Interviews

Huawei Europe’s CSO says cybersecurity is everyone’s responsibility

The landscape of cybersecurity is always evolving, says David Francis, Huawei's European Cyber Security Officer. In an interview, Francis expressed the need for wider acceptance of the role each of us has to play in combating cybercrime.

He said a major pivot point in cybersecurity was in 2003 - a time which became known as the industrialization of cybercrime. Before that point, there were "small communities" doing what they called "digital marketing" but were actually releasing spam, Francis explains. It all changed when the Sobig Worm virus on the 18th August 2003 transformed cybercrime into an industry.

The Sobig Worm was a computer virus that infected millions of internet-connected, Microsoft Windows computers. The worm was released in variations, including Sobig.A and Sobig.B, released in January and May 2003, which were followed that year by Sobig.C, Sobig.D, Sobig.E and Sobig.F. The worm was most widespread in its Sobig.F variant as a Trojan horse virus that appeared as an electronic email. The virus "caused an estimated $50 million of damage in the United States alone," CNN reported in 2003.

"That was when these groups figured out how to make profit from cybercrime. It was the point where virus groups monetized the virus industry," said Francis. Until then, Francis had always been involved in network security, since about 1980. Prior to joining Huawei, he worked at Symantec as VP of Operations. In his current role as Huawei's European CSO, Francis is responsible for cybersecurity strategy for the Huawei Western European Region, plus the support of non-European territories that require ad hoc support or assistance.

Looking back, Francis said before the 2003 Sobig virus, attacks were for all sorts of reasons, but no one was making money from it. That was the point when virus groups figured out that if they could infect a machine, they could sell it to spammers, because the business model for the spammers was similar to the business model for those on the other side. They bought servers and bandwidth, space, storage and datacenters, etc. Their cost model for sending spam was similar to the cost model for the people defending against spam and viruses.

"After Sobig, the cost model changed massively because now the machines are almost free," Francis explained. "This led to the creation of the botnets," a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam. "That's when you started to get the industrialization of virus writers. Now, as the connected world has become even more connected, there is no segregation between what were traditional telecoms networks, and ICT networks. It's simply the connected world."

Changing people's mindset

Francis recently spoke at a Cyber Security Conference hosted by du, one of the UAE's leading telecom operators. The reasons Francis attends these forums is because he believes there is still a tendency to talk about ICT and cloud being a separate thing for people to worry about. There is a "common misconception that different groups of people should take care of cybersecurity," said Francis, and that you don't need to worry about it yourself.

"I call that failure. If we continue with that mindset, we are going to fail massively," he said. "It needs to stop being treated separately or things are never going to get better. One of my frustrations with the education system is that there is a tendency for universities to offer software development courses and then offer a separate cyber course. This needs to stop. If you are training bad software engineers, the problem is not going to get better."

If this trend continues, Francis explained, all we are doing is building a new industry called 'cyber-consultancy'. The result is an army of consultants earning big fees, but the problems are not being addressed because software engineers are not learning how to code safely. "We need to change the approach and we need to understand that cyber is no different to anything else," said Francis. Everyone needs to be trained to code properly - cyber needs to be built in from the start, not a separate part of the education.

"I think the name 'cyber' is a disadvantage because some people hear it and get scared by it," said Francis. "They hear the word and think it's something that needs to be pushed off for the IT team to deal with. This mindset needs to change. Huawei's founder, Mr. Ren Zhengfei, made a great statement about the fact that cyber is not about growth - it's about survival. If you can't conduct business in a secure manner, you can't conduct business full stop. It's about putting security ahead of short-term commercial interests, because if you don't, then you will have no long-term commercial interests."

Francis used an effective analogy to explain how lack of cybersecurity education for everyday citizens is contributing to a wider issue of increased risk. Growing up in East London during the 60s and 70s, Francis witnessed a tumultuous period for the auto industry in the UK. The issue was quality, he said. The approach that the British auto industry took was to station its best engineers at the end of the production line to check every car that came off. This concept proved to be ultimately inefficient and didn't solve the core issue.

The Japanese had a fundamentally different approach. Rather than having their best engineers checking cars after being built, the Japanese had their best engineers build the cars. They figured out that "if you're making cars out of second hand rusty tanks from the Korean War, the cars are going to end up rusty," Francis explained. "They made sure that the components - the bits going into the factory - were quality, and therefore, the cars coming out at the end will be higher quality. The Japanese won because of their ingenuity, and the UK car industry went into decline because they treated quality different to something as doing their day job."

The Japanese showed - as we need to do today - that lack of addressing the core issue is part of the problem we face today with cybersecurity. It shouldn't be "an extra part of peoples' role at work". It's everyone's job to make sure that their phone doesn't get hacked and that their personal material is kept safe. Security isn't somebody else's problem, Francis explained; it's your problem. "All of us need to participate, and understand our role, that we can have a positive impact on the security of all of our futures."

Focusing on Europe, and the issues of data sharing that have repeatedly been brought up by the European Commission, Francis said it once again comes down to education for the consumer. Data leakage has become a widespread issue today because the reality is that most data is given away for free by users who don't care or simply don't understand the risks. It's another example of the need for education, and the need for people to share in the responsibility of cybersecurity.

"One of the things the European Commission has got right is the right to be forgotten," said Francis. "When I was a kid, I could make mistakes and they were soon forgotten about. Today, I've got three children, and I worry that if my children make the same mistakes I made when I was younger, it could haunt them forever." The European Commission is driving people to consider what privacy really means in this digital age, says Francis.