Governments across the world are looking for the right answer to how they should balance cybersecurity with privacy, said John Suffolk, president and global cyber security & privacy officer, Huawei. He said we should expect an answer in the next 3-5 years. He also talked about the use of Chinese telecom equipment, artificial intelligence, Aadhaar and India’s cybersecurity preparedness. Excerpts:
How would you view cybersecurity in India, compared with what’s being done globally?
Every day, you see news about a big data loss or someone’s critical infrastructure being attacked. Because so much of the world now is digitised, cybersecurity, which also has a privacy angle, becomes more and more important.
So, security will continue to be, and rightly so, uppermost in people’s minds. The challenge is that in technology we have all this legacy that we have to maintain and secure. We always talk about the boring mundane work of security, such as making sure your machines are updated; but with the next generation of technology, it becomes substantially more complicated.
India is no different from any other country. It has some areas where it is substantially advanced, because of Indian heritage in terms of the technology industry, its software development, and its services…all that is far advanced from many other countries. But also, other countries are more advanced in terms of how they have digitised their public services faster. We don’t compare whether country A is higher or lower than country B. The reality is strategy for India is strategy for India. It does not compare with strategy for France or the strategy for Mexico. It’s what India is doing in the next period which is, from what I can see, quite a substantial digitisation programme. And I think India is well placed for that.
What India is doing right, is it is taking a pretty holistic approach to cybersecurity. It is thinking about how it wants to handle policy, how it wants to operate in a multi-vendor world, because as you know, the world is made up of millions of vendors.
India has unique challenges of geographic spread, in terms of scale, and in the number of citizens. And if you look at some of the technological achievements that India has done… Its biometric programme [Aadhaar] is world-class. I remember coming over here as a U.K. government official, talking to Indian officials about it: how are you going to do biometrics?
Because we were looking at biometrics in the U.K., and technically it is really challenging to do at scale. The U.K. is [on] this little scale, and India is [on] this massive scale, and look what has been achieved. It’s very impressive.
Questions are being raised over privacy, with Aadhaar. How do you balance security and digitisation with privacy?
This is the question that everybody is asking around the world, and everybody is looking for this magical answer, and there isn’t one. There is a challenge for governments in terms of ‘How do you balance the whole issue between security and privacy? How much control do you give to the citizen?
How much do you actually automate? Do you want everything automated?’ Everybody is now saying that because all of our data is going online, with all the public services being digital, where you have criminals themselves using digital services to attack other digital services, there has to be this balance. I think what most people in the world would say is there has to be a balance, but no one really at the moment can say, ‘This is how we strike the balance.’ And India, like many other countries, is asking the question as to that right balance. Even in America, the government is asking the tech industry to build back doors and the industry is saying it’s never ever going to happen... this is just people trying to work out a balance. My belief is that an answer will come over the next three to five years.
What is your take on the EU’s General Data Protection Regulation (GDPR) and its impact?
I lead privacy as well. Much of my time is currently spent in Europe on GDPR. We see GDPR as a great help.
Many people look at cloud computing as a commercial option, because they can have typically three data centres in the world, reducing infrastructure cost. The problem is your data is then located in one of those three infrastructures, and if there are no privacy laws, your data is not safe. Europe has come along and said, ‘You must protect EU citizen data.’ We don’t transmit much of our European data outside of Europe. However, some things like employee data goes back to China. We have to prove to regulators that the data has the same level of protection as does data stored in Europe. So, we have seen privacy as a very good opportunity, because it reinforces clarity of what is right and what is wrong.
I see privacy as a positive thing, not a negative thing. I think firms should embrace it as a positive thing. For some companies, where they would prefer to be able to do anything with the data captured, it will be a big challenge for them.
For security and privacy, who do you think should be the driving force — the government or the industry?
Well, it depends. The answers for privacy and for security are different. Often, privacy is enshrined in law. So, the driving factor is the law. You can do this, you can’t do that. In security, there are actually very few security laws. There are many best practices. And there are many technical standards, but not laws.
But, you cannot do good privacy, without having the best practices in security. If I do not encrypt data on my mobile devices, I lose my device and [others] have access to it. Privacy and security, they go hand-in-hand. You can’t have one without the other, you can’t have good privacy without good security.
In India, there is discussion on equipment and devices from Chinese firms.
It’s an approach which has been discussed for the last 7-8 years, but let me just give you a single statistic.
If you open up a piece of Huawei telecommunications equipment, 70% of what’s in there is not Huawei. Typically, the biggest providers of components to Huawei’s telecommunications equipment are American technology companies. So, you are not banning Huawei or singling out Huawei, you are singling out a global supply chain, in which only 30% is Huawei.
You could argue that that 30% could be bad. We understand that. This is why we offer full transparency; we offer this thing called ‘many eyes and many hands’. We don’t care how many people come and look, we give them access to everything, to every facility, every manufacturing [bit], every piece of source code, they can look at all of our tools, they can come and test themselves. Singling out any particular vendor doesn’t work because it’s just a label. Even for mobile phones, what’s in there is the Android operating system, which is American.
Yes, it may be running on a Huawei chip, but all the permissions that you have there are controlled predominantly by Google. With mobile devices, because they are so open to the public [and] to the security community, it’s really hard to hide anything that’s going on there. And if you do something foolish, it’s going to ruin your reputation. In telecommunications, it’s harder... So, it’s right for people to ask the question about the safety and security of equipment going into critical infrastructures.
India is working on a policy to secure mobile phones, triggered by reports of data leaks from Chinese vendors.
Yes, they did. Let’s not be embarrassed about this. Every government should have the right to ask any of these questions. Citizens of a country would think less of their government if they didn’t ask these kinds of questions… you tend to find that most countries will have an open policy of all vendors, but they might actually have certification schemes and testing schemes in there because they also need to satisfy themselves and the citizens of their country that they are taking appropriate measures to reduce any risk. It’s pretty common around the world. We will always support a government doing that.
For mobile phones, who is liable for security certifications? Will it be hardware versus software?
It depends on what they write in the policy. The moment you put an application on base Android, Google has no liability, because they don’t know what these applications are going to do. Maybe the consumers should be liable as they are the ones who have downloaded the application. But they are not going to accept liability. So, these things are easy in theory to say, ‘Well, we are going to certify,’ but what am I going to certify? Is it an empty phone, is it base Android? What do I do with applications? And you suddenly find a simple concept actually turns out to be almost impossible.
If you are trying to ensure that the applications are not stealing the data...the standard Android permissions enable you to turn off access to microphone, video camera, contacts etc. That actually works.
Some of that is pure bad application design. Rather than saying, I only need access to A, the application wants to access everything because it is easier from a development perspective. So, I think over time, we will see more control of applications, more validation that the application is locked down to doing only what it does.
Many of the mobile phones, even Apple phones, use common components, so certifying anything will prove nothing. There isn’t a great deal of difference between iOS and Android...sometimes iOS will be better, sometimes Android will be better. So, I think it comes down to making sure the end user of the device has total control in what the device does.
How is security changing with artificial intelligence?
The debate on security and things like AI, it is polarising. You have the Elon Musks of the world saying that unless we begin to get a handle on artificial intelligence — his words, not mine — this becomes an existential threat to humanity. You get the others who are saying, ‘No, AI could only be a good thing’. Today, we know that things like artificial intelligence, robotics, big data, will be a fundamental change to the way that we use technology but we can’t actually see what all of the ways will be.
Of course, there may be some bad things that artificial intelligence or robotics could be used for... we don’t see artificial intelligence as a thing on its own. We see artificial intelligence being embedded into our system. We are building AI into the device because you own this device, you control this device, you control what goes on it and your data is on it. We are looking to build AI into devices that help our customers have an easier life.
We support over a third of the world’s population... that is millions and millions of locations and sometimes there are errors, the hardware fails or the software fails.
The old way of doing that is to send someone to have a look at this problem. We are now building AI into our global network that will help us identify where a problem ‘might’ occur.
This is all about efficiency and effectiveness. If we do not have to send tens of thousands of engineers all over the world, it means we can provide a better service to our customers at a lower price, and that price is then reflected back to the customer.
We see artificial intelligence as a way of making individual lives easier, but also making the mundane work of companies be more efficient, where intelligence can do that work for you. And that ties in with big data.
What about security and privacy? The answer is, you don’t know because you cannot second-guess every kind of invention or innovation. Policy does come in, but policymakers are saying, ‘If we don’t understand what the new invention is going to be, how can we write a policy?’ And you can’t. Therefore, this is why sometimes policy lags the invention.
This whole issue of privacy and security is coming to the fore, because people are beginning to think about, ‘We don’t know where the next innovation is going to come from. We don’t know what law that innovation is going to be based on. We don’t know where it’s going to be operated from...where the data is going to be stored. If the data is stored in multiple legal jurisdictions, whose law is dominant?’... No one country can say, ‘My law is king,’ because technology may not be there.