Security through obscurity no longer works
To avoid tipping off hackers, many companies are secretive about their network defences. Being open is a better approach
Netflix has a lot of valuable data it needs to protect from hackers. Tens of millions of households entrust the company with their personal information, including credit card details and the viewing habits of each family member. Netflix also wants to keep its popular TV series beyond the reach of those who try to view the content without paying.
For a company with so much digital treasure, Netflix hasn’t had many security mishaps. The worst incident occurred in 2017, when a group called Dark Overlord broke in and released some new episodes of Orange is the New Black on the Internet.
Of course, many companies have digital assets to secure. What makes Netflix unusual is how transparent it has become about its cyber defences. In response to the Dark Overlord hack, it developed dozens of open-source cybersecurity products that other companies are allowed to use freely. Netflix saw that harnessing the world’s pool of programmers to build its security software actually made the company, and its data, more secure.
You might expect that companies would be better off keeping their cards close to their chest. The less hackers know about how a company guards its data, the safer the data becomes, according to this line of thinking.
In fact, the opposite is true. Secrecy in cyber security puts everyone at risk: the company, its customers, and its suppliers.
Electric vehicles serve as a good example of the value of openness in cyber security. Many models require extremely sophisticated software that has to be updated frequently. For example, Tesla distributes updates to owners at least once per month.
To deliver updates, an electric car maker requires worldwide access privileges to the on-board computers in its cars. Naturally, car owners want certainty that this does not expose them to hacking, remote carjackings and shutdowns, or being spied on as they drive. For this reason, makers of electric vehicles need to be extremely open about their cyber security so that owners, or trusted experts, can assess whether the company’s systems offer effective protection.
Although they do not themselves manage data, telecom equipment makers take their responsibility in supplying network operators just as seriously as makers of electric cars. The industry now provides a model of openness – one that could inspire practices in other industries.
For several years now, equipment vendors have been constantly developing new ways to meet the concerns of both governments and customers through more transparency. Increasingly, independent laboratories issue globally recognised security certificates for a growing range of telecom products.
Yet the dawn of the 5G era has posed a particular challenge: as all devices are progressively connected to the Internet, security standards for telecoms have had to become more stringent. To secure networks and devices, the industry has developed security assurance schemes that are constantly being strengthened further.
The best one we have currently, although it still has room for improvement, is the Network Equipment Security Assurance Scheme, or NESAS. This globally recognised scheme tests not only products, but also how they are developed and maintained (including the installation of firmware updates). NESAS also features a dispute resolution mechanism to deal with grievances from companies that believe their products, or those of competitors, were not fairly evaluated.
Some telecom equipment makers are going further to make themselves more open. Huawei, for example, has opened Transparency Centres in China, Canada, and four European countries where customers or governments (this varies by location) can inspect the inner workings of its products, including their source code. These centres operate under the philosophy that involving more eyes and more hands will make cyber security stronger. For this reason, much of the company’s security software is open source, much like Netflix’s.
Cyber security has become too important to leave to a few nameless IT experts working deep in the bowels of a bank, government agency, or hospital. As our lives are increasingly digitalised, companies and other organisations must share how they protect their networks. Open cooperation is the best way to secure what needs to stay secured.
Mika Lauhde is global vice president for cyber security and privacy at Huawei Technologies