Aloysius Cheang, Chief Security Officer at Huawei UAE, tells Anita Joseph, Editor, Security Advisor Middle East in an exclusive interview, how the company has adopted a secure-by-design philosophy that incorporates cutting-edge security into all of its products and services.
Tell us about the cybersecurity landscape in 2022-what are the trends we must be aware of?
Ransomware will continue its onslaught in 2022. So, this will be a key issue. And it’s likely that ransomware will be evolved into targeting certain applications and OT/IoT, and even autonomous vehicles could be hit. So that’s one of the things we’ll see developing and shifting gear this year. Additionally, Metaverse is something that cannot be ignored-either the convergence of the different worlds in the Metaverse will bring forth a new era, or everything will crash and burn with nothing left to spare. With the Metaverse becoming a reality in the near future, the boundaries of this universe are going to be very, very hard to define with a lot of grey areas with the entire ecosystem going to be more and more fragmented. So that’s one of the reasons why regulators are always trying to catch up, because it takes a lot of efforts to keep pace with all these new technology developments.
Therefore, I say that when all the dust settles, cyber security will be the key to deciding how we are going to address the adoption of Metaverse and what our strategy will be in supporting immediate digital transformation needs and our Metaverse future.
With remote and hybrid working becoming the trend now, the security of connected handheld devices is a huge concern. How is Huawei addressing this issue and what’s your approach there?
I think our approach is very simple – promote a culture of cyber hygiene and build a culture of security within the companies, so that you will know how to maintain a cybersecurity green pass for not only our cloud but also all the endpoints. These days, every person will carry at least eight IoT devices with them. Personally, I have more than one mobile phone, and that means that I have more than one potential risk that I need to be aware of and address. So having a good cyber hygiene will help build a culture of security as the first key step.
Step two will be automation – relying on the power of the cloud to bring AI-powered security that will have you make the right decisions at the right time in the right place. Look at it this way: you have so many things to address, particularly the collision of the physical and digital worlds. Therefore, it becomes extremely difficult to track the cybersecurity loopholes that open up every now and then. As a result, you need something that will help you and this is where automation will come, in the form of AI-powered cyber security capabilities that are supported by vast storage and computing capabilities of the cloud. This is what it takes to address the threats brought about by the new norms of working today, and that means we’re constantly building capabilities for information sharing and coordination to address any cyber security threats real-time and holistically.
We’re not trying to say that we can do information sharing and coordination at a global level; that would be unrealistic. However, we can do that at the regional level or at the sectorial level-that is actually possible. So, this is where we will be pivoting towards-that will support establishing the UAE as a trusted digital oasis for the region.
Other than ransomware, what do you think would be a few areas of concern this year?
Well, as I said before, one of the key targets of ransomware will be IoT. Hence, I would say that this is also going to be the era of the Internet of Vulnerable Things. This includes devices from mobile phones and smartwatches to laptops or even self-driving vehicles. At the end of the day, there is a maturity of security of endpoints today. 10 years ago, the security of the cloud was the talking point. Everybody was concerned about migrating to the cloud and risking losing all their applications, their control, and privacy. But today, the conversation is going the other way of the spectrum, which are the endpoints. Here again, the problem is magnified multi-folded, because when you look at the cloud, there’s only a few providers like HUAWEI CLOUD and some others, but when you talk about endpoints, we are talking about billions and trillions.
Do you think 5G or any of the networks will add to the security concerns?
5G and cloud are the two fundamental pillars supporting digital transformation that we need to safeguard, in order for us to have a secure and resilient ecosystem as we move to the digital era. So obviously, we need to address the security of 5G and cloud, looking at them from different aspects.
The security landscape of 5G and the cloud is forever evolving. And that is why we shouldn’t rest on our laurels. We thought that we know what cloud and cloud security are, and we’ve also heard a lot about the need to build security for 5G recently. Like for example, the GSMA together with 3GPP has issued the NESAS & SCAS certification for 5G equipment. So that’s why last year at GISEC, we announced the formation of a 5G security working group with OIC-CERT and just a couple of weeks ago we have completed the development of the 5G security framework that is ready-made for OIC member states within 8 quick months. The OIC 5G Security Framework is a living document that we will continue to maintain and update to address the evolving needs of the new technology because whether is it 5G or cloud computing, these are new and emerging technologies that one cannot hope to solve the problem using traditional standardisation routes- because international standardisation are most effective when it comes to mature technologies given that any standard developed will stay relevant for the next 3 to 5 years minimally with very minor needs for any update. For emerging technologies such as 5G or cloud, we have to consider and expect that things will evolve every 18 months or even less.
So, to summarise, we need to look at 5G security as something new, every day. And for that reason, we have worked with OIC-CERT to develop the 5G security framework that was announced weeks ago to address the needs of OIC nation states especially in this region and that Framework will only get more relevant in time as we incorporate localised elements in the Framework as a living document
Have you planned any new security initiatives or strategies for 2022?
In Huawei, we have a long-term cyber security strategy, where we are still executing the strategy. In essence we have adopted a security- first mentality within the company, making cyber security the top most priority within the company that permeates from person to process to department and business units, in the process implementing layered security or defence-in-depth, supported by a strong zero trust security model. As such, as we embrace the Metaverse, we have to ensure that all our products and services are secure by design. This means that we have to ensure that cyber security and privacy and protection mechanisms are inbuilt by design right from the beginning rather than as an afterthought.
We need to return to fundamentals by optimising and streamlining our processes. This includes looking at some of the issues and readdressing them based on our key strategy. Thus, we’re going to make sure that when we look at any one of the new products or services that we’re offering right now or any new products or services that will be offered in future, cyber security and privacy protection will be guaranteed out of the box to meet any compliance requirements or regulatory regime.
More importantly, from the perspective of the user, we will ensure that our users will have peace of mind when using our products and services, because their peace of mind is our peace of mind.
Cybersecurity will never be something that we can compromise on. So we remain committed to ensure that it’s given the topmost attention and addressed at the highest levels. Because in security, there is no compromise. This is our strategy for 2022.
