ORLANDO, Fla. -- In the face of a recent congressional report warning U.S. companies against using equipment provided by Chinese telecommunications vendors Huawei and ZTE, Huawei Technologies CSO Donald "Andy" Purdy said that his firm is committed to working with the United States to help solve the many complex cybersecurity issues facing its critical infrastructure and the private sector.
In remarks Thursday during a wide-ranging panel discussion on critical infrastructure protection, cyberespionage and the theft of intellectual property at the 2012 Cloud Security Alliance Congress, Purdy reaffirmed his company's commitment to cybersecurity, in part by intimating that his company's fortunes are tied to U.S. interests. Purdy said 32% of all Huawei components come from the U.S. He said the vendor works with at least 400 U.S. companies that supply capabilities for its telecommunications equipment.
"Those are thousands of jobs," Purdy said. "We are willing to work to help address the very difficult challenges of global supply chain risk."
At times, when pressed by other panelists on China's role in addressing cybersecurity issues and putting an end to China-based attacks targeting U.S. firms and their intellectual property, Purdy appeared to fall back on prepared remarks. He applauded discussions between the U.S. and Chinese governments that have focused on solving the issues and said "critical agreement can be reached in what can be appropriate forms of behavior" with respect to cracking down on organized cybercriminal operations.
"We agree with the administration that the risks in the supply chain are very significant," Purdy said. "We need to come up with solutions and models that work internationally and we are prepared to play a role in that with other countries and governments to do something about it."
An October congressional report warned that Huawei and ZTE pose a significant threat to the United States and their products should be barred from U.S. government networks. The report also recommended that enterprises avoid the vendors' equipment, citing the potential for "malicious Chinese hardware or software implants."
The panel discussion also included security industry heavyweights Paul Kurtz, Tom Kellermann and Marcus Sachs. Kurtz, managing director of the international practice at security engineering company CyberPoint International, warned that a massive amount of intellectual property is being stolen from both U.S. companies and firms abroad. A former White House advisor on national security issues, he said the private sector is going to play the biggest part in solving the problem.
"I don't think government is going to come save the day here," Kurtz said. "It's been so easy to get in and out of systems because of poor coding that it has created a tremendous amount of opportunity for a wide range of players."
Internet service providers may need to play a bigger role in securing the Internet, said Kellermann, vice president of cybersecurity at Trend Micro Inc. Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, called for a more fluid mechanism to facilitate the shutdown of blocks of IP addresses that are the source of denial-of-service attacks.
Sachs, vice president for national security policy at Verizon and a former White House cybersecurity official, called for more industry conversation, specifically regarding the security expectations that should be set for Internet service providers.
"An open debate is something we really need to get engaged on as to what is the appropriate role of the ISPs," Sachs said. "I don't want the balance to be where the ISP becomes the police department."
Purdy said the federal government and the private sector should work together to create a strategic plan on cybersecurity laying out milestones. He said resources need to be put in place to hold individuals accountable to the milestones.
"A piece of our strategy should be how to coordinate how to block malicious attacks as early as possible," Purdy said. "When folks see malicious conduct coming from a particular IP address, I'm suggesting the ISPs be the ones that shut down the malicious activity rather than having the government do it."