Colm Murphy, Cyber Security Advisor at Huawei is the new guest in this new interview series for citiesabc. Hosted by Dinis Guarda, both technology specialists discuss some of the main challenges in today's technology world, including the development and implementation of 5G, the importance of Cyber Security and addressing the rising concerns around transparency.
Colm Murphy is a Cyber Security Advisor working from Huawei's Cyber Security Transparency Center in Brussels. Prior to joining Huawei, Colm was the International Director of BSI Group's cyber security and Information Resilience professional services business, responsible for this business units growth beyond the UK and Ireland. Before that he worked with Deloitte and McAfee.
Colm Murphy, CSO from Huawei Brussels Office Interview Focus
- Can you tell us about your Profile and background?
- What are your views on how businesses and governments can cope with digital transformation?
- How do you see the cyber security industry best practices?
- There is no doubt about the importance of cyber security, so how do you cope with that and prepare?
- How to protect cities and governments from cyber threats?
- 5G is out there with a lot of challenges and opportunities. How do you see that?
- How do you see the unified or verified security standards in the 5G or telecom industry?
- What kind of challenges the industries are facing when the security standards are missing and the development progress of some security standards, such as 3GPP, NESAS?
- How could we measure cyber security? Both for countries, cities and businesses and what is the meaning of developing the security standards for public and industries?
- Can you tell us about Huawei’s progress in cyber security and security verifications, especially the ERNW Reviews Source Code for Huawei 5G Core Network UDG?
- Can you share some case studies that you highlight as good practices?
Colm Murphy Key Takeaways
About Colm’s professional background:
I started in a small company in Dublin, Ireland. After graduating from college, I was interested in learning more about business: sales and marketing, human resources, and international relations. After a while I moved to cyber security, which back then, it was mainly focused on network security, data security, etc., on a business level.
I started my professional career just as the digital transformation began to take off, amid the dot-com bubble and the commercial Internet. I have always been interested in computing and IT and specialized in cyber security solutions, working initially setting up firewalls and helping to implement this type of security solutions.
My journey took me throughout Asia-Pacific, auditing large companies in security screening, penetration testing, and ethical hacking. Some of the companies I have been involved with are Network Associates (now known as McAfee) and Deloitte.
In 2002, some of my friends from Ireland asked me if I wanted to join them in their new company and I came on board as the cyber security technical specialist. So I did it. The company grew and expanded abroad and I was part of their incredible journey. Eventually, BSI acquired this business that became the heart of the enterprise’s cyber security business.
In 2019 I wanted to do something different. Huawei approached me and I joined its global office for cyber security and privacy.
Views on how businesses and governments can cope with digital transformation
When we think about digital transformation, we point to specific events that turn our world upside down. However, digital transformation is much more than that. Digital transformation is a journey that needs to be funneled by leaders, companies and users altogether. Sometimes things happen that aren't transformative in the big sense, but with time it may become clearer. Eg: Cloud- security risks, privacy problems.
Likewise, some things happen under the radar and take some time to stick and to be implemented. Cyber security has been seen as an obstacle for digital transformation but, actually, it can be an enabler. Without a proper cyber security in place, every digital system isn’t complete and at risk of being shut down. If that happens we are actually moving backwards in the digital transformation journey.
Cyber security industry best practices
First word that comes to mind is ‘fragmented.’. In terms of best practices, it's difficult to keep up - consolidate them, validate them, meet the security requirements- hence the word fragmented. Eg: Huawei has more than 240 different certifications for various products and dozens of management certifications. This is enough to provide assurance that they follow best practices. If it's hard for us, think about how hard it is for SMEs and startups.
There are so many tools, standards, procedures, technologies that need to work together to truly build a functional cyber security system. It is difficult to pinpoint a specific thing that makes for a truly secured cyber security. What we need is to approach it holistically. One success story of best practices is probably the GDPR. Prior to that there were 28 different privacy laws, one for each country in the EU. After that, it standardized what was allowed to do and whatnot while putting the user in at the center of it all.
About the importance of cyber security, how do you cope with that and be prepared?
In today's world, being hacked has more to do with how to handle, respond, contain and learn from that threat. In terms of coping, it's a shared responsibility, especially regarding security in networks. Huawei, as a multinational tech company, plays a part of that shared responsibility. Then, there are other operators that manage these networks and are experts in doing so, and then you have service providers, the consumers, the government, the policymakers, all stakeholders. One good example of this shared process could be financial institutions. They built a sophisticated learning and threat sharing mechanism which had all players involved.
As such, cyber security is also about rules, literacy, awareness, and technology solutions. What cyber security experts are trying to do is raise awareness and provide the right tools for users, governments and industries to operate more safely in the digital space.
How to protect cities and governments from cyber threats
It is certainly very crucial to maintain cyber security and to continue to manage risks. Especially with things and systems that are going well. The way to do that is by using the best practices standards aforementioned, have a third party to assess the product/service/network (governments for example) and gauge if it is in line with the best practice standard. Then, we offer a certificate which can offer a buyer/service provider user.
5G is out there raising a lot of challenges and opportunities
First of all, 5G is an evolution of 4G working on standards and protocols first implemented in 4G. In fact, 5G is much more secure than 4G; it has better protocols and better encryption. The 5G network architecture is much more like a traditional IT network. It uses a lot of software to function properly better. We are talking about a wireless network that is a step ahead of what we have now, it is an evolution and there are many eyes and people working behind it from different operators to ensure that all protocols, standards and best practices are in place.
Experts have been securing such networks for over 20 years. Operators are very sophisticated and good at securing their networks. They are very well prepared to secure their networks. It is secure and highly configurable.
There are conversations out there about 5G, some of which spread fear and alarm against 5G, but I can say that the industry and all the key players in the supply chain are well prepared to implement and keep this new wireless network safe.
Again, this is a parallel conversation between decision makers and experts, but what I can say is that the cyber security industry is very well equipped to take on most of the challenges.
How do you see the unified or verified security standards in the 5G or telecom industry?
There's never been a globally adopted cyber security standard for the telecommunications industry, although there are some security standards that are pretty much adopted by important players. I am talking about the NESAS Security Assurance. 3GPP, along with their colleagues in the GSMA, came together and created this standard that caters to the needs of the telecom service.
NESAS was created to serve this purpose –operators globally were part of it and independent governments approved labs that were used to perform these checks. It was done for them to test this.
In fact, Huawei is the first in the world to undergo this certification for its 5G products. Phase 1 is complete, phase 2 will be completed very shortly.
What kind of challenges the industries are facing when the security standards are missing?
Standards are essential. Consumers assume that when they buy a service/product, or they use a specific device connected to the internet, all checks and cyber security measures are in place and they are secure to go.
The UK has an interesting scheme regarding standards called Cyber Essentials. In order to work with the government, you're supposed to comply with these standards. It's like the basic level of cyber security hygiene. Long story short, Cyber Essentials is a simple, but effective, government backed scheme that aims to protect organisations, whatever its size, against a whole range of the most common cyber attacks.
How could we measure cyber security for countries, cities and businesses? What is the meaning of developing the security standards for public and industries?
How can we measure cyber security and develop cyber security standards? The cyber security act from the EU is trying to address this point. Decision makers play a really important role in all this but also the companies that develop the certification protocols and that make sure that all companies and industries follow these certifications and standards to create a safe digital environment. The government expects their providers to have these certifications and protections in place. There are a whole range of key points that have to be addressed such as privacy, how they adhere to legal obligations, etc.
Cyber security ratings is an emerging area too that is gaining traction lately. Basically, this practice is based on monitoring the public Internet to identify potential risks. Some companies are already providing this kind of service and they do some real good work from developments in the SS chain, risk management, due diligence. Any given company can get a cyber security rating from this organisation.
Can you tell us about Huawei’s progress in cyber security and security verifications, and specially the ERNW Reviews Source Code for Huawei 5G Core Network UDG?
At Huawei we are truly concerned about cyber security. We do a lot of internal research and work before releasing our services/products to the public. And before that, we send our products and tools to specialized third-party companies for further testing. There is a complete and step-by-step process and testing before launching a new product or service. Our doors are open if someone wants to see our code, our protocols and our technology. From now on, we feel the pressure to be better and I think it's good for us and our customers because it means we can provide a more polished product and service.
Hernaldo Turrillo is a writer and author specialised in innovation, AI, DLT, SMEs, trading, investing and new trends in technology and business. He has been working for ztudium group since 2017. He is the editor of openbusinesscouncil.org, tradersdna.com, hedgethink.com, and writes regularly for intelligenthq.com, socialmediacouncil.eu. Hernaldo was born in Spain and finally settled in London, United Kingdom, after a few years of personal growth. Hernaldo finished his Journalism bachelor degree in the University of Seville, Spain, and began working as reporter in the newspaper, Europa Sur, writing about Politics and Society. He also worked as community manager and marketing advisor in Los Barrios, Spain. Innovation, technology, politics and economy are his main interests, with special focus on new trends and ethical projects. He enjoys finding himself getting lost in words, explaining what he understands from the world and helping others. Besides a journalist, he is also a thinker and proactive in digital transformation strategies. Knowledge and ideas have no limits.