I have been aware of Huawei for longer than most as I teach computer networks and Huawei are a global leader in providing the underlying infrastructure of the Internet. Most national carriers have Huawei providing the core routing which keeps the networks alive. Huawei of course are poised to become even more important as they are leading innovation in the roll out of 5G.
I have been privileged in recent times to attend Huawei events including Huawei Connect 2017 in Shanghai. This was all about platforms and ecosystems, focusing on practical application and hands-on experience. The event brought together members of the huge global ICT ecosystem in an interactive exhibition hall over 20,000 square meters in area. The last time I was there was in 2015 for Mobile World Congress 2015, which is one of the largest tech conferences in the world, yet Huawei had as much on display – and they are only 1 company. That more than anything shows you what a big player in the industry they are.
The latest event I was invited to was the launch of their cyber security and privacy protection transparency center. The Center has three functions: demonstration and experience, communication and innovation, and security verification. The Center provides Huawei products and software versions, technical documents, testing tools, testing environments, and necessary technical support. Huawei has built seven transparency centers around the world, which are located in the UK, Canada, Germany, the UAE, Belgium and China. Over the past 10 years, they have received a total of 700 batches of customer for exchanges. With broader coverage and stronger capabilities, the Center will provide governments, customers and partners around the world with stronger capabilities in cyber security and better support for cooperation. Based on the governance and technical capabilities of the HQ, the Center is open to their regional/country-level transparency centers for resources including remote tours and exchanges, technical experts, and testing and verification environment.
Huawei intends to drive the entire industry to join hands in managing cyber security and improve overall capabilities. This demonstrates Huawei’s advocacy of capacity building and value and is a reflection of Huawei’s role and contribution as a key player in the industry. The industry needs to enhance its cybersecurity capabilities however many stakeholders in the supply chain face challenges in technology and funding. Extending Huawei’s baseline from its core suppliers to across the industry can help improve the industry’s overall cybersecurity capabilities. Huawei holds its suppliers to the same baseline. By sharing this baseline, they intend to extend it from their core suppliers to the entire industry. The baseline can also provide a reference for their customers and serve as the requirements for their suppliers. This cybersecurity baseline is at the core of Huawei’s product management and has been developed and optimized based on Huawei’s 10+ years of continuous investment in research and development. Huawei’s track record in cyber security over the years has proven this management system effective. As an important part of Huawei’s end-to-end cybersecurity assurance framework, Huawei’s product security baseline takes reference of extensive external laws and regulations, technical standards, and regulatory requirements. With continuous research, they have developed them into basic requirements that guide Huawei’s product development. This baseline covers 15 categories, 54 requirements, and 112 specific implementation instructions and interpretations, ensuring the quality, security, and trustworthiness of Huawei products. These include 4 categories of legal compliance requirements (such as preventing backdoors, malware and malicious behaviour, protecting user privacy and freedom of communication), and 11 categories of security and functional assurance requirements (such as secure coding, compilation, sensitive data protection, encryption, secure boot, integrity protection, and lifecycle management).
I am also aware of the philosophy underpinning Huawei’s success. In a nutshell it is hard work. The company founder Ren Zhengfei has simply instilled a culture of putting the customer first. I never tire of telling people about an episode from their early years where in desert and rural areas in China, rats were gnawing the telecom wires which led to outages. The incumbent telecom companies providing service did not consider this to be their problem, but rather that of the customer but Huawei viewed the rat problem as one the company had the responsibility to solve. So, they researched how to develop more durable equipment and materials – such as chew-proof wires to solve the problem. Doing this later helped them win several large accounts in the Middle East, where similar problems stymied the telecom firms.
The journey is hard and joyful
I am impressed by the famous Huawei Ad which shows a ballerina’s feet. One of her feet is in a satin pointe shoe and the other is bare and battered, with bits of bandage clinging to it. The caption reads “The journey is hard. And joyful”. This of course is a metaphor for Huawei employees’ hard work to innovate for its customers.
Over the past few years, industry digitalization and new technologies like 5G and AI have made cyberspace more complex than ever, compounded by the fact that people have been spending a greater portion of their lives online throughout the COVID-19 pandemic. These trends have led to a rise in new cyber security risks.
Huawei opened the new Global Cyber Security and Privacy Protection Transparency Center in Dongguan to address these issues, providing a platform for industry stakeholders to share expertise in cyber governance and work on technical solutions together. The center is designed to demonstrate solutions and share experience, facilitate communication and joint innovation, and support security testing and verification. It will be open to regulators, independent third-party testing organizations, and standards organizations, as well as Huawei customers, partners, and suppliers.
To further a unified approach to cyber security in the telecoms industry, organizations like GSMA and 3GPP have also been working with industry stakeholders to promote NESAS Security Assurance Specifications and independent certifications. These baselines have seen wide acceptance in the industry, and will play an important role in the development and verification of secure networks. Mats Granryd, Director General of GSMA, spoke at the opening of Huawei’s new center. “The delivery of existing and new services in the 5G era will rely heavily on the connectivity provided by mobile networks and will fundamentally depend on the underlying technology being secure and trusted,” he said. “Initiatives such as the GSMA 5G Cybersecurity Knowledge Base, designed to help stakeholders understand and mitigate network risks, and NESAS, an industry-wide security assurance framework, are designed to facilitate improvements in network equipment security levels across the sector.”
At the event, Huawei also released its Product Security Baseline, the culmination of over a decade of experience in product security management, incorporating a broad range of external regulations, technical standards, and regulatory requirements. The Baseline, together with Huawei’s other governance mechanisms, helps ensure the quality, security, and trustworthiness of the company’s products. Over the years, Huawei has built over 1,500 networks that connect more than three billion people across 170 countries and regions. None of these networks have ever experienced a major security incident.
“This is the first time we’ve shared our security baseline framework with the entire industry, not just core suppliers,” said Sean Yang, Director of Huawei’s Global Cyber Security and Privacy Protection Office. “We want to invite all stakeholders, including customers, regulators, standards organizations, technology providers, and testing organizations, to join us in discussing and working on cyber security baselines. Together, we can continuously improve product security across the industry.” At present, the industry still lacks a standards-based, coordinated approach, especially when it comes to governance, technical capabilities, certification, and collaboration.
Ken Hu, Huawei’s Rotating Chairman, speaks at the opening of Huawei’s Global Cyber Security and Privacy Protection Transparency Center in Dongguan, China
“Cybersecurity risk is a shared responsibility,” concluded Ken Hu in his opening remarks. “Governments, standards organizations, and technology providers need to work closer together to develop a unified understanding of cyber security challenges. This must be an international effort. We need to set shared goals, align responsibilities, and work together to build a trustworthy digital environment that meets the challenges of today and tomorrow.”
As quoted in the third edition of Huawei’s cyber security whitepaper, Cyber Security Perspectives: 100 requirements when considering end-to-end cyber security with your technology vendors14, “If cyber security isn’t seen as a priority by the Board and senior officials, it won’t be seen as a priority by the organization’s staff. Ensuring that cyber security is embedded into the organizational design, governance and internal control framework of any organization is the starting point for the design, development and delivery of good cyber security.” Since 2010, Huawei has assigned a deputy chair, several board members, and multiple business department presidents to serve in the Global Cyber Security and User Privacy Protection Committee (GSPC) and to manage the development and execution of cyber security and privacy protection strategies. This gives board members and senior managers a clear understanding of security and privacy issues as well as their responsibilities and allows them to step up to the plate to tackle the issues. They make sure sufficient resources are provided to embed cyber security and privacy requirements into Huawei’s strategic design and governance structure.
It is also interesting to note that as early as 2000, Huawei was working on its cyber security. Now there are more than 3,000 cybersecurity R&D personnel in Huawei, and the cybersecurity R&D expenses in 2019 accounted for about 5% of the company’s total R&D investment in that year. Huawei now has 3,000+ cybersecurity-related patents.