A post from Huawei’s CSO for the US, Andy Purdy, rates President Joe Biden’s sweeping May 2021 Executive Order on Improving the Nation’s Cybersecurity as “the bare minimum that companies should be doing”.
Purdy, a former White House adviser on cyber security, makes some decent points – especially when pointing out that the Executive Order is only binding on federal agencies and their private sector suppliers.
“For companies that don’t do business with the government, they’re simply guidelines,” Purdy wrote. The CSO therefore called for the US’s Securities and Exchange Commission to force businesses to adopt sound security frameworks like that offered by the National Institute of Standards and Technology.
“The US and other countries must work together more closely and share information more openly than they do now,” Purdy stated. “Governments and companies must also leverage the decades-long effort to develop norms of cyber conduct.
“This is an opportunity for the US to work collaboratively – not only with its G7 and the G20 partners, but with China and Russia and other countries – to build a more rules-based order for cyberspace that has requirements steeped in standards and best practices, transparency and conformance mechanisms, and meaningful accountability.”
The USA and China already have a mutual non-hacking pact but each nation regularly names the other as a source of hostile electronic attack. US President Biden has accused Russia of doing far too little to curb the activity of ransomware gangs operating from its soil.
While Purdy mentioned the UN’s Group of Governmental Experts on Advancing Responsible State Behaviour in the Context of International Security as an effort that could stop nation-state cyber-skirmishes if only big nations signed up, major powers aren’t exactly enthusiastic participants in its development.
They have also avoided engaging with similar entities like the Global Commission on the Stability of Cyberspace.
Why is Purdy tilting at diplomatic cyber-windmills? The following extract from his piece may explain why: “It would be a major step forward if governments and global companies would subject themselves to auditable testing and verification processes for critical components and legal processes in the countries with whom mutual trust agreements are signed.”
In The Register‘s opinion, that’s Huawei arguing that if the US and China had better infosec agreements, China would vouch for Huawei and the US could therefore shop with confidence.
Which sounds great in theory, but also naïve – we know the US targeted Cisco and Juniper devices to improve its intelligence prospects. And once the US, or any other nation, knew the rules, they’d also know how to step around them.
- The Register report