This is John Suffolk's Typepad Profile.
Join Typepad and start following John Suffolk's activity
Join Now!
Already a member? Sign In
John Suffolk
UK, China, Worldwide
Personal blog of The President of Cyber Security & Privacy at Huawei and former UK Government CIO and CISO (2006-2011) - Personal Thoughts
Interests: Travel, charity challenges, rare breed sheep farming! Fixing big issues.
Recent Activity
It is very hard for a company such as Facebook which is big, complex, relies on vast amounts of user data, thousands of third-parties and spans many legal jurisdictions to get it right all of the time. We should not be critical of them for this. We should remember that what was deemed "right" or "acceptable" ten years ago, or five years or even last year changes. In practice this is the essence of Facebook for its advertisers and third-parties in answering the question what do our target audiences like, dislike, buy, vote for etc. Perhaps Facebook should consider applying... Continue reading
Posted Mar 21, 2018 at John Suffolk
The BBC reports today that "IFS says worst of UK spending cuts yet to come" and indeed no matter how you do the maths, what political party you support, if any, there is indeed a long way to go to recover the UK financial position. Sadly listening to all political parties we seem to be in the throw ideas at the electorate and let's see if any of them sticks mode. There must be a better more systematic justifiable way for political parties to establish strategy over tactics and with this what should we protect and what could be cut.... Continue reading
Posted Feb 4, 2015 at John Suffolk
When we look around today it is fair to say that almost everything we see has been shaped by the combination of Governments, regulators, vendors and consumers continuously improving the products and services that we use. Your trip to the office, or home or school or shop today regardless of by car, bus, cycling, and yes even walking has sustained many years of functional and safety innovations and improvements. The room you are meeting in has been shaped by health and safety considerations on maximum room size versus the size of the exits to allow a timely escape in the... Continue reading
Posted Dec 3, 2014 at John Suffolk
It has been interesting to read of the potential bid by British Telecom for EE, or O2, or both networks in the UK. I was also interested to see EE might undertake a counter bid for the O2 network. Regardless of who acquires whom two things we can be sure of. (1) There will always be consolidation and (2) rural customers will suffer. Now I am assuming most of you will agree with number (1) but many of you might question the accuracy of number (2). Let me explain my logic, based purely on a single data-point the Suffolk household,... Continue reading
Posted Nov 29, 2014 at John Suffolk
Dear David thank you for your comment. I think we have the “chicken and the egg” situation here as to what comes first. In my humble opinion our ability to move forward with anything that will work at a whole of county level is predicated on recognising the different cultures and competences that are required. The Civil Service has brilliance at policy development but is not so good at execution nor delivery of the required policy outcomes. So let us start with recognising the different requirements and create an Organisational Design (OD), and all that goes with good OD, to create great capability in both competences – policy and execution. This gets us to the starting point to go onto phase 2. Phase 2 is at the heart of the policy problem that you see today, and the resultant chaos created in policy execution, that is what is it we should do for the good of the Country? How do you make policy decisions when resources (money, people, skills et al) are in short supply? Let me explain: What is more important for the country at large getting citizens to see their GP or free bus passes for pensioners? What is more important breast reduction or enlargement or cancer drugs to prolong someone’s life? What is more important an increase in resources at borders and immigration or foreign aid? Unless you can answer these questions and hundreds more you get policy by ego, guesswork, populism and fantasy – just look at the announcements at recent party conferences, just read your papers today. There is a way to answer such tough questions but I am not convinced political parties want to nail their policy colours to the election mast in such a clear and unambiguous way – I do passionately believe it what the electorate want though. My next blog post will be about how you prioritise such tough questions, and then maybe after that I will review the progress on the ICT strategy implementation. Don’t get me wrong what you say is valid and it has its place but first we must create the Government Infrastructure so that you thoughts can be executed.
1 reply
I have been intrigued to read many articles about the creation of a CEO for the Civil Service. Insiders, and many outside including me, have pondered how this change will work when you have the all powerful Cabinet Secretary and individual Permanent Secretaries reporting directly to their Secretary of State. My assessment is that creating a CEO position is unlikely to yield much result on its own, but by other significant transformations and the bringing together of other changes introduced by the coalition Government could yield a Civil Service fit for the next period of our history. First of all... Continue reading
Posted Oct 18, 2014 at John Suffolk
In the UK we are fast approaching an election period and political parties are coming up with lofty ideas and policies to tempt the electorate to vote for them. It doesn’t seem that long since the last election, and from what I can see, policy thinking does not appear to have moved forward. Same old same old… But what is missing, again, is any sense of what problem the political party is trying to solve and what value the policy will create for the country and its citizens. Let’s be clear policy pontificating has little to do with reality, it’s... Continue reading
Posted Sep 24, 2014 at John Suffolk
I am saddened to see that changes to the trustworthy computing group within Microsoft. I have dealt with them for many years, first within the UK Government as the Government CIO and now at Huawei. Scott Charney and the team (some who have, over time, gone to pastures new) have developed a world class reputation for excellence in security. They have been at the forefront of methodologies such as SDL, worked tirelessly to expand other technology vendor and user’s knowledge whilst at the same time dramatically improving the security quality of the Microsoft products. I can see no real advantage... Continue reading
Posted Sep 23, 2014 at John Suffolk
I was watching Jacob Applebaum’s presentation at the Chaos conference. It is well worth watching, you can see it here. Jacob is a passionate and talented man. This is a good presentation describing the latest revelations on the NSA’s bag of tricks. There are a few things that I would take issue with on the latest revelation and how it has been presented and written up. First we need to be careful that we vent any frustration and anger in the right direction. Questioning the morality or legality of TAO misses the point. The hugely talented men and women who... Continue reading
Posted Jan 3, 2014 at John Suffolk
I have just finished speaking at the Seoul cyber security conference, perfectly and warmly hosted by the Republic of Korea Government. About 100 countries, plenty of Ministerial support as usual. Sadly the conversation does not appear to have moved on in many ways relating to “international laws, standards, behaviours”. In fact it is what most Ministers asked for, yet I assume it is their job... Correct me if I am wrong but I have not seen since the first conference in London some three years ago any G8, G20, UN or other Government put this to the top of the... Continue reading
Posted Oct 19, 2013 at John Suffolk
Dear John thank you very much for the time and trouble you have taken to post a comment. My first response was “how would John know the truth? Would he be told the reality?” In terms of your statement how interesting I have heard similar statements from other vendors, which was duly ignored. Forgive me for being a little sceptical. You cannot deny that CISCO has been incredibly outspoken about blocking Chinese Tech vendors not just in America but globally; you cannot deny that CISCO gains the most, from business with the American Government and from the Chinese Government - you are deeply imbedded in both. You cannot deny that PRISM has indicated a close relationship between some American Tech vendors and the American Government. Logically one can reason that given CISCO and Juniper’s position in America, their spread of implementations in sensitive Government and enterprise infrastructures around the world questions should be asked about their relationship, If any, with the NSA (or other security agencies) and any other spying programmes that might exist. Quotes such as "The Post ( found a seven-page sales presentation called "Huawei's & National Security," which is meant to give ammo to Cisco representatives on why clients should avoid Chinese competitors and go with American companies" and your Piranha strategy implies a culture of - we will do anything to stop competition – does anything mean working for the NSA for example in a "you scratch my back, I will scratch yours" kind of way? I accept that you might have a different view on the perception and implications of this pervasive culture and indeed what I, and others, write is far from reality. So just as CISCO and Juniper have been active in questioning political links of non-American tech vendors and raising security fears, you should not be surprised if customers and Governments around the world, in the light of PRISM, now pose questions about American Tech vendors who hold a position where they have the means of contributing to NSA’s strategic arsenal of tools and techniques to exfiltrate data on their targets. CISCO and Juniper have both the means and the motive, however it does not, mean that you have taken the equivalent of the Kings shilling, but it is right for Governments to assess their risks based on this new information and ask is the risk worth it. Let me reiterate my personal view, I believe in open markets, innovations and competition. I do not believe companies or Governments should use cyber security as a trade barrier – we have a global challenge we must collectively address. I look forward to CISCO and Juniper positively promoting and welcoming free trade, innovation and competition in America. I look forward to America opening up its markets as China has done to CISCO and Juniper. There are no winners if other Governments adopt the “American Closed for Competition” model and limit access to their markets. All Governments can copy this and they have more reason to given the recent PRISM revelations.
1 reply
So the furore about PRISM is beginning to subside. What we know is that there is a programme; America does snoop, spy and hack in a large way and American Tech firms are complicit, but what next? First the revelations are not over. We have seen around 4 slides from 25 and Snowden and the Newspapers are claiming there is a lot more to come. We have seen all of those involved going into denial first, nothing to see here, all legal blah blah blah. Then watering down (it isn't really as bad as you think…) and now they are... Continue reading
Posted Jun 14, 2013 at John Suffolk
Thank you all for your feedback on my previous posts – LinkedIn is a marvellous email system. Let me summarise as best as I can the comments. First of all there were those of you who said I am a crazy man and need locking up for suggesting such terrible things; then there were the group of you who said I was an idiot for not recognising how far America had really gone and that "I don't know the half of it". Some of you were kind enough to send me copies of competitors sales manuals, one a particular favourite... Continue reading
Posted May 15, 2013 at John Suffolk
I came across this survey analysis which stated "Americans Are Pretty Cool With Politicians Cheating on Their Spouses As Long As It's Not With A Prostitute" but I couldn't find a question about would they vote for them if they, or their family, were perceived as personally gaining from their work in public office. As many of you know when I left Government I went through the standard review process before I joined Huawei. The review process sets out to ensure that I did not get my new job on the basis of doing my new employer a favour, i.e.... Continue reading
Posted May 12, 2013 at John Suffolk
It seems absolutely right that countries should promote their industries, promote their companies and encourage people to buy "local". We have Buy American, buy British and probably lots of others. I know there was talk of buy European. However I haven't heard of China promoting a "buy Chinese". I know if I have a choice I favour British first, European second. When countries introduce their buy local campaigns – in America the Buy American Act was passed by Congress in 1933 - no one assumes that this is a protectionist measure. Quite the opposite we all see this as something... Continue reading
Posted May 9, 2013 at John Suffolk
Dear Mikey thank you for the comment. You are right about the maths, that's why I sourced the figure from another article. I agree with you, based on the numbers more like 24 times. Best wishes John
1 reply
Dear Mr President, I have some bad news for you. I know in 2011 we spent 58 percent of the total defense dollars paid out by the world's top 10 military powers and we outspend China, the next-biggest military power, by nearly 6-to-1 or over two thousand times more per person on defence than China but we cannot defend our defence networks. What's more I think we should tell the world we cannot defend them and let us be at the mercy of these heinous hackers. Doesn't sound right to me, but actually this is what America says, but is... Continue reading
Posted May 3, 2013 at John Suffolk
I read a very wide ranging article quoting amongst others David Irvine who is the Head of ASIO, the Australian Security Intelligence Office and it details that "The ordinarily shadowy DSD has published a detailed study on its top 35 cyber "mitigation strategies". In research that won the 2011 National Cybersecurity Innovation Award in the US, DSD found that 85 per cent of intrusions were thwarted by its first four mitigants alone. DSD's Mike Burgess recalls that "a few years ago, one of my staff assisted ASIO in responding to a major incident on the network of one of Australia's... Continue reading
Posted Jan 3, 2013 at John Suffolk
Thank you for your comments. I was part of the team that hosted the Congressional study in our Headquarters in Shenzhen, as well as meeting the Committee in Hong Kong and one of the authors of answers to the many questions we were asked, and I have to say that our approach was as professional as I have seen throughout my business and Government career - I am sorry you have a different view. Two thirds of our business comes from outside of China and I think many of the Citizens and Governments in the 140 countries in which we operate in may take exception to you suggesting they are 3rd world. I would say that whilst they might not have the GDP of say the USA, in their own way many countries are using technology in very advanced ways. We pride ourselves on our transparency - after all who gets reviewed, audited and inspected as much as Huawei? - we are a private company who are under no legal obligation to publish information yet because we are a leader in transparency we have had our accounts audited by a world-class audit firm, KPMG for 8 years, we publish our accounts and a full range of other information. I note your point on “association" with the Chinese Government, yet there has never been any report that has identified any evidence of association with the Chinese Government other than that required under law for purposes of company formation and taxes etc - just like any company in the world. From my perspective I can honestly say that I have never had any of my cyber security work reviewed, modified, influenced by anyone other than colleagues in Huawei and our customers. Finally we fully support your point about third-party validation of our products – this is what we do, it was such a shame that the Committee did not agree with you or I on validation. If you are American perhaps you could lobby your Congressmen to introduce a bill that ALL technology should be subject to independent review. After all other Governments carry the same risk of using equipment not produced in their country. It is right for non-American companies and Governments to question what might lurk in American technology just as it is right for the American Government to question what might lurk in non-American technology. As I put in my recent White Paper one doesn’t need to look too hard for links between say the American Security Agencies and American technology companies, nor for conspiracy theories about known flaws being left open so that a Government can exploit them. This is why we favour and demonstrate openness, transparency and collaboration and do not wish to see cyber security being used as a protectionist measure – I hope you favour this approach as well. Once again thank you for your comment.
1 reply
As many of you will know when I left the UK Government as the Government CIO I joined Huawei. Some saw it as a mildly controversial move but those of you who know me knew that this is exactly the kind of company I would join. A company that is shaking up the world in terms of technology, a company committed to science, engineering and R&D, but fundamentally a company whose passion is for its customers and their customers to make the world a better place through the use of technology. I have just completed my first year at Huawei... Continue reading
Posted Dec 14, 2012 at John Suffolk
Well it has taken over a year to get the "system" out of my system and it is good to be writing again. I was pleased to see that the UK Government has run an event to urge business leaders to step up their response to the threats of cyber security and produced a number of guides to help them understand the challenges and what they can do about it – the details can be found here. Much of the advice centres on basic awareness and training, which reminds me of the challenges of mixing senior people and technology together:... Continue reading
Posted Sep 13, 2012 at John Suffolk
First of all a huge thank you to the hundreds of people who have texted, emailed, and sent LinkedIn messages of congratulations. However, as a civilian I have been chastised by the Cabinet Office and former colleagues so I have two apologies to make. The first is to my former colleagues in Cabinet Office where, due to my desire to keep words to a minimum, they are concerned that I have not detailed the full terms of the appointment. This has meant that they have had to make several calls to journalists so that they can add the fine detail... Continue reading
Posted Aug 1, 2011 at John Suffolk
Under the Civil Service Business Appointments Rules, on the 22nd February I applied for permission to accept an appointment from Huawei to be their first Global Head of Cyber Security reporting into the Group CEO, and founder, Mr Ren. On the 12th July the Prime Minister, on the advice of the Advisory Committee on Business Appointments and following a thorough investigation of the case approved the application, subject to me waiting for a period of 6 months from when I left the Civil Service. So I join on the 1st October. I have to say I am both thrilled and... Continue reading
Posted Aug 1, 2011 at John Suffolk
Sir Gus O'Donnell, the Cabinet Secretary, has announced my decision to leave the Civil Service after 7 years with almost 5 years being the Government Chief Information Officer and Senior Information Risk Owner. the full statement is "John Suffolk, Government Chief Information Officer at the Cabinet Office, has announced today that he will be leaving the Civil Service at the end of the year. John joined the Home Office in 2004 as the Director General leading the technology transformation of the Criminal Justice System and was appointed to the role of Government Chief Information Officer in 2006. John made his... Continue reading
Posted Nov 21, 2010 at John Suffolk
Philippa thank you for your posting. We have left the decision on whether departments should submit an exception request to the discretion of every department. Given that you are working to March 2013 I wonder if the department is taking a view that this decision does not need to be taken in advance of the completion of the spending review. If you believe that a decision needs to be taken question you should escalate your concerns to your manager/ SRO of the project. Best wishes John
1 reply