Trusting Our Global Supply Chain

Tim Danks is the founder and an advisor/consultant for Global Risk Perspectives. As an advisor and consultant to organizations and their leaders on operational and technology risk, Danks brings over 35 years of global experience in the Information and Communication Technology industry, managing privacy, cybersecurity and risk in operational environments. His extensive understanding of technology is key to helping companies understand risk and develop robust cybersecurity programs for digital transformation.

Most recently, he spent more than 10 years holding various executive-level positions in Huawei’s carrier network and consumer products businesses. As head of the service’s cybersecurity program, Danks established the governance, policies, processes and tools that governed the delivery of services both internally and to customers. As part of these efforts, he operationalized the NIST Cybersecurity Framework as an organizational risk assessment model for GDPR in consumer-facing cloud services operations and platforms.

Throughout his career, risk management of operations and networks has been a significant factor contributing to the success of the organizations under his responsibility. His diversified mix of global experience provides him with a broad understanding of the challenges facing the industry today.

With technology advancing at a consistent pace in an ever-expanding global economy with increased competition, Danks explores the relationship between one of the world’s largest and most successful telecommunications companies and the United States, and how it got to its current state.

This is not something that is all new – the concerns around Huawei from Congress, and so on. And then in 2012, shortly thereafter in 2013, these major deals just suddenly disappeared. We really shifted and went back in that timeframe to refocus efforts on the rural communities. They’ve been largely underserved by the other vendors and it was really a good fit for Huawei.

In this episode of Cybersecurity Unplugged, Danks discusses:

  • The height of Huawei’s business growth in the U.S.;
  • Additional steps we need to take in terms of understanding our entire supply chain and identifying what needs to be done to protect our critical infrastructure and which aspects of our supply chain are at risk;
  • Working together to figure out a common level of comfort where risk management is suitable.

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

Steve King  00:13

Good day everyone. I’m Steve King, the director of cyber security advisory services here at CyberTheory. Today’s episode will explore the relationship between one of the world’s largest and most successful telecommunications companies and the United States, how it got to its current state, and what it likely means for technology advances in an expanding global economy with increased competition intensifying daily. With me to explore the topic is Tim Danks, a man who couldn’t be much closer to the history, having spent the past 12 years or so at Huawei US and most recently as the vice president of risk management and partner relations. In that role, Tim’s job was to engage with media partners and external audiences as an expert spokesperson on technical, operational and cybersecurity business practices, to educate parties, people like us, on corporate positioning in these areas, and to create specific strategic messaging on technical topics that facilitated local and global reputational improvement programs and enhanced understanding and awareness in some of the key focus areas that Huawei was intending upon communicating to both the US and the rest of the world. So, in my mind, Tim was kind of the outward face of Huawei on all things cyber. So welcome, Tim. Welcome to the show. Thanks, Steve. Thanks. Yeah,

Tim Danks  01:41

thanks. Yeah, thanks. I’m glad to be part of your podcast.

Steve King  01:44

Well, it’s interesting to me how Huawei sort of got into this weird position as a perceived pariah in spite of being one of the most revered technology telecoms on the planet, and one of the largest, even here in the US with a bunch of existing customers, and even here with the extraordinary transparency protocols you’ve been willing and eager to adopt as a company. But before we dive into all of that, tell our audience a bit about your background and history, if you don’t mind.

Tim Danks  02:13

Yeah, sure. Much appreciated. And thanks for the intro so far. Well, you know, I’ve spent 30 years in the telecom industry and large, high tech multinationals. Most recently, obviously, with Huawei, and then I’ve ventured out on my own now, but we’ll talk about that a little bit later, maybe. You know, I was there when 1G started, so the first rollout of cellular, analog cellular, way back in the day, and had been there through the 5G rollout. So, you know, my positions and experience start, you know, way back when with engineering in the late 80s and 90s, all the way to executive leadership roles in the last, you know, couple of decades. So, most of that experience has really been around professional services, everything from installation through integration, right, all the way up to customer support and end of life. So, you know, this kind of a role in services for these telecom operators, a lot of it, and throughout my career I’ve been focused on process management, you know, risk management, change management, availability, incident response, all pieces of the puzzle that kind of led me into my current exploits with cyber, privacy and risk.

Steve King  03:24

It’s certainly an appropriate background for what you ended up doing for these guys. And if we flash back to sort of circa 2010, as Huawei was becoming a large global tech company, there were customer pressures as a driver and catalyst for investment and resources on security within Huawei. Didn’t that kind of trigger your foray into cybersecurity and privacy?

Tim Danks  03:48

Yeah, absolutely. You know, when I joined Huawei, back in 2009, I think it was really to kind of continue my professional services career on the service side. So what I didn’t realize at the time was there were so many parallels with cyber. But what happened is an event shortly after joining kind of pushed Huawei towards putting some additional thought and thinking into privacy and cybersecurity for our US operations. And so I got the additional responsibility, kind of a second hat if you will, for managing all the cybersecurity related deliverables here in the US and Canada. And I was doing that for roughly 10 years. And along the way, I added, you know, privacy and risk management and so on. And I was lucky enough to have a friend and mentor of mine, Andy Purdy, who I’m sure you know; together he and I learned a lot from each other, and he helped me learn a lot of things along the way, so

Steve King  04:53

well, and he’s a great guy and very competent, and one of my favorite guys in the space, so you definitely did have a unique opportunity for mentoring in that regard. So, so yeah, thanks for that. Let’s dive back into the first question, if you don’t mind. I know you’re under strict NDA, and I don’t expect you to name names or any of that. But to sort of recap, if you don’t mind, I think Huawei was in this, from my point of view, entirely. So you can correct me if I’m wrong, but was accused of IP theft, and then various other criminal acts, after it had been successfully serving customers in the US for years and was about to sign, I think, a couple of major deals with big telecom providers, was that it, I think? And then what happened? I mean, this whole thing seems largely political to me, no?

Tim Danks  05:47

Well, you know, politics are politics, they’re just that, politics, so I try and steer away from those. But I mean, historically, yeah, you know, way back in 2010, there were some major deals with some large carriers. And then, you know, 2012 timeframe, you know, a report came out from HPSCI. So this is not something that is all new, you know, these, let’s say, the concerns around Huawei from Congress, and so on. And then, you know, 2012, shortly thereafter, 2013, these couple, these major deals just suddenly disappeared. Huawei really shifted, then, back in that timeframe, to refocus efforts kind of on the rural communities. They’ve been largely underserved by the other vendors. And it was really a good fit for Huawei. At the time, you mentioned, you know, a lot of customers and kind of at the height of business growth for Huawei in the US, you know, they had, you know, over 70 customers, I think it was, roughly, and, you know, they were very happy with the products, delivery, services. I mean, Huawei deployed probably 20,000 plus nodes of network elements of different types, not just wireless, but wireline, and so on, across the US over, you know, a 10 or 15 year span. So there’s quite a bit of gear out there. And it was loved by many of these rural carriers. You know, I think 2017, 2018, we saw the deal fall through for the handsets with one of the major carriers here in the US. And then, of course, along came a lot of the other stuff in the months and years that followed. I don’t know that there’s much to say about that. I think it’s pretty much all public knowledge after that. But you know, I think that we need to question, you know, what was behind all of that? And what was driving all that? Was it purely cybersecurity or national security? Or was there more to it? You know, anyone’s guess. But, you know, from my perspective, I was there for quite a while. I never saw anything that was nefarious, or made me think twice. So

Steve King  07:49

yeah, sure. And I know, you know, that I’ve had quite a bit of direct experience with China, the mainland and Beijing, and we had offices in Shanghai and Beijing as well. And, you know, we shut them down. Huawei, you know, we all know that all Chinese companies are legally required, I mean, it’s an extension of the Ministry of Defense, essentially, right? So anytime they want information, they get it. And so if I’m a paranoid Congress person, and I’m so inclined to think that the Chinese are leaning closer than they have, right, then maybe I’m gonna find a way to make a big deal out of it. And then apparently, you know, I mean, Ren Zhengfei, I think, who was the founder, right, pretty close to the Chinese military intelligence operation, I think he served in the PLA in China, right. And it feels to me reminiscent of this Kaspersky ban that was based solely on the fact their headquarters were in Moscow, in spite of being arguably the best cybersecurity research firm on the planet. The supply chain, and you and I have talked about this before, the supply chain itself is so complex that it’s virtually impossible to make sure that your devices are free from tampering or any other sort

Tim Danks  09:07

of. I think it’s fair to say that about any device, right? I mean, we look at the complex global supply chains, as you say, and in many ways, we have to consider, you know, the thoughts, or we have to consider zero trust, because we can’t really trust any of these networks. We need to always be, you know, taking the necessary measures to protect ourselves. And that’s all the way down through the supply chain, and all the way into operations and delivery, and through change management and all of these aspects. Yeah. So it’s important that we understand our entire supply chain, and, you know, where necessary, we do need to take additional steps. We definitely have to identify what needs to be done to protect our critical infrastructure. As an example, is that flag of origin, is that country of origin, is that a factor? Absolutely, it’s a factor. But is it the only factor? Absolutely not. We need to consider a lot more there because it’s a complex issue. And it needs to be managed through public and private partnership, through standards, through third party verification and a lot of the things that need to be done in order to protect ourselves. But at the same time, we need to balance that, you know, with the right approaches, and we need to apply it to all, let’s say, to all suppliers to that particular industry, whatever that industry may be,

Steve King  10:34

yeah, and you’re getting to the point that I was trying to get to in sort of my rambling style here, which is that when accused of all of this stuff, many companies, you know, would say, Well, you don’t get to look at our source code. But you guys did exactly the opposite, I think, right? I mean, you kind of pulled back the curtains and raincoat and said, Here, take a look however you’d like. Can you tell us a little bit about some of the things you guys did to make sure that you had established what is essentially a bulletproof, trusted delivery mechanism? And I know you had a third party verification model, and you did a bunch of other stuff, and, you know, consumer cloud related to GDPR, and all that stuff. Can you talk about that?

Tim Danks  11:19

Absolutely, yeah, absolutely. I’d love to touch on that. In fact, this is the kind of thing that I really love to talk about, because these are some of the great things that we did, based on these external pressures that, you know, Huawei in the US was receiving. You know, it really created this kind of need for the company to be somehow beyond reproach, right, we have to prove something, we have to prove or disprove a negative. So that’s kind of a challenging thing to do. You know, so our focus was really on putting a program in place that would provide the necessary controls, administratively, technically, and so on, to provide assurances to all the stakeholders, whether it’s the customer or governments or so on, that it can be trusted, that it’s safe. Certainly, we put a vast number of things in place. And these pressures, they actually created some internal focus, and thus some funding and resources, which is always nice to drive some changes. You know, in circa, I think, 2012 timeframe, we established a thing that we called the secure network access solution. So it was a self contained private cloud.
And it was really built by a third party US company. It was isolated from the corporate infrastructure, it was managed by US citizens and administered, and we put that in place to isolate it from the rest of Huawei corporate, to essentially try and create, you know, put in place things like least privilege, microsegmentation, so engineers could only access the stuff that was related to what they were doing, and only the customers they were working with, and also creating a non-repudiable trail, right, like an audit trail that, you know, we could see down to transaction level, so we could see anything and everything and provide that to the authorities or to the customers on request, which we did, in many cases, not really to third party government or to the government, but definitely to customers, to show what was going on and what was happening within their networks. So, you know, every interaction with a customer’s network went through this system and related controls. But, you know, the data couldn’t be removed from this system. There were actually strict controls in place to manage, if something needed to be taken out of the system, how did that happen? We even had, you know, we had field work that has to be done. So we created something, even back in the 2012 timeframe, we called it a zero laptop. It was ultimately part of the same system. It was a laptop that was, you know, let’s say, locked down from a hardware and software perspective, basically, almost making it a dumb terminal, you know, running some antivirus software and VDI software. And that’s pretty much it. Engineers, of course, they weren’t too happy about carrying around two laptops. But, you know, it was necessary to, you know, segregate operations from daily corporate work. Ultimately, I think it was, I would call it a zero trust system, although we didn’t recognize it at the time, and the term wasn’t well known at the time, but it was definitely leading edge.
And, you know, we had many positive comments from the customers. And I think you alluded earlier to something else called trusted delivery. And this was something in part due to a particular customer arrangement as a result of an M&A activity. But ultimately, it was a third party company doing an independent verification of the source code and hardware design. Essentially, the software was reviewed and tested before deployment, including any updates and so on, and then that software was delivered directly to the customer from the third party themselves. So it never, you know, Huawei would never be involved in the network operations in any way. The hardware design was also verified, and then random inventory selection while this stuff was being rolled out, to make sure that the hardware that was being sent to the customer from the manufacturing facility was indeed the same hardware, designed according to the same methods, and had the same software loads and so on. This was later replicated in several other places. And some of those are still in process today, I think they are; it’s been quite a few months, it’s been eight months since I left Huawei. But, you know, we drove really hard to put things in place, what we thought were necessary and sufficient to provide those assurances I talked about earlier. And you asked about it being frustrating. You know, that’s probably the frustrating part of anything, is creating, you know, a leading edge, best in class system without knowing what is actually necessary and sufficient, because we never received the, you know, requirements, or were told what was needed, but we had to build something to prove it anyway. So it was very challenging. I mean, ultimately, it was never sufficient and never really known about. That’s why I like talking about it, because it’s something that didn’t get much play time out there. And, you know, certainly the challenges with that flag of origin,
I think, were many of the reasons why, or at least one of the reasons why, it was never talked about very much back in the day, but,

Steve King  16:42

but frankly, the whole thing is so stupid, it just blows my mind. You couldn’t have been more open kimono about all of this. And you have what, 70 plus customers, I think, today in the United States. What of those customers, you know, how long do they get to continue? You know, and then we have Lenovo laptops coming from God knows where, we don’t even know where our chipsets come from, we don’t know where the fab is being done. The supply chain is so complex, no one knows where anything is. And yet, we’re gonna ban Huawei, one company, one company, from doing business with us, even though we’re doing business with them across seven, eight different companies here already, and they have forever to, you know, disengage, I guess. This whole thing seems to me to be political theater. And the more we do this, the stupider we look, as far as I’m concerned, and we lose any leverage opportunity we have to do kind of the right thing from a technology point of view. And the company, from my point of view, a 100 billion dollar revenue company earning 12 billion net, I think, pretty amazing success story. And I know that, you know, Western nations don’t have any trouble at all, Canada’s got large telecoms seemingly having no problem. It’s embarrassing to me that our Congress has made this determination. And I’m the last guy to defend a Chinese company, right, you’ve seen what I feel about that. But on the other hand, we are shooting ourselves in the foot here, from my point of view?

Tim Danks  18:23

Well, I think on the technical merits, of which there are none coming from the side of our political motivations here in the US, I think we need to consider that we’ve got to protect our most critical assets. We need to understand the aspects of our supply chains that are at the most risk, but these measures need to be balanced, they need to be equally applied within a given sector. Thinking that, you know, the US is safer without a company like Huawei, well, are we? Is this a false sense of security? I mean, I think it’s something that’s interesting to note that the other major vendors in the same space do a sizable amount of R&D, manufacturing, component procurement, etc., from China and other countries, as do most tech companies. So the question is, are they any safer because their headquarters is under a different flag? It’s a questionable measure, right? We need to take the pragmatic approach, which is to look at the supply chain on its technical merits, which means we need to make sure we have the standards that are appropriate for the industry, appropriate for the particular, you know, critical infrastructure, whatever that may be, have, you know, methodologies to verify through third party authentication and so on, and ensure that, you know, we don’t try and avoid them by just saying, you know, this guy good, that guy bad, because it just doesn’t work that way. Because, you know, we spent years building these global supply chains. And now here we are saying, well, you can’t trust them. Which is true, you can’t. But we need to work together to figure out how we can have a level of comfort and risk management that is suitable. Yeah, that’s a lot to unpack, that one part was a lot to unpack.

Steve King  20:15

Yeah. Oh, wow. All right. And we could talk about this for an hour. So I’m going to set aside Joe Rogan here and ask you about your own career since leaving Huawei. Now, what, eight months ago, you started a new consulting company, leveraging your 30 plus years, I think, of experience in the space with risk and operational environments and your knowledge of a whole array of current technology platforms. Tell us about your objectives for the company and how you can help others move to a secure global digital transformation business model.

Tim Danks  20:54

Yeah, great. Thanks for the opportunity to talk about that. I mean, you know, I did leave Huawei about eight months ago. I took about six months off to just kind of decompress, and I actually converted a van, a Sprinter van, into a camper during the pandemic. So we traveled a bit around, and then I said, you know, what is it to do next, right, what are we going to do next? And I wasn’t quite ready to retire. And after gaining so much experience, kind of over these last few years, it just seemed time to try and give back and help smaller, medium sized businesses in their efforts, you know, in security. We often talk about the supply chain risks, and we need to recognize that, you know, as a collective, we are only as strong as our weakest link, as the saying goes. But small and medium businesses are resource and cost constrained. But they’re really faced with many of the same challenges as the larger enterprises. So we need to help them, and, you know, a data breach on either side is a challenge for everyone, right. So as an advisor and consultant at the company I recently started, I’m hoping I can leverage my experience with that technology, operations, services background to try and help some of these smaller companies where they struggle with understanding the risks and having the resources to implement things around cybersecurity and privacy, really, to help them better protect themselves. So I think that’s kind of where we’re going. And that’s what we’d like to do. I’m really open to working with companies on any aspects of, you know, whether it’s operations and services, deployment, technology, you know, cybersecurity, because I do have a pretty broad background and can bring all those things together. So

Steve King  22:42

yeah, indeed you do. And I guess we can all find you on LinkedIn, right? So absolutely, yeah. All right. Cool. So I’m conscious of the time, Tim, as I always am here. We’re trying to do this in a half an hour. And I think we got a little insight into what the truth, I think, is about Huawei, and about our relationship with our federal government folks. Last question: any predictions about the future for Huawei and their relationship with the US? Do you think that a more business friendly Congress, that maybe appears likely this midterm, may have an impact on their future here? I know it’s a tough question for you. But yeah, it’s

Tim Danks  23:24

really a tough question. I mean, I don’t have a crystal ball. So I can’t really see, unfortunately, a near term solution to the challenges that they’re facing here in the US, you know, the legislation, geopolitical issues, and a lot of it, specifically here in the US, is around FUD, right, fear, uncertainty and doubt, that’s been sowed by all the issues and the things that have been going on, and specifically in the last few years. So I don’t see it boding well for them near term. I mean, maybe there’s a longer term objective, but I’m sure that they will adapt and survive elsewhere, shift into other technologies or shift their focus in their business. So best of luck to them with that, but for now, I’m moving on. I’m looking to help US companies, you know, focus on what we can do here to help protect themselves. So

Steve King  24:18

yeah, and that’s Tim, just to give you an example of his diplomatic skills as he slid out of that question. But thank you, Tim. I appreciate it. And I hope that a company like Huawei, which has amazing technology, frankly, especially around 5G, is able to, you know, recover from this craziness that we’ve imposed and continue to be successful as they have been throughout the rest of Western Europe, for example; many of our allies are certainly customers. But nonetheless, again, I appreciate your insight, and wish you all the best. And thank you for spending time here with us, and I’m going to check back in with you in a few months and see how your business is doing, and we’ll see if anything changed in the Huawei-US relationship posture in the meantime as well.

Tim Danks  25:16

Absolutely. Let’s do it again. I appreciate your time today.

Steve King  25:20

All right, thanks.

Tim Danks  25:21

It was fun. Yeah.

Steve King  25:22

I enjoyed it. And I hope that our listeners did, and until next time, I’m Steve King, your affable host here, signing off, and we look forward to seeing you in the next episode. Take care.

Category: Podcast