Dr. Aloysius Cheang - Chief Security Officer at Huawei UAE.
While 5G promises unprecedented benefits to carriers and end users, 5G network vendors and operators nevertheless face unique security challenges that demand stringent standards-based security protocols for the telecom industry.
The Arab world has taken the lead in implementing such common standards, as demonstrated in the broad adoption of the OIC-CERT 5G Security Framework that is built on Network Equipment Security Assurance Scheme (NESAS)/ Security Assurance Specifications (SCAS) standards. The OIC-CERT is an affiliate member of the Organisation of Islamic Cooperation (OIC). It was established in 2009 as a platform for member countries to explore and develop collaborative initiatives and potential partnerships in matters pertaining to cyber security to strengthen self-reliance in cyberspace. To date, the OIC-CERT has 55 members from 27 countries. The organisation is critical because OIC member states need their own standards and guidelines to build regional multilateral norms, which are essential to ensure continuity, availability, resilience and cyberspace sovereignty for Islamic nation-states in this increasingly fragmented world.
As an OIC-CERT commercial member, Huawei's partnership with this vital international initiative reflects our vision of open collaboration to tackle security challenges, where we worked with other stakeholders to develop and deliver the 5G Security Framework.
Huawei's admittance into this programme is based on our global expertise in cyber crisis management and our work with carriers to secure networks. In the past 30 years, Huawei has worked with carriers to build more than 1,500 networks, serving more than three billion people in over 170 countries and regions without major cyber security and privacy protection incidents. Moreover, Huawei has endeavored to ensure that its technologies meet the highest security principles, based on shared standards. Last year, Huawei became the first vendor to pass 3GPP 5G Core (5GC) Security Assurance Specifications (SCAS) testing, followed by passing GSMA's complete NESAS evaluation.
The evaluation itself is a GSMA/3GPP joint framework for mobile network equipment security assessment. Based on security standard guidelines for vendors' product development and lifecycle processes, NESAS provides a security baseline to ascertain that network equipment satisfies a series of security requirements. Together with the OIC-CERT 5G Security Framework, NESAS offers a measurable and controlled environment with a Plan-Do-Check-Act guided actions for managing 5G security chaperoning rapid digital transformation needs of Arab nations.
As a shared standard, NESAS delivers benefits across the board. For equipment makers, NESAS provides recognised accreditation from the world's leading mobile industry representative body. It also delivers a world-class security review of security-related processes while offering a uniform approach to security audits. Equally important, the NESAS framework avoids fragmentation and potentially conflicting security assurance requirements in different markets. For operators, NESAS offers peace of mind that vendors have implemented appropriate security measures and practices by setting a rigorous security standard requiring a high level of vendor commitment. The framework also delivers tangible cost-saving opportunities by eliminating the need to spend money and time conducting individual vendor audits.
We have also noted that the UAE is leveraging OIC-CERT 5G Security Framework and GSMA/3GPP NESAS/SCAS standards in their latest initiative to raise the bar for cybersecurity in the UAE. In his recent interview, Dr. Mohamed Al-Kuwaiti, head of cybersecurity for the UAE Government, discussed how the country has developed the UAE Telecom Cybersecurity Guidance, which defines a defense-in-depth, zero trust-driven multi-layered framework based on OIC-CERT 5G Security Framework that builds security incrementally from physical layer security to application layer security based on internationally recognised standards and best practices. The first layer targets equipment security, mandating GSMA/3GPP NESAS/SCAS certification as a baseline requirement. It also defines a world-first telecom information security management system or T-ISMS based mainly on GSMA 5G Cybersecurity Knowledge Base and other global standards such as ISO 27001.
Speaking at this year's Telecom Review Leaders Summit, Dr. Al-Kuwaiti said that the acceleration of digital transformation would incorporate the adoption of 5G and cloud in a holistic and systematic manner and that self-healing telecom network and multilayer framework guidelines have to be effectively implemented. He stressed the importance of developing IT and cybersecurity standards based on international standardisation bodies such as ISO and GSMA, among others. Dr. Al-Kuwaiti also lauded the contribution of platforms such as OIC-CERT, which he said were necessary for the cybersecurity of the UAE and the entire Arab world.
Despite this progress, cybersecurity remains a constant challenge and therefore, continuous engagement with the industry and information sharing across the ecosystem is vital to maintain and advance 5G security standards. With this in mind, Huawei took part in the recent Arab International Cybersecurity Conference and Exhibition 2022 in Bahrain, an event that attracted the highest level of participation from government, industry, and business verticals, including BFSI, oil and gas, energy, utilities, IT and telecom, manufacturing, education and more.
Afke Schaart, chief global impact officer and senior vice-president of global government affairs at Huawei, delivered a keynote at the conference addressing cybersecurity building, collaboration, and unified standards at the summit. She observed that both product vulnerabilities and operational lapses could be addressed through well-established standards and regulations. Schaart also lauded the efforts of the OIC-CERT 5G Security Working Group, noting that the 5G Security Framework it developed provides a systematic, defense-in-depth approach that can be utilised to accelerate ICT development.
5G faces security challenges and opportunities brought by new services, architectures and technologies, as well as higher user privacy and protection requirements. The industry needs to understand the requirements of diversified scenarios and better define 5G security standards and technologies to address associated risks. At the Regional Cybersecurity Week that was held in Muscat, Oman recently, Huawei reiterated its commitment to the region, with its commercial membership in OIC-CERT and efforts to drive 5G security standardisation, highlighting its localised approach to supporting partners to enhance their network resilience as 5G and Cloud emerge as critical pillars in accelerating digital transformation brought about by the pandemic. Huawei also called upon Arab nations under the OIC to implement the OIC-CERT 5G Security Framework, where the NESAS standard, the joint GSMA and 3GPP framework for the security evaluation of mobile network equipment, shall be the fundamental security baseline.
Moving forward, Huawei remains committed to building confidentiality, integrity, availability, traceability and user privacy protection in 5G equipment based on 3GPP security standards and collaborating with operators to build high cyber resilience in networks from the O&M perspective. As cloud, digitisation, and software-defined everything become more prevalent and networks become more and more open, Huawei R&D has initiated the transformation for enhancing software engineering capabilities to continuously build trustworthy, high-quality products and solutions.
Ultimately, Huawei believes cybersecurity is a shared responsibility that cannot be addressed by one person, organisation, or nation alone. We are ready to contribute our know-how and collaborate in an open, transparent and collaborative platform with all cyberspace stakeholders to ensure end-to-end cybersecurity that will be critical to realising our vision of building a fully connected, intelligent world.