
Huawei

Navigating the Complex Landscape of Cyber Security: A Shared Responsibility.


We live in a highly interconnected world, where the physical and digital realms are converging and network boundaries are increasingly blurred. Over the past few years, a succession of critical vulnerabilities, supply chain attacks, and advanced persistent threats (APTs) have emerged. Cyber security threats have become ubiquitous, arising in products and services, operations, internal IT systems, supply chains, code, and personnel. Governments around the world are paying greater attention to cyber security, and have adopted laws and regulations to strengthen the governance of cyberspace.

With digital transformation picking up pace, cyber security has become a cornerstone of the future digital intelligent world. Business success will not be achieved without it. New technologies – such as cloud computing, artificial intelligence (AI), 5G, and big data – bring with them many opportunities. But clearly there are also risks.

Such cyber security risks are a common challenge, one that all stakeholders – including governments, industry and standards organisations, enterprises, infrastructure operators and technology suppliers – have a shared responsibility to confront.

But what does this shared responsibility actually look like in practice?

On the one hand, it is relatively easy to define the roles and responsibilities of each of these stakeholders. Governments create laws, and regulators oversee and enforce them. They also set the standards and requirements for compliance, drawing best-practice guidance from the global standards ecosystem. Standards organisations can tell us what “good” cyber security looks like. They also define what checks and tests should be performed to demonstrate compliance with a given standard. Service providers and operators in turn should implement secure and trusted infrastructure, in accordance with laws and regulators’ requirements, and in compliance with the various standards. They must of course monitor for security events and build robust awareness and education programmes. Product manufacturers, like my company, must build secure and resilient products using a secure-by-default and secure-by-design philosophy, and certify those products where possible. This also requires ongoing awareness, education and a strong culture of security across the entire organisation. Last but not least, enterprises and citizens have their own responsibilities, and should also follow best practices in all aspects of cyber security and maintain good operational hygiene.

However, in reality and in practice, the world is a little more complicated. ENISA, in its Methodology for Sectoral Cybersecurity Assessment (September 2012), explains that we must face these challenges in a context of complex systems containing multifaceted interactions between components, products, infrastructures and services. It is particularly complex for sectoral systems, which include all functions that are specific to the provision of services to a particular market sector targeted at end-users. Sectoral ICT systems usually rely on ICT infrastructure services for specific functions. These ICT infrastructures are made up of a variety of products, and each product is itself a set of complex components. Therefore, the security of a system relies on all of the actors taking responsibility for their obligations.

Consider the cloud. Cyber security at a traditional data centre is tasked with protecting all of that data centre’s technology assets so that all applications and services can operate without risk of outage in a stable, secure, and high-performance manner, ranging from internal-facing data centre operations and maintenance (O&M) to customer-facing IaaS, PaaS, and SaaS cloud services. However, cloud security services typically support the customisation of a variety of advanced security settings according to each tenant’s security needs. A Shared Responsibility Model provides clarity around who is responsible for the security of each element.

Consider AI. AI systems come about through a complex set of interactions and technologies provided by numerous actors. AI technology and AI platform providers are very often not the same entity as the creator of an AI algorithm. These entities are in turn very often not the same entity as the actual deployers of the algorithm for a specific use case. The data used to train the algorithm may have been collected and provided by yet another entity. It is important to fully map and understand all of these interactions in order to have absolute clarity about the different roles in an AI system, and therefore to be in a position to clearly understand each actor’s responsibilities. Of course, this will be an essential element of demonstrating compliance with the AI Act once it is finalised.

In order to have an effective Shared Responsibility Model in place for the security of any given IT system, the first step is to break down and understand the actual reality of the various roles and responsibilities within that system. The telecoms industry has taken some steps to do this for 5G via various initiatives underway within the GSMA, the global telecommunications association. The Network Evaluation Security Assurance Scheme (NESAS), aimed at equipment manufacturers, and the Security Knowledge Base, aimed at network operators and service providers, provide practical and useful cyber security advice for all of the actors across the entire 5G ecosystem.

It is also true that for any Shared Responsibility Model to succeed, a number of elements will need to be in place. The first and most obvious element is a platform that allows the different stakeholders to work together, to collaborate, to actually share. The GSMA example mentioned above is a good example of such an industry-specific collaboration platform. Of course, platforms can facilitate cross-sector and cross-industry collaboration too. To effectively manage and mitigate risks, a holistic and truly collective viewpoint is always better.

I can think of one industry that does shared responsibility very well and from which I believe we can all learn: the aviation industry. Aircraft manufacturers, airlines, airports, and the passengers all play their part. Safety regulations, safety standards, security measures, and a safety culture are all now taken for granted. This is shared responsibility in action.

We should all welcome this Shared Responsibility Model and look forward to cooperating together to build better cyber security protection capabilities, to share value, to embrace both the challenges and opportunities, and to foster a better life for everyone in our future digital world.
