ZTE chief security officer sheds light on cyber security assurance
ZTE Corporation (0763.HK / 000063.SZ), a major international provider of telecommunications, enterprise, and consumer technology solutions for the mobile Internet, today sheds light on the company's cyber security assurance through its Chief Security Officer, Zhong Hong.
According to Hong, ZTE puts the security value of its customers above commercial interests, and complies with relevant laws and regulations on cyber security so as to ensure the end-to-end delivery of secure and trustworthy products and services.
Cyber security is one of the highest priorities for ZTE's product development and delivery. ZTE will establish a holistic cyber security governance structure based on the company's development strategy plan, with reference to international standards, laws, and regulations, thereby fostering good security awareness for all employees and emphasising the security of the entire process.
In order to achieve an end-to-end secure delivery of products and services, ZTE integrates security policies and controls into every phase of the product life cycle, establishing a cyber security assurance mechanism covering areas such as product development, supply chain and manufacturing, engineering services, security incident management, and verification and audits. Meanwhile, ZTE has also built the 'three lines of defence cyber security governance structure' to implement baseline, process-oriented and closed-loop security management.
In terms of organisational structure, ZTE has adopted the 'three lines of defence cyber security governance model' to implement and review cyber security from multiple perspectives. The business units act as the first line of defence to achieve cyber security self-management and control, while the company security laboratory functions as the second line of defence to implement independent security verification and supervision. The external professional institutions and customers act as the third line of defence, auditing the effectiveness of the first and second lines of defence.
ZTE's Product Security Incident Response Team (PSIRT) identifies and analyses security incidents, tracks incident handling processes, and communicates closely with internal and external stakeholders to disclose security vulnerabilities in a timely manner and mitigate the adverse effects of security incidents. As a member of the Forum of Incident Response and Security Teams (FIRST) and a CVE Numbering Authority (CNA), ZTE is collaborating with customers and stakeholders in a more open manner.
ZTE passed ISO 27001 certification for information security management systems in 2005 and has renewed its certificate every year since. In 2017, ZTE passed the ISO 28000 (specification for security management systems for the supply chain) certification.
In terms of security assessment, the company has internationally certified professionals with CISSP, CISA, CCIE, CISAW, and CCSK to enable mature multidimensional security assessment capabilities in the aspects of code review, vulnerability scanning, and penetration testing.
The detailed Q&A follows:
Question 1: The 5G era has arrived. Cloud computing, the Internet of things, big data, artificial intelligence, and other technologies are triggering a new round of industrial change. Against this background, the greater challenge facing the telecommunications industry is to resist the evolving cyber security threat. As a global telecommunications equipment and solution provider, what position does ZTE take on cyber security assurance?
Answer: ZTE believes the security value it provides to customers is greater than that of commercial interests, and the security features of products come first. Cyber security threats are a common issue that customers are facing. In my opinion, the biggest concern for customers is whether we have sufficient security control measures to ensure the secure operation of their equipment and services. ZTE's ongoing cyber security governance, in the past few years, has provided customers with a holistic end-to-end security assurance mechanism that makes products and services able to withstand cyber attacks.
ZTE is willing to communicate and co-operate with operators, regulators, business partners, and other stakeholders in an open and transparent manner, comply with relevant laws and regulations, respect the legitimate rights and interests of customers and end-users, and continuously improve management and technical practices to provide customers with secure and trustworthy products to create a good cyber space security environment.
Question 2: Recently, some governments have raised concerns about cyber security. From your point of view, how can ZTE protect the security and confidentiality of information for customers around the world? In other words, how do you help customers achieve the goal of jointly resisting cyber security threats, and how do you dispel customers' concerns about cyber security?
Answer: This question should be answered from two perspectives. One is our own: what should we do to guarantee cyber security, and how should we do it; the other is the customer perspective: how can our initiatives gain customer recognition and trust.
First of all, I think security is the intrinsic property of a product, so we put security in the top position. Secondly, on the one hand, we should fully understand the security needs of our customers, and on the other hand, we need to let our customers know that our products are secure. ZTE is running a long-term and continuous cyber security assurance programme, which is called "ZTE Cybersecurity Governance". Its vision is: "Security in blood, trust through transparency." The ultimate goal is to provide customers with end-to-end trustworthy cyber security assurance.
At the strategic level, cyber security is one of the highest priorities for product development and delivery. That is to say, in the key decision-making points in the process of R&D and engineering services, when we need to make choices, we will give priority to ensuring the security of the products. For example, in the product development process, we set the release gate. If a product fails the security test, the version will not be allowed to release. In the engineering services process, the technical and management methods are used to ensure the security operation of the customer network. For example, account management applies the need-to-know and the minimum privilege principles; all operations involving access to customer networks and data must be authorised in advance by the customers.
At the organisational level, ZTE has adopted an industry-recognised three lines of defence security structure. Based on the principle of separation of duties and responsibilities, ZTE oversees product security from multiple perspectives: the first line of defence achieves cyber security self-management and control; the second line of defence implements independent security verification and supervision; and the third line of defence audits the effectiveness of the first and second lines of defence.
In the product development process, the deployment of a multi-layer security verification mechanism ensures that security is reviewed from multiple perspectives. In the field of engineering services, according to regional, national, and project dimensions, the company has established a multi-level product security management team and a cyber security monitoring and incident response mechanism. The second and third lines conduct on-site inspection and audit in the field of engineering services to ensure the operation and maintenance of online products are secure and trustworthy.
At the tactical level, the cyber security assurance programme adheres to a six-point policy: standardisation, strict implementation, traceability, strong supervision, transparency, and trustworthiness.
1. Standardisation: the developed security policies and process specifications are infiltrated into each product and process. We regularly review the security specifications against the industry's maturity model and ensure they are enforceable and effective.
2. Strict implementation: the daily work of each business department is strictly implemented in accordance with the regulations. The company has issued a "Product Security Red Line", which drew an insurmountable security bottom line for customer network operations and personal data processing, mandatory for both organisations and individuals.
3. Traceability: the components of the product, the distribution of the product's location, and the record of the execution process constitute a complete picture of the product, helping us visually manage the product, for example, security incidents can be traced back and reviewed.
4. Strong supervision: check the effectiveness of the implementation of the regulations and specifications through internal and third-party security audits. The audit results are reported to the Audit Committee; rectification and review must be followed up.
5. Transparency: cyber security initiatives should be transparent to customers, and we have deployed a series of initiatives to make the process transparent.
In 2017, the company became a CVE Numbering Authority; the relevant parties can follow the handling process of vulnerabilities in our products through the formal vulnerability disclosure policy. In the first quarter of 2019, we are expecting to release a new version of the "Cybersecurity White Paper" to let stakeholders understand ZTE's understanding, attitudes, and initiatives on cyber security assurance. In the meantime, the company has begun to build overseas security labs, which allow customers to review our products on site; in addition, we are seeking strategic partnerships with third parties to acquire industry-leading technologies and services for security laboratory preparation, independent evaluation and security audits.
6. Trustworthiness: the premise of winning customers' trust is to respect and understand the values of our customers by making the process transparent and regulated. ZTE passed ISO 27001 certification for the information security management system in 2005 and has renewed its certificate every year since. In 2017, ZTE passed the ISO 28000 (specification for security management systems for the supply chain) certification. Since 2011, more than 10 products have been certified under the Common Criteria (i.e., ISO 15408). In the past two years, ZTE has been working closely with customers, third parties and overseas regulators to conduct activities such as source code review, security design review and supplier audit.
In terms of personnel training, we believe the success of the cyber security governance programme depends largely on personnel and security awareness. We have built security teams and trained security professionals. In the past year, we have added 27 certificates, consisting of CISSP (Certified Information System Security Professional), CISA (Certified Information Security Auditor), CISAW (Certified Information Security Assurance Worker) and CCSK (Certificate of Cloud Security Knowledge). We have also organised various levels of learning, training, workshops, hands-on practice, and exams, and have trained more than 600 security personnel. But, most importantly, the development of security awareness begins with management. The Cyber Security Committee (CSC) is headed by the CEO, with the CTO as the executive deputy director and the CSO as the deputy director; the Standing Committee of the CSC is made up of the ultimately responsible persons from the business units of Supply Chain, System Products, and Engineering Services. The organisation of cyber security assurance has been deployed throughout the management level.
Question 3: Could you please introduce more on the preparation and release plan of the security labs?
Answer: The security labs being built will be operated in a "1+N" mode. The centre lab will be located in China, and multiple remote access points will be deployed at home and abroad.
The security labs will preset three functions:
1. View and evaluate the source code of ZTE products in a secure environment;
2. Provide access to important technical documentation of ZTE products and services; and
3. Provide manual and automated security testing of ZTE products and services.
The construction will come in phases: two security labs are expected to be built overseas in Belgium and Italy in 2019. Moving forward, ZTE will be considering the establishment of new labs in accordance with the customers' needs and business development.
Question 4: Recently, concern about national security has been spreading around the world, and the credibility of Chinese telecommunications equipment manufacturers has been questioned by foreign governments and enterprises. Some people believe that Chinese telecommunications vendors co-operate with government intelligence work. What opinion do you hold on this issue?
Answer: ZTE has never received any requests from relevant agencies to set up backdoors in our products; the source code of our products can be opened to security audits by customers and professional organisations through our security labs.