As science technology advances and organization scale expands, network complexity grows and attacks become more diverse and covert. This inevitably results in the unceasing extension of cybersecurity borders, and supply chain attacks become increasingly prominent. Recently, ENISA released its Threat Landscape for Supply Chain Attacks report.
The report mentioned that the number of supply chain attacks is increasing and the complexity of attacks is multiplying. This poses a significant risk to end-users affected by attacks on product and service suppliers and causes significant negative impact from system downtime, financial loss and reputation.
ZTE, as the upstream supplier to its customers, is committed to not only the security of its products and services but also constantly exploring how to deliver them by adhering to the rules of “confidentiality, integrity and availability.” While pursuing that no virus (such as Trojan) resulting from personnel or operational reasons is introduced and the possibility of data breach and service interruption due to external attacks and product vulnerabilities is greatly reduced, ZTE successfully assists end users in perceiving satisfactory network quality and then trusting the security of the entire network operation in turn.
“Security is the paramount task” is a philosophy that ZTE adheres to in its R&D and delivery fields, and that is consistently practised in the design, coding, testing, commissioning, software deployment, configuration, and maintenance phases. To effectively prevent, detect, and respond to any virus infection, data breach and other known risks in the delivery field, ZTE has implemented the industry-recognized National Institute of Standards and Technology Cybersecurity Framework (also known as NIST CSF) recently. This framework fully covers personnel, access terminals, network operations, remote access, assets, and incident response. After two consecutive years, good governance has been achieved in the delivery security capabilities of global sites, and the cybersecurity of its customers is reliably guaranteed.
While being the security guardians, people are also the creators of problems. In most cases, organizational issues caused by poor security awareness are more severe than the consequences of cyber-attacks or equipment faults. The ENISA report concluded that among the attack technologies targeted at damaging suppliers, social engineering featured by the deception of victims ranked second, followed by software vulnerabilities and configuration defects.
To effectively cope with the social engineering risk, ZTE has set up professional security teams under the leadership of management cadres both at home and abroad. Security experts regularly carry out security education, random security assessment in the form of emails and phone calls, and even walk-through testing to ensure that the security awareness of personnel is satisfactory and important data related to delivery is protected.
Under the sweeping tide of globalization, the mutual interconnection levels between organizations are unprecedented, and security relies more upon collaboration among multiple parties. Nowadays, ZTE collaborates with thousands of third-party partners worldwide, and a series of measures are taken to guarantee the security interests of its customers. Before providing high-quality services on behalf of ZTE, all third-party partners shall undergo a series of assessments, including engineering quality, information security, cybersecurity, and compliance, to ensure they are always secure and trustworthy.
According to the traditional philosophy “In terms of security, 30% relies upon technology, and 70% relies upon management”, comprehensive and complete coverage of security specifications across business processes is therefore fundamental to effective risk management. Up to now, delivery risks have been scientifically identified by following industry-recognized risk assessment methodology, and relevant security control measures have been enforced. Under the prerequisite of legality and compliance, asset risks are explicitly identified and controlled, access terminals are protected, data access is restricted, transmission is encrypted, software is obtained from secure and reliable sources, services (operations) are authorized, processes can be traced back (audited), and vulnerability/incident response procedures are available.
With the continuous variation and growing complexity of internal and external threats, if security measures are kept unchanged or become outdated, the protection capabilities of network equipment will be gradually degraded or even become invalid, thus unavoidably resulting in security incidents. Therefore, security technologies need to vary with threats.
ZTE has made great efforts to safeguard the products about to be or are already delivered to customers. All ZTE products pass internal security redline reviews before official release and undergo the baseline check and configuration reinforcement before delivery. In some cases, the products can be put into commercial use only after passing the checks originated by customers or customer-appointed third parties. Moreover, as mutually agreed between both parties, ZTE technical engineers regularly carry out security checks (for example, attack detection) and provide security assurance for major network guarantee activities in collaboration with customers.
“Absolutely secure” systems never exist. When a security incident occurs, ZTE technical engineers immediately trigger the incident response procedure. Based on the emergency plan of the corresponding products, the engineers collaborate with security experts to rapidly isolate the network and carry out a series of predefined actions such as mitigation and eradication of risk sources. During the whole process, the attack evidence is retained and the attacked object is traced along the attack chain to minimize any negative impact or damage resulting from the incident, while still ensuring that Service Level Agreements (SLAs) are met.
Cybersecurity is forever a process of constantly dynamic balancing between attack and defence. Sound management and control before, during, and after incidents under the assistance of the proper cybersecurity governance system is ZTE’s eternal exploration theme. In the future, ZTE will keep on working with its customers to build an integrated cybersecurity ecosystem, actively responding to cybersecurity threats and challenges along the way.