
Development of standards could help improve cyber security, says Huawei

Out-Law News | 22 Oct 2013 | 10:11 am

The development and implementation of global cyber security standards could improve businesses' ability to fend off hackers' attacks on their systems, a leading Chinese technology company has said.

Huawei said it has been involved in developing cyber security standards in the telecoms market, but that standards are often developed in isolation and that it would be best for "a standard or set of standards for cyber security in the telecommunications context" to be developed. It said most of its stakeholders agree.

"It is difficult for stakeholders to come to an agreement on what those standards should be, or if new standards need to be developed," Huawei said in a cyber security white paper (50-page / 6.71MB PDF). "Huawei believes that we must collectively (vendor, carrier, and government) address these common challenges in a broad, rational manner that addresses the most commonly held concerns. While there is no global consensus about cyber security evaluation standards, Huawei believes that by building a fair and objective cyber security assurance environment, many of the common cyber security challenges can be overcome."

"The creation of a global conformity assessment program for ICT products would contribute greatly to the ability of purchasers of ICT products to make more informed decisions about ICT products and provide additional incentives for manufacturers and vendors to make products with fewer vulnerabilities and higher assurance characteristics," it said.

There needs to be a "common agreement" on what the problems are, in the context of cyber security, and how those problems can be solved, Huawei said.

"The reality is that the problem with standards is that they are not standard," it said. "We stress that this is a universal and industry-wide challenge. Just as the ICT industry has exploded around global technical standards and disciplines, so too must the industry work together to ensure the benefits of digital society through common and standardised approaches to security. We believe that one of the biggest challenges that vendors and buyers of technology share is a plethora of standards and best practices."

In Europe there are a number of initiatives relating to standardisation on matters such as data, information and systems security that are currently under development.

In accordance with the European Commission's cloud computing strategy, the European Telecommunications Standards Institute (ETSI) is to help set out what new standards are required for the way that cloud services work. Those standards could relate to data security, interoperability and data portability, the Commission previously said.

Earlier this year the European Central Bank also set out new security standards for internet payments that payment service providers, such as banks and credit card companies, as well as "governance authorities", have until 1 February 2015 to implement.

In the UK specifically, the British Standards Institute (BSI) has backed a new security certification programme for cloud service providers. The STAR Certification programme is based on the BSI's ISO/IEC 27001:2005 management system standard and criteria set by the Cloud Security Alliance (CSA), the international industry-led body for promoting security standards within cloud computing.

The UK Government is also currently in the process of developing industry-led cyber security standards for companies.

In August, SAP's global head of banking industry development, Don Trotta, told Out-Law.com that there was a drive from within the banking and IT worlds to develop banking IT standards that would help cut the time and costs involved in upgrading and maintaining legacy systems.