by EDISON XIE
JOHANNESBURG – OVER the past two years, Huawei has reviewed its approach to security and privacy and analyzed the directions in which new technologies are heading, as well as the current and future challenges facing our customers.
As a consequence, we have enhanced our cyber security and privacy frameworks, operating on the assumption that in this globally intertwined world, cyberspace will face constant attacks.
Throughout 2019, the frameworks guided the way in which we continued to drive process transformation, solutions, security engineering capabilities, security technologies and standards, independent verification, supply chain, and personnel management. This has enabled us to proactively enhance our end-to-end cyber security assurance capabilities. Some of our key activities are highlighted here:
Heavily invested in software engineering capability transformation to ensure secure, trustworthy, and high-quality products: we have simplified our products and solutions as much as possible, implemented the latest security architecture and development, and we are progressively upgrading all appropriate products and solutions to reflect the latest thinking, technology components, and partners.
We have systematically built and deployed resilient architecture design methods, and have launched the distributed automatic binary vulnerability mining platform. Moreover, we have improved our security design tools, code security scanning cloud, security test cloud, and fuzz test cloud. These initiatives greatly enhanced our security engineering capabilities, enabling us to help our customers safely digitize their businesses and create value for their customers.
Maximizing the use of AI in developing security products and solutions: We have launched a series of security products and components centering on AI-powered security risk identification, security situational awareness, security risk prevention and response, and security ecosystem. These tools are integrated with our 5G, IoT, and cloud solutions to provide intelligent network boundary protection and defense, real-time situational awareness, and efficient closed-loop handling of security risks, helping customers build network resilience and protect themselves and their customers.
Maximizing technological innovation to reduce risks to customers: We have introduced full-stack security technologies into ICT products to enhance product security and resilience. These technologies include host intrusion detection, sandboxing functionality, container security, CPU side-channel attack detection, web application security, and intelligent risk control.
We have also deployed memory code integrity measurement on 5G base stations, ensuring runtime code security. Furthermore, we have enhanced kernel integrity protection on mobile phones, and applied key security technologies such as the real-time detection of kernel attacks and AI-based detection of unknown threats to improve mobile phone security.
Another area that we have innovated in is mobile apps. Dynamic and static privacy data access compliance detection technologies will detect exceptions in mobile applications, such as permission abuse, malicious behavior, and pirated applications.
This not only ensures that the AppGallery complies with Android Green Alliance 2.0, but also provides for a clean and sustainable application software ecosystem.
Strengthened the independent verification mechanism: We have fully supported the independent verification of Huawei cyber security by stakeholders. In addition, we have assured and verified our cyber security management systems, products, services, and personnel through quality monitoring, internal and external auditing, and standards certification, meeting stakeholders’ cyber security requirements across all of our business processes (e.g., R&D, sales, service, and supply), helping us to enhance external confidence in Huawei’s overall approach to cyber security.
Supply chain cyber security risk management and capability building: Huawei’s comprehensive supply chain security management system is ISO 28000-certified, enabling us to identify and control security risks throughout the supply chain lifecycle. We produced 28 types of industry-leading material security specifications and security sourcing test standards, along with 11 sets of industry-leading standards for the certifications of our suppliers’ cyber security systems. Our suppliers must pass a rigorous security sourcing test and obtain system certification before they are accepted.
In 2019, we assessed, tracked, and managed the risks of more than 3,800 suppliers worldwide. We signed data processing agreements (DPAs) with more than 3,000 suppliers and continue to run due diligence to ensure compliance with privacy obligations.
We released the supply availability security baseline and implemented it in all of our 145 newly developed products. Furthermore, we developed an in-transit exception dashboard to provide real-time warnings about exceptions such as abnormal stay and route deviation. We restructured the product delivery tracing system, allowing us to trace software information within one hour and trace hardware information (from incoming materials to delivery to customers) within one day to facilitate the fast and transparent resolution of issues and to eliminate risks.
Employee awareness and skills enhancement: We conducted training across a range of cyber security and privacy protection topics and held exams for all Huawei employees, with a 99% success rate. Employees continue to be encouraged to improve their cyber security and privacy expertise through external training and professional certification.
To date, more than 500 employees have obtained external professional certifications such as IAPP (privacy) and CISSP (cyber security). Huawei has the most IAPP-certified employees in the world. Our Cyber Security & Privacy Protection Knowledge Center, a one-stop learning and training platform, was launched and is already helping employees improve their skills and enhance their knowledge.
Over 620,000 hours of coursework have been completed by our employees, with a total of more than 290,000 individual enrollments in our 111 courses. This means the average Huawei employee spent more than two hours taking cyber security and privacy training.
User privacy protection obligations: Huawei remains committed to complying with privacy protection laws and regulations around the world. We have adopted industry-recognized best practices, and have embedded Privacy by Design into product and service development processes. These initiatives contribute to a holistic framework for personal privacy protection policy.
We have increased our investment in the management of data subject rights assurance, developed explicit management requirements and processes, and deployed them in a unified IT system, ensuring that we can promptly process data subjects’ requests. To date, we have handled more than 10,000 data subjects’ requests.
In addition, we completed 26 internal audits to ensure that our personal privacy protection policy has been implemented in a consistent and effective manner, and we passed five external audits as well as one professional inspection by a regulator.
AI governance: In 2019, Huawei released the Thinking Ahead About AI Security and Privacy Protection white paper, setting out Huawei’s viewpoint on the current security and privacy challenges surrounding AI. The paper explores key topics such as technical reliability, societal applications, and legal requirements and responsibilities.
In addition, the paper proposes a number of feasible governance models, including planning trustworthy technical solutions, and adopting a shared responsibility model for AI security and privacy. The paper calls on all stakeholders to work together towards shared goals and for the healthy development of AI into the future.
Our experience tells us that no one has a monopoly on good ideas. The more we share and discuss the challenges we all face, the more we can improve solutions, standards, and approaches to raise the bar for everyone. Huawei remains determined to communicate and cooperate with stakeholders in a manner characterized by openness and transparency; integrity and trustworthiness; and accountability. We strive to address cyber security and privacy protection challenges through technological innovation, standards development, and management improvement. We are relentless in our mission to help customers establish their own cyber resilience and risk mitigation strategies.
NB: Edison Xie is Director of Media Affairs, Huawei Southern Africa Region.
– CAJ News