Ladies and Gentlemen, it is indeed a pleasure to be able to participate in such an important and wide ranging conference that is taking place in Melbourne over these few days.
One only has to read the general media, and not even the technical media, to understand that cyber security and its influence on emerging technologies are being cast as global issues now and in the future. As I will refer to shortly, there are changes taking place that are making some of the established and traditional large players uncomfortable. There does not appear to be a willingness to discuss and develop global processes to deal with this changing environment; but more, a want to protect the status quo, a reaction to say NO first rather than HOW, how can we integrate new developments within a new security assurance framework.
Thus this conference, along with others I know many of you are participants in, takes on more importance than perhaps ever before. Because if real experts in technology, academia, legislation and global protocols, cannot come together and design processes and frameworks, then the practice of electronic governance of which cyber security is an important part, will remain the domain of intelligence agencies, militaries and agenda driven politicians.
To not address a global governance framework for ICT governance and particularly the aspect of cyber security, will see the growth and development we have worked hard to achieve globally splutter, and this will impact on the efforts to raise the world’s less well off to a better standard of living. Global coordination of infrastructure and technologies, and the benefits of a growing global economy through global trade, are essential for all of our futures.
HUAWEI AND THE GLOBAL ENVIRONMENT
Huawei is a private technology company which prides itself on building high quality, secure products for its customers. It is a highly innovative and globally competitive technology pioneer. Through foresight, hard work, and integrity it has become the world’s largest end to end ICT infrastructure company, annually being in the top five of global patent applicants and in the top five companies in R&D expenditure globally. Its products have helped over 170 different countries enjoy the mobile communications we now take for granted. It has been poked and prodded by national security agencies worldwide, and not once has there been any evidence of a security issue. In fact, Huawei has received many rewards for the quality of cyber security of its products.
But somehow Huawei has found itself in the middle of a global Technology War, with Australia banning the use of Huawei equipment in its 5G networks and the United States of America endeavouring to collapse the Company’s global business. It has become embroiled in national security debates through inference and accusation, rather than fact or proof. From this singular perspective, the West must reject eastern technology and deny access by the East to western technology.
But West v East is over-simplified. What is happening is that all countries are being offered new innovation and technology from non-traditional countries of origin. For many past decades, leading technologies came from the US and Europe. But now we see an emergence of companies from China, and soon more of Asia, who are leading in areas of innovation and technology. Some traditionally minded countries are scrambling to accommodate this inevitable change. A global Technology War is being nurtured, and nobody can predict where it will end.
One thing is clear, however, is that it will have a substantial economic impact on all nations, not only the protagonists. It is not just a 5G Technology War. The scope will expand as new technologies emerge. Smart cars, Robots, Artificial Intelligence and Virtual Reality technologies will be added to the list of infrastructure which is considered under a national security threat.
We live in a global world – Research & Development and Innovation. Chinese companies are now producing some of the world’s best and lowest cost technology and so it is inevitable that manufacturers the world around are using them as a source for their components, and businesses globally are purchasing Chinese products. Chinese companies leading in some technologies are just the start. In 2015 sixty percent of the world’s middle class lived in the United States or Europe. Some forecasts are saying that by 2030, sixty percent of the world’s middle class will be living in Asia – not just China, but India, Indonesia, Vietnam etc. This will drive economic growth and education, which will feed the growth of more and more innovation, technological development and ultimately leadership from within Asia. The global community needs to recognise this, encourage it, and manage it for the benefit of all.
We live in a global world – Supply Chains. In March 2012, a report published by the US Government Accountability Office examined the risks in the Government’s supply chain. The report identified that a simple laptop might contain components from 18 separate companies. Other reports on supply chain components have confirmed the global nature of technology products. Huawei itself expends an enormous amount of effort managing the quality and security of its supply chain. A broad rule of thumb for Huawei’s supply chain is 30 percent from the US, 22 percent from Taiwan and Asia, 30 percent from China, about 15 percent from Europe. But it is worth it, this diversification – the benefits of global sourcing enable us to produce better products, more economically. Closing the door on global technology sourcing to mitigate a speculative risk to national security will be painful. We are already seeing the bans on Chinese technology spilling over to reciprocal bans in other areas of trade. It will also affect manufacturing – many western companies have outsourced their manufacturing to China and repatriating it will be a long, difficult, and expensive, process. And is that what we really believe is the best solution?
Supply chains are global, trade is global, and solutions to problems need to be global.
ELECTRONIC GOVERNANCE IN THE NATIONAL SECURITY DEBATE
You may well now be wondering what all this has to do with your theme Electronic Governance. Well 24 months ago I did too. Then, there were a handful of global players endeavouring to be the absolute best at cyber security. Trying to provide their customers – companies, businesses, utilities and even governments, with the best cyber security defences in their products.
But then the debate started to change. A nationalistic theme emerged where some of these leading global players were accused of being so good that they could engineer their products and damage national security. No discussion, no industry and government dialogue, but just a singular shrill call of the dangers to a country’s security.
Of course they really were misusing the term national security, they were alluding to specific areas of security, such as physical, supply or data security. A nation needs to be safe (secure), but it also needs to be prosperous. To have real national security, it also needs national power to be able to achieve its objectives. A key part of national power is a nation’s economy. And to be truly economically robust requires use and optimisation of innovation and leading edge technologies in the infrastructure, commerce and core of a country’s structures.
By banning a global leading player, in Australia’s case Huawei from participating in its 5G future, Australia has accepted the dual penalties of delays in its digital future and substantially more cost, and furthermore is eroding global trade norms for overseas investment and trade.
There is no doubt that the cyber environment contains many threats, and ICT infrastructure can be a key vulnerability. However, banning competition in technology is not the best way of addressing such infrastructure risks. The UK has decided that it can mitigate some infrastructure risks through using a Cyber Security Evaluation Centre (CSEC) to reduce risks through testing. Likewise, Germany has also addressed how it can manage the risks for infrastructure from companies with innovation and technology from non traditional sources. The Governments of the UK and Germany, and many across Europe, are actively working with Huawei in doing advanced security evaluation in Huawei-funded Labs. This is a risk mitigation strategy to any perceived cyber risk in the use equipment in national infrastructure. However, this does not mitigate the risk from all suppliers so is only a partial solution. All equipment going into the national infrastructure should be evaluated in a consistent manner, within a framework applicable to the whole of industry.
This was the vision that the five western nations forming the group “Five Eyes” had when they established the Common Criteria evaluation scheme in the late 1990s. This scheme was designed as an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they met an agreed upon security standard for government deployments. Australia has its own Common Criteria capability – the Australasian Information Security Evaluation Programme, or AISEP. We, Huawei, have enthusiastically adopted the Common Criteria scheme for key products. However, even with recognized Common Criteria certification, we find ourselves unable to supply Australia’s telecommunications infrastructure.
Clearly the Common Criteria scheme is not working to achieve its intended outcome. Either the Common Criteria process needs to be revised or an alternative scheme needs to be established to replace it. Such a scheme needs to be driven by international standards, applied to all suppliers equally, and managed through a formal convention which is binding on member countries.
And this is where a body such as this is so important. The theory and practice of Electronic Governance does require a broad debate. It should not just be the intelligence and defence communities, but the ICT industry, academic institutions, broader industry bodies, and most importantly the UN and Nation States need to be involved. It needs to be broad, transparent and focussed on outcomes to ensure solutions proposed are trusted and measurable.
A WAY AHEAD FOR GLOBAL BENEFIT
Cyber-diplomacy is diplomacy in the cyber domain; in other words, the use of diplomatic resources and the performance of diplomatic functions to secure national interests in the context of cyberspace. In 2017, Australia issued an update to its cyber security strategy which included an objective of: “Defending the international rules based order and influencing emerging norms of state behaviour in cyberspace”. This suggests a diplomatic approach to managing risks in cyberspace, and an alternative to the black or white strategy of Technology War.
In 2018, in follow up to the revised cyber security strategy, Australia released its International Cyber Engagement Strategy. This included the establishment of a Cyber Ambassador. This is a broad ranging strategy which covers many aspects of cyber diplomacy and international engagement. A key goal is to “Shape an enabling environment for digital trade, including through trade agreements, harmonization of standards, and implementation of trade facilitation measures”. This strategic objective is focused on delivering optimal economic benefit through cyber diplomacy.
However, after setting out what is a great vision for Australia to take to the world, the Cyber Diplomacy voice has been silent. At no point in the continuing attacks on Huawei have we seen cyber diplomacy come into play. Even today, with a panel on Cyber Diplomacy at this UN conference, Australia has no representation. If this voice continues to be silent, then we can expect a continuation of technology warfare rather than cyber diplomacy, to the very great detriment of every Australian. As Asian innovation grows, and more new non-traditional providers enter the technology market, it will be highly detrimental for a country to just say NO to the new technology innovators.
In Australia’s case, It’s been suggested by those much isolated from the real world of economic growth and global trade, that Australia would be prepared to accept the economic costs that come with its present policy of blocking technologies from new countries of origin on national security grounds. This is very niaive. Of course we need national security, but I would suggest that adopting a strategy of cyber diplomacy would increase national security through stronger and robust economic growth. Australia has one cyber diplomat. We need more cyber diplomats to take the lead before it’s too late, and we need to turn up the volume on Australian cyber diplomacy.
In 2013 and again in 2018 during nationally televised speeches at the National Press Club in Canberra, I called for partnerships as the most effective way to enhance cyber security for all actors. Huawei believes the best cyber security is achieved through the combined efforts of service providers, vendors, the ICT industry and Governments. Government alone through legislation and blocking of some providers has not improved cyber defence if recent attacks on Australia’s government systems are an indication.
Australia needs to be secure and prosperous. We need to build an effective cyber defence capability to contribute to our national security.
Australia needs to reprioritize its cyber activities and focus on developing the capability to mitigate supply chain risks and stop cyber breaches occurring. But enhancing cyber security for our critical infrastructures is not a single game of saying NO if unsure. We must develop a framework where we embrace new innovation and technologies within a security assurance framework. We see the UK, Germany, Canada and other European countries doing this, and we too, must find a practical way.
In closing, I proffer a 3 step process which suggests how Australia might take a cyber diplomacy approach to Chinese and other countries technologies, and through its example, set the pattern of behavioural norms in cyberspace.
Firstly, Australia’s Cyber and International Cyber Engagement Strategies are fine pieces of work and reflect a positive contribution by Australia in helping address some of the global cyberspace issues through diplomacy. Let’s see them come to life in an Action Plan that drives towards enabling a technologically rich future, enabling all to have access to the latest advances in technology irrespective of country of origin. Australia should redouble its efforts at the UN Group of Governmental Experts on ICT and push harder to establish a globally acceptable law for cyberspace.
Second, in 2017, Australia and China agreed not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information. Again, through cyber diplomacy, Australia should build on this agreement to ensure that it covers all aspects of cyber espionage and critical infrastructure attack. This will substantially reduce the risk facing Australia and enable us to shift from the current adversarial posture with China. If there are violations, they should be called, and called loudly. But it is just plain wrong to have an agreement and then for both players to act outside of that agreement rather than trying to build trust. The International Cyber Engagement Strategy calls for establishing practical confidence building measures to prevent conflict in cyberspace. We need these measures to be in place urgently, and so I would suggest that Australia take the lead in developing a mutual assurance scheme with China for monitoring cyber activity. For Australia to do this would provide an example for the rest of the world and do much to resolve the global risk of cyberspace.
And thirdly, it has been pleasing to see Australia establish the Prime Minister’s Advisory Council on Cyber Security to discuss issues. However, this needs to be given real teeth and real issues need to be discussed and advice given to Government. This group was not consulted, not asked for any advice prior to the decision being made by the Australian Government to restrict access to build the Australian 5G infrastructure. The decision was made without Government, service provider, vendor and industry dialogue. It was an internal decision by Government alone and its effectiveness in the long term needs to be questioned.
Australia, although small in population, is a G20 member and is a sophisticated and advanced economy. It needs to develop a more robust cyber assurance and defence capabilities if it is to maintain its national security, continue to grow its economy and be an effective participant in the global digital future. It can and should take the lead in using Cyber Diplomacy as a tool to allow access to all the new innovations and technological advancements and so reduce the threat to Australia. In talking of Australia’s role, I can only say to such a global audience such as this, the global environment following a similar path is absolutely essential. At this conference are the technology experts, academic experts and legislative experts who can drive such diplomacy globally.