John Suffolk: collaborating together rather than working apart
--John Suffolk's speech at the 2013 Munich Security Conference
Good afternoon distinguished guests, ladies and gentlemen.
It has been said “to err is human but to really foul up you need a computer”. It has also been said “To err is human but to blame someone else is politics”. So mixing technology, people, politics and then adding in cyber security is a heady mix and a mix that causes more heat than light and more emotion than fact.
Chairman I must apologise as the posed questions in the briefing for me do not improve the inherent security of our technology solutions. Security is not about international treaties or joint exercises or indeed enhancing cooperation, all of these are laudable and important initiatives but they do not inherently improve the security of technology; they tend to make progress at a glacial pace whereas technology progress is fast and criminals are equally fast in their exploitation.
The world has been blessed by the advancement of technology, it has fundamentally helped to improve the lives of mankind but with this advancement has come a darker side, a side that wishes to exploit the inherent weaknesses within the technology and with the global supply chain that we now all rely upon.
My company for instance is headquartered in China, yet 70% of the components that go into our technology come from a global supply chain outside of Mainland China with the biggest provider of components being America at 32%. Those companies themselves have their own global supply chain and so on.
Collectively we have managed to create an economic world that intertwines economies, supply chains, products and services regardless of the inherent trust that might be between differing countries and cultures. This is something that we should protect and not allow cyber security to be used as an excuse for trade restrictions.
So what should we do? First of all we should recognise that we are all stronger when collaborating together rather than working apart. It is important that the good work on international cooperation, simulations, bi-lateral talks and the important role of the diplomatic community continues at pace – but this is not enough.
Collaboration, international laws and protocols are not much use if the technology we deploy is inherently insecure or we do not drive to achieve a much higher standard in all things related to security. Bad guys are no respecters of protocols, laws or geographic boundaries.
So let us be practical and not just highbrow in our approach, we must get our hands dirty taking practical steps to reduce security threats.
First governments should practice what they preach. They should not go out and say we believe something is best practice and then not take their own medicine by not implementing their own recommendations.
Governments and enterprises should not be afraid to use their inherent buying power and demand more from their technology vendors. If buyers do not set a high security standards bar, then they should not be surprised if they get technology that is not secure.
Particularly for enterprises, their aim should be to maximize product safety as this is the only way to earn consumer trust in the long-term and consequently secure continued success. This is why it is important that the companies introduce end-to-end security processes to evaluate their own products and the whole value chain.
Shareholders should also demand more in this respect. What is the company investing to protect their investment versus what is the potential loss through cyber crime? It appears we knowingly mislead shareholders on potential cyber crime losses, and external auditors do the same – as it is almost impossible to find any balance sheet being adjusted due to a cyber crime. Yet enormous figures are quoted for cyber crime losses.
Citizens should demand more – what is the safest internet browser? What is the most effective antivirus etc? We should all be embarrassed that 25 years after the invention of the www, we do not have any accepted answers.
We all should demand more. The time has come to stop talking about the threat, stop talking about the challenges and start talking about the actions we have taken and will take. If we change nothing, nothing will change.
As a company headquartered in China and a company that has gone through more audits, reviews and inspections than probably anyone else, we know what we have to do to gain acceptance in over 140 countries. We see this as a positive thing. If we are truly to increase the security of technology we believe all significant technology vendors should be under the same scrutiny, after all criminals will take the easiest route, not the hardest.
And finally Chairman, in times of global economic hardship we should be maximising innovation but we must recognise that the threat will never stop and nor should we in our pursuit to raise the safety and security of our technology and our supporting processes and standards.
Thank you very much.