZTE has never received any request from relevant agencies to set up backdoors in our products; the source code of our products can be opened to security audits by customers and professional organizations through our security labs.