February 4, 2014
When it comes to trust and sharing, cyber security is governed by the same rules as those applying elsewhere. Let me illustrate the practical aspects of this with an example: the family. Who can we trust more than our nearest and dearest?
I work away from home a lot but after 26 years of marriage, I trust my wife will not have an affair.
However my wife does not trust me to park her car.
I absolutely trust my children but I have never bought them a gun.
Even within our homes, trust and sharing are not straightforward and are not symmetrical – just because I trust you with asset “A” does not automatically mean that you trust me with asset “B”. Trust is based, for instance, on the maturity of the recipient, along with experience and track record – I have crashed my wife’s car on more than one occasion.
Therefore a similar set of rules needs to be defined before we can press ahead with the wide-scale sharing of cyber security information.
Let me start by defining what we mean by “information” in this context, which broadly falls into three categories:
- Threats. There are bad people out there, so we have a duty to inform the community of this. In this regard we need to be careful whether we want to scare or educate, while carefully tailoring the message to the recipients.
- Incidents. When an incident happens, we want to draw on the experience of others who have faced similar incidents – making these experiences available can significantly help others. But what about brand damage? We need to think about the roles of politicians, the industry and the media in creating incentives for positive incident reporting.
- Vulnerability information. This type is the most tricky one. All products from all companies on all networks have the potential for vulnerabilities. The sharing of this information can be the most damaging: if it gets into the wrong hands, everyone is exposed.
Therefore, we need to think about how we vet recipients. In the UK for instance, sharing of information is established via a voluntary unwritten code of conduct, where the time to build trust is shortened by the vetting process for key posts.
A more fundamental and basic question relating to information sharing is this: “what do we expect the recipient to do with this new information?”
We believe that 80 % of the current security breaches could be addressed if people just did the basics, like patching, using robust passwords and reducing access to administrator rights on a system. So far, industry, policy makers and media have not managed to communicate this simple message properly.
If I am at risk of dying of thirst, drowning me in a lake doesn’t help. So why would we be more successful if we bombard each other with more information?
We need to look at why we have not managed to adequately communicate simple messages to the broad community before we rush to expose ourselves to sharing confidential information in an unstructured manner. Our initial target has to be overcoming our failure to address the basics.
In my view, the work of the Network and Information Security (NIS) Platform is important as it has set itself the task of ensuring that any proposed solutions must be able to scale down to small businesses rather than focusing on solutions that can only be implemented by large organisations.
We are as strong as the weakest link in our supply chain; therefore cyber security can only improve when we can raise the bar for everyone.
Mr Francis has recently been appointed as Huawei’s Cyber Security Officer for the UK market.
He started his career with British Telecom as an engineer and has held several positions in the IT sector in the UK and the US since. Prior to joining Huawei, Mr Francis was a Chief Operating Officer with an eCommerce platform. He has worked for Symantec for over nine years, the last five of which as Vice President of Operations. At Symantec, he was responsible for the SaaS / cloud operations unit, consisting of over 300 staff globally.
Working closely with government and local authority customers, he has a vast experience with cyber security challenges and requirements for both the public and the private sector.