Secure ICT is impossible without trustworthy suppliers

By Dr. Andreas Kuehn and Jan-Peter Kleinhans
Originally published in Digital Frontiers, Observer Research Foundation
Growing geopolitical tensions, combined with society's ever-increasing dependence on technology, and in particular on Information and Communication Technology (ICT) vendors headquartered in adversarial states, create unprecedented security concerns. As 5G, artificial intelligence and other emerging technologies have turned into strategic assets, technological complexity and divisive international politics render the conventional approaches to ensuring ICT security less reliable. Trust has become the deciding factor in cybersecurity.

This warrants new institutions to assess whether vendors, and the complex web of sub-suppliers operating their global ICT supply chains, are trustworthy. Such scrutiny is urgently needed because all of us rely heavily on ICT. Vendor-established or independent trust centres play a key role in assessing trustworthiness: they provide the insight and transparency needed to make objective, cost-effective procurement and operations decisions while minimising third-party risk.

In today's global political environment, policymakers advocate bans and restrictions targeting vendors from abroad and call for technology alliances among like-minded democratic states that seek to reduce risk, avoid reliance on foreign suppliers and advance domestic industrial policy. Yet country of origin is by no means a reliable indicator of robust cybersecurity, and hard facts supporting the alleged security threats are rarely presented. Ultimately, adversaries will hardly discriminate between domestic and foreign ICT security flaws; they will exploit every technical or human weakness within reach. In a world where global supply chains and all-pervasive ICT can jeopardise physical and digital security and safety, with major disruption and harm as the result, the trustworthiness of ICT suppliers is essential to security.
Complexities Necessitate New Ways to Trust ICT Vendors

Historically, governments and companies have relied on standardisation and certification of ICT systems to scrutinise technology and protect against security weaknesses. Common Criteria, for example, provides an internationally agreed framework for testing and certifying product security: the vendor states the product's security claims in a Security Target, an accredited independent testing lab evaluates whether the product meets them, and a national certification body issues the certificate. ICT certification is, however, a static approach: a certificate attests to the security state of a specific product version at a certain point in time.

Unfortunately, today's reality is that software is continuously developed. Frequent remote updates to large, highly interconnected systems render the one-time certification of a software component obsolete as soon as the certified version is replaced. The uncertainty concerning ICT security is exacerbated further by the growing complexity of software and hardware and their wide-ranging application in novel industries. A modern car runs on more than 100 million lines of code; today's general-purpose processors contain several billion transistors.

At this scale it is infeasible to systematically guarantee, let alone prove, the absence of malicious or exploitable code. To increase confidence in risk management, the risk calculus must shift from a single assessment method to a combination of methods for evaluating ICT security, with the trustworthiness of ICT suppliers front and centre.
Earning Trust Through Continuous Verification

Leading ICT vendors have established trust centres as a way for government and corporate customers to assess the security of their products and services. Done right, trust centres provide the transparency needed to evaluate vendor trustworthiness. Buyers gain insight into a vendor's secure software development lifecycle, quality management and security measures, as well as its business processes and third-party vendor management. Outside experts gain the opportunity to inspect the security and quality of the code itself. Trust centres thus offer first-hand evidence of how well a vendor applies common industry security best practices, and let buyers judge whether the products and services meet their security requirements or whether additional assurances are needed to bring residual risk to an acceptable level. Over time, trust centres help build trust between vendors and buyers.

Trusted Relationships Between Governments and ICT Vendors

The trust centres operating today differ in setup and operation, but they share one commonality: each is the result of government pressure on a vendor to demonstrate that its products are trustworthy. Microsoft's Transparency Centre in Beijing was instrumental in securing access to the Chinese market and in making it possible to sell Windows operating systems to the Chinese government. The Huawei Cyber Security Evaluation Centre (HCSEC) in the UK was critical to the initial decision to allow the Chinese telecom equipment manufacturer to sell its 3G and 4G network equipment to British telecom operators. Kaspersky, a Moscow-based anti-virus firm, is the most recent technology company, and the only cybersecurity firm, to open trust centres, following the 2017 US government ban on its products over alleged espionage concerns. Since the inception of Kaspersky's Global Transparency Initiative in 2017, the company has opened transparency centres in Zurich, Madrid, Kuala Lumpur and Sao Paulo, with New Brunswick, Canada, to follow in 2021.
As an illustration, HCSEC afforded the British government insight into Huawei's engineering maturity, which contributed to the National Cyber Security Centre's conclusion that the Chinese equipment manufacturer is a "high-risk vendor." The HCSEC Oversight Board's annual reports identified several shortcomings in Huawei's software development practices, leading the UK government to question the cybersecurity of Huawei's network equipment and the quality and consistency of its software engineering processes. In response, Huawei announced that it would invest US $2 billion to revamp its engineering processes and strengthen cybersecurity. Such insight would not have been possible without a trust centre like HCSEC: these centres provide the leverage to hold suppliers accountable and to trigger corrective actions that strengthen security, ultimately increasing a vendor's trust capital. To raise the bar across the industry, however, risk-informed assurance measures must be applied equally to all vendors. Country of origin is not a determining factor in technical security.

Improving Trustworthiness as the Ultimate Goal

The recent rise of trust centres reflects the reality that governments and buyers need better indicators of vendors' trustworthiness to enhance overall cybersecurity, especially in light of the rising stakes for national security and broader geopolitical tensions. Just as trust is not a given, the industry's approach to security must move beyond secure ICT systems alone to transparency-enabled trustworthiness of all vendors and trusted vendor-government relationships. Trust centres are essential in determining the trustworthiness of ICT vendors. Strengthening cybersecurity through continuous verification and effective, risk-informed mitigation measures is a shared responsibility that ICT vendors, operators and buyers must jointly fulfil to secure ICT for all members of society.