Huawei Cyber Security Guide for Partners

Contents

• Challenge of Cyber Security
• Huawei Cyber Security practices and resources
• Cyber Security Requirements and Code of Conduct on Partners
Technology and service innovation increases the attack surface and brings more security risks and challenges

With increasing ICT openness, IP-based network evolution, terminal intelligentization, cloud computing, big data applications, and multi-service convergence, technologies and services are becoming more and more complicated, and attack methods are becoming more diversified and complex.

Attacks and theft aimed at economic gain keep increasing, hacker attacks have become industrialized, and cyber security incidents occur frequently, incurring great economic and reputational losses for enterprises and organizations.

According to industry research, 55% of security threats come from enterprise employees and 37% from unauthorized access. Therefore, employee education and preventive measures are very important.

Who are the bad guys? (figure)

Threat types: spam, phishing websites, traditional viruses, Trojan horses/worms, botnets/DDoS, APT, malware/spyware. Attack methods: unauthorized access, forgery, tampering, network eavesdropping.

Example incidents:
• The US IRS system was hacked, causing a $50 million loss.
• The Ukraine power network suffered a malware attack, resulting in power failure for hundreds of thousands of users.
• The networks of US enterprises and organizations such as Anthem, UCLA, and CVS were hacked, leading to disclosure of personal information (including credit card information) about over 84.5 million customers.
• The network of UK Carphone Warehouse was hacked, leading to disclosure of personal information (including credit card information) about approximately 2.4 million customers.

Who are the bad guys?
• 45.0% Outsiders
• 31.5% Malicious insiders
• 23.5% Inadvertent actors

Top 3 cyber security threats:
• 37% Unauthorized access
• 20% Malicious code
• 20% Sustained probe/scan
Customer Requirement: Customers Pose Cyber Security Requirements on Equipment Vendors Based on the Needs for Compliance, Information Security, and Brand Reputation

Cyber security risks like tampering, implantation, viruses, unauthorized access, and illegal data transfer exist throughout the entire supply and service process; they are not limited to equipment vendors but involve all parties in the supply process.

Supply and service chain (figure), from equipment vendor to customer:

Party                         Work division          Security responsibility
Equipment vendor              R&D/production         Product security
Logistics service provider    Cargo transportation   Logistics security
Partner                       Delivery service       Service security
Logistics service provider    Cargo transportation   Logistics security
Customer                      Network operation      Operation security

Personnel security applies to every party. The customer's network security requirements are imposed on all of them and enforced through checks and audits.
Huawei Cyber Security practices and resources
Practice areas: Strategy (cyber security and privacy protection) | R&D | Verification | Supply Chain & Procurement | Delivery | CERT/PSIRT | Openness
Cyber Security and Privacy Protection is Huawei's Top Priority

"In light of the foregoing, Huawei hereby undertakes that as a crucial company strategy, based on compliance with the applicable
laws, regulations, standards of relevant countries and regions, and by reference to the industry best practice, it has established and
will constantly optimize an end-to-end cyber security assurance system… tackling the challenges of cyber security through
partnerships with governments, customers, and partners in an open and transparent manner. In addition, Huawei guarantees that
its commitment to cyber security will never be outweighed by the consideration of commercial interests."

– Statement on Establishing a Global Cyber Security Assurance System

"The Chinese government has already clearly said that it won't install any backdoors. And we won't install backdoors either. We're
not going to risk the disgust of our country and of our customers all over the world, because of something like this. Our company will
never undertake any spying activities. If we have any such actions, then I'll shut the company down."

Mr Ren Zhengfei, BBC News, 19 February 2019

Over the past 30 years, Huawei has served more than 3 billion people worldwide, supporting stable operation in over 170 countries and regions. We have maintained a good cyber security record worldwide, and our cyber security practices have been recognized by customers.
A board-level security committee. Further, all Huawei employees must "own" cyber security

Cyber security governance structure (organization chart):
• GSPC, chaired by Ken Hu; CEO Ren Zhengfei
• Global Security & Privacy Officer (GSPO): John Suffolk; Director of the GSPO Office: Sean Yang
• Independent Cyber Security Lab and external cyber security lab; more than 5% of R&D investment goes to cyber security
• Business group cyber security departments: Carrier Network BG, Enterprise BG, Consumer BG
• Function-level security organizations: Products & Solutions / 2012 Lab Cyber Security Competence Centre, Procurement Cyber Security Office, Supply Chain Cyber Security Office, and the PACD, LA, MKT, JCR, CHR, BP&IT, and Audit departments
• Country Cyber Security Officers (CCSOs), e.g. for Canada, France, Japan, USA, UK, ...
A "built-in" strategy: our corporate processes are the foundation stones

Cyber security consulting is embedded in each corporate process (figure):
• Market Management (MM): customer requirements and market input
• Integrated Product Development (IPD): charter and realization, including Service Engineering, Manufacture, and NPI
• Integrated Supply Chain (ISC): sourcing plan, order-related process, delivery
• Lead To Cash (LTC) / CRM: leads, opportunities, contracts, service
• Operation and Maintenance Process: issues and service
• Supporting functions: HR, Finance, IT, Quality Control

MM: Market Management | IPD: Integrated Product Development | ISC: Integrated Supply Chain | LTC: Lead To Cash
Huawei focuses on 12 areas: an end-to-end cyber security assurance system

• Strategy, Governance, and Control: prioritized and embedded within the entire organization
• Standards & Processes: ISO 9001/14001/27001/28000, TL 9000, OHSAS 18001, etc.; member of 360+ standards organizations, holding 300+ chairs
• Audit: yearly internal audits; third-party and customer audits
• Laws & Regulations: compliance with the applicable laws, regulations, and standards of the relevant countries and regions; 700+ legal experts, 170+ local lawyers
• Traceability: 200M+ barcodes collected yearly; software traced in 1 hour, hardware traced in 1 day
• HR: 180,000+ educated and trained employees; Business Codes signed annually; 2,300+ employees dedicated to security
• Issue, Defect, & Vulnerability Resolution: Product Security Incident Response Team
• R&D: 5% of total R&D invested in security; 1.6% of R&D engineers; dedicated security teams in 7 global R&D centers
• Delivering Services Securely: GTAC, RTAC, and CTAC cover 170+ countries, 1,500+ networks, 1/3 of the global population
• Verification: 7,000+ security testing models, 2,000+ testing regulations, 23,000+ testing tasks per day
• Manufacturing & Logistics: ISO 28000, TAPA, C-TPAT, AEO certified; zero security risk introduced inadvertently or intentionally
• Third-Party Suppliers: 100% of suppliers signed a security agreement
R&D security development model: Integrated Product Development process (IPD)

Developed by IBM, IPD has been implemented and optimized in Huawei for the past 11 years. OpenSAMM and BSIMM have been integrated into the IPD process.

BSIMM Assessment 2018: Huawei's BSIMM assessment results rank at the top level among BSIMM-assessed companies.

BSIMM: Building Security In Maturity Model | OpenSAMM: Open Software Assurance Maturity Model
A virtuous circle of "many eyes and many hands" ensures we continuously improve our knowledge, technology, people, and processes

What we learn is updated in all Huawei processes, standards, and policies and is applied to all products and services: a virtuous circle.

IPD: Integrated Product Development Process (figure)
Phases: Concept -> Plan -> Development -> Qualify -> Launch -> Lifecycle
Technical review gates: TR1, TR2, TR3, TR4, TR4A, TR5, TR6, GA
Independent verification along the lifecycle: independent penetration test; independent Huawei Cyber Security Lab; UK CESC independent testing; customer independent testing; third-party Common Criteria testing.
Supply Chain Security: from material and production to customers

Supplier and materials security, a ten-point supplier cycle (figure): 1 Security agreement; 2 Security management system; 3 Product security; 4 Security testing; 5 Open source software ...; 6 Delivery security; 7 Product service security; 8 Emergency response; 9 Traceability; 10 Personnel assurance.
• Supplier cybersecurity agreement
• Supplier audit
• Review and inspection of goods
• Quality and performance test
• SW integrity check
• Materials pre-production authenticity & integrity inspection

Security of the factory (EMS); production flow: IQC (cut into slices, X-ray) -> PCBA -> ICT (manual ICT, auto ICT) -> FT (functional test).
• Manufacturing process security & control tests
• Separated & controlled production network
• SW integrity verification & QC inspection
• Product 100% anti-virus inspection
• Regular equipment verification
• Control of personal accounts & system authority

Trusted LSP (logistics service provider):
• Factory to partner warehouse tracking
• Electronic customs declaration, transportation route design, and monitoring of the logistics process through an IT system
• Checking and monitoring the integrity of shipments
• Seal management and correct sealing

Huawei possesses no greater or lesser risk than other ICT vendors:
• Nokia products are produced at factories partially owned by the Chinese Government (Nokia Shanghai Bell).
• Ericsson products are produced at factories partially owned by the Chinese Government (Ericsson Panda Communications).
Protect Customer Data and Privacy in Support and Service Delivery

Qualified engineers provide services based on processes to ensure customer data security (figure):
• Huawei official website -> engineer's computer: virus scanning and integrity check of the downloaded software and tools
• Huawei service engineer -> customer network: obtain the customer's authorization; operations can be backtracked and audited
• Faulty parts returned from the customer network to Huawei: stored data is cleared (shown both at the customer and at Huawei)

Strict remote access management to avoid cyber security risks:
• Authorized by the customer.
• Accounts are provided and managed by the customer.
• Access must be performed on the Huawei Citrix remote access platform.
• Violators will be punished.

Huawei does not operate customer equipment. All data generated belongs to the customer; only the rightful owner has access to it.
Through a vulnerability management and responsible disclosure process, Huawei coordinates suppliers, CERT organizations, and security researchers to jointly handle product vulnerabilities

Process (figure):
1. Vulnerability collection: vulnerability information from customers, internal sources, suppliers, and the security community is collected by Huawei PSIRT into the vulnerability library.
2. Severity evaluation: PSIRT classifies, analyzes, decides on, and matches vulnerabilities with products and solutions.
3. Analysis, verification, and remediation: the PDT and LMT develop and verify a patch and/or workarounds.
4. Disclosure: Huawei PSIRT releases a security advisory and/or security notice to customers, CERTs, and other stakeholders.

Vulnerability information is handled under security level labeling, authorization, retention, and clearance rules.

LMT: Lifecycle Management Team | PDT: Product Development Team | PSIRT: Product Security Incident Response Team

• For responsible disclosure, visit the PSIRT website: http://www.huawei.com/en/security/psirt/
• Learn from the industry's vulnerability management best practices: CVSS, CPE, CVRF, etc.
• PSIRT responds to vulnerabilities found in self-developed, open source, and third-party components and speeds up the response to vulnerabilities already in the wild.
Product independent testing and certification, standards compliance audit and certification, and active standards participation

Industry security and privacy compliance and third-party certifications:
• Common Criteria certification
• FIPS 140-2 (cryptographic modules)
• PCI (Payment Card Industry)
• CSA (Cloud Security Alliance)
• ePrivacy (GDPR based)

Audit and certification by mainstream standards & compliance organizations:
• ISO 27001 (Information Security Management)
• ISO 9001 (Quality Management System)
• ISO 28000 (Supply Chain Security Management)
• ISCCC (Qualification of Information Security Service Provider)

Active participant in cyber security standards groups and organizations:
• 17 chairmen or vice-chairmen
• 54,000 proposals submitted in 2017
A series of cyber security white papers under the heading Cyber Security Perspectives provides open and transparent information about Huawei's policies, challenges, and solutions

• 2012: "21st century technology and security - a difficult marriage". Shares with the industry and the general public how Huawei perceives cyber security.
• 2013: "Making cyber security a part of a company's DNA - a set of integrated processes, policies and standards". Introduces the ways in which Huawei resolves issues through its end-to-end cyber security assurance system.
• 2014: "100 requirements when considering end-to-end cyber security with your technology vendors". Provides customers with suggestions on how to manage and improve cyber security.
• 2016: 4th version of the cyber security white paper. Focuses on supply chain security.
Huawei's Cyber Security Transparency Centers

• Brussels, Belgium
• Banbury, UK
• Bonn, Germany
• Toronto, Canada
• Dongguan, China
• Dubai, UAE

Openness + Transparency + Collaboration
Cyber Security Transparency Center in Brussels, Belgium

Executive Briefing Center:
• Security solutions: cloud, 5G, IoT
• Security assurance practices
• Security engineering capabilities

Communication Center:
• Security conferences and events
• Security leaders' lectures
• Collaboration and innovation on cyber security standards

Evaluation Center:
• Security testing of Huawei products and solutions at source code level
• Certification collaboration
Independent Cyber Security Lab in Dongguan, China

Executes Huawei product security verification:
• Source code review
• Penetration test
• Compliance test: test cases, CC, FIPS, OWASP ...

Supports customers and third parties in verifying Huawei products:
• Provides facility and technical support: equipment, code ...
• Shares security evaluation reports with customers

137 employees. Organizational independence (figure): the ICSL sits under the Global Security & Privacy Officer, who reports to the CEO, in a separate line from Products & Solutions. Accredited to ISO/IEC 17025:2005. Customer test area: standalone space, network isolation, access control.
Security experts' comments

"I would be obliged to report if there was evidence of malevolence ... by Huawei. And we're yet to have to do that. So I hope that covers it."
Ciaran Martin, Head of Britain's National Cyber Security Centre (NCSC), Reuters, 20 February 2019

"The key point here, obscured by the growing hysteria over Chinese tech, is that the NCSC has never found evidence of malicious Chinese state cyber activity through Huawei. Assertions that any Chinese technology in any part of a 5G network represents an unacceptable risk are nonsense. The UK and other European countries should hold their nerve and base decisions on Chinese involvement in future telecoms on technical expertise and rational assessment of risk, rather than political fashion or trade wars. We should accept that China will be a global tech power in the future and start managing the risk now, rather than pretending the west can sit out China's technological rise."
Robert Hannigan, Director of the UK GCHQ from 2014-17, Financial Times, 12 February 2019

Germany's top cybersecurity official has said he hasn't seen any evidence for the espionage allegations against Huawei. Arne Schönbohm, president of the German Federal Office for Information Security (BSI), the nation's cyber-risk assessment agency in Bonn, told Der Spiegel that there is "currently no reliable evidence" of a risk from Huawei.
AFP, 14 December 2018
Cyber Security Requirements and Code of Conduct on Partners
Basic Cyber Security Requirements on Partners

1. Laws and regulations: Comply with all applicable laws and regulations, including those related to personal data and privacy protection, communication freedom protection, and cyber security protection.

2. Software tools: Obtain Huawei software and tools from legitimate channels (product package, Huawei official website http://e.huawei.com, and Huawei technical support engineers).

3. Anti-tampering and anti-implantation: Never embed or implant illegitimate, unauthorized, or malicious code or software, or any backdoors, viruses, or Trojan horses, in products/software during warehousing, transshipment, and service.

4. Emergency response:
• After learning about security vulnerabilities in Huawei products, do your best to minimize security risks, report to Huawei (PSIRT@huawei.com), and cooperate with Huawei to investigate and handle the vulnerabilities.
• Do not spread vulnerability information publicly or leak vulnerability information to any third party before Huawei releases a security advisory.
• Take responsibility for passing Huawei-released security advisories to downstream partners and end customers in a timely manner.
• Actively cooperate with Huawei to handle security events and take necessary remedial measures.

5. Material return: Erase customer data (including end user data) from products and parts before returning them to Huawei.

6. Customer authorization: Obtain customer authorization for Huawei to access customer networks and data to fulfill requested services. Ensure that:
(1) The obtained authorization is fully consented to by the customer.
(2) All instructions delivered to Huawei comply with all applicable laws. Partners shall be held accountable for failing to comply with applicable laws.
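Requirements 2 and 3 say where software must come from and that nothing may be implanted in it during warehousing or transshipment, but not how a partner can tell that the package it holds is still the one the vendor shipped. A digest manifest check is the practitioner's usual answer. The following is an added example, not from this guide and not a Huawei tool; the manifest format (sha256sum style, one "<hex digest>  <relative path>" line per file) and the MANIFEST.sha256 file name are assumptions. It reports tampered, missing, and unlisted files, the last being what an implanted binary looks like, and refuses manifest paths that escape the package directory. The sample package it builds is constructed in a temporary directory.

```python
"""Verify a software package against a vendor-published SHA-256 manifest.

Constructed example of a "SW integrity check" a partner can run before
installing software obtained from the vendor's official channel. The
manifest format (sha256sum style) and the MANIFEST.sha256 name are
assumptions, not a Huawei file format.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"   # assumed name of the vendor's digest list


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  path' lines; blank lines and '#' comments are ignored."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, rel = parts
        # A manifest is attacker-influenced input too: never let it point outside the package.
        if Path(rel).is_absolute() or ".." in Path(rel).parts:
            raise ValueError(f"manifest line {lineno} escapes the package root: {rel!r}")
        expected[rel] = digest.lower()
    return expected


def verify_package(root: Path, manifest_text: str) -> dict[str, list[str]]:
    """Return {'ok': [...], 'mismatch': [...], 'missing': [...], 'extra': [...]}.

    'extra' matters as much as 'mismatch': a file the manifest never listed is
    exactly what an implanted binary looks like, so it must be reported too.
    """
    expected = parse_manifest(manifest_text)
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "extra": []}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hmac.compare_digest(sha256_file(p), digest):
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected and rel != MANIFEST_NAME:
                result["extra"].append(rel)
    return result


def package_is_trusted(result: dict[str, list[str]]) -> bool:
    """Install only when every listed file matches and nothing unlisted is present."""
    return not (result["mismatch"] or result["missing"] or result["extra"])


def demo() -> dict[str, list[str]]:
    """Build a constructed package, then tamper with one file and implant another."""
    root = Path(tempfile.mkdtemp(prefix="pkg-"))
    files = {"bin/agent": b"good build\n", "lib/libcfg.so": b"original lib\n", "README": b"v1\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items())
    (root / MANIFEST_NAME).write_text(manifest)
    # Simulate tampering in transit and an implanted extra binary.
    (root / "lib/libcfg.so").write_bytes(b"patched lib\n")
    (root / "bin/helper").write_bytes(b"not in manifest\n")
    return verify_package(root, (root / MANIFEST_NAME).read_text())


if __name__ == "__main__":
    r = demo()
    print(r, "TRUSTED" if package_is_trusted(r) else "REJECT")
```

The digest list only proves the package matches the manifest; it proves nothing about who wrote the manifest. Take the manifest from the official channel itself, separately from the package and, where the vendor publishes one, check its signature, otherwise an attacker who can replace the package can replace the manifest with it.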
Cyber Security Code of Conduct for Engineers 1/2

Scenario: Accessing customer networks

1. Access to customer sites and facilities: Obtain customer authorization before accessing customer sites, equipment rooms, and office areas.

2. Onsite access: Obtain customers' written authorization before accessing customer networks. Do not use personal portable devices, endpoints, or storage devices to access customer networks, including production, testing, and office networks.

3. Remote access: Obtain customers' written authorization before remote access to customer networks, clarify the purpose, scope, and time range of the access, and ensure that the remote access environment is manageable, monitorable, and traceable (for example, only users with management permissions can install and manage applications, and all operations performed during access to customer networks are recorded).

4. Use of accounts:
(1) Use only customer-authorized accounts; do not use others' or unauthorized accounts to log in to customer devices.
(2) Do not share or disseminate accounts or passwords. Do not enter customers' business accounts or passwords when creating or processing trouble tickets in IT systems.
(3) Configure dedicated accounts and passwords for different users and abide by password strength rules.
(4) Confirm with customers and ensure that accounts are granted only the necessary permissions, following the principle of least privilege.

5. Software & tools: Obtain software, patches, licenses, and tools from legitimate channels (product package and Huawei official website http://e.huawei.com). Do not run software or tools obtained from non-official channels.

6. Virus scanning: Before connecting PCs, endpoints, or storage devices to customer networks, scan them for viruses and ensure that no malicious software or virus exists on them.
Cyber Security Code of Conduct for Engineers 2/2

Scenario: Performing operations on customer networks

7. Software and tools: Without customers' written authorization, do not download, install, or use any software or tool, and do not use data collection or performance analysis tools on customer networks.

8. Operation scope: Invite a customer companion when performing operations on customer networks and do not perform any unauthorized operations.

9. Customer data processing: Obtain customers' written authorization before collecting, transferring, storing, using, and processing customer network data (including personal data). Without customers' written authorization, do not access or process user voice messages, short messages, accurate location information, or keystroke records that may involve user privacy or personal data. Anonymize exported personal data.

10. Abuse of customer networks: Do not do non-work-related things on customer networks, for example, playing games, logging in to non-work-related websites, or accessing non-work-related resources.

11. Transfer of customer data: Without customers' written authorization, do not take devices or storage devices that contain customer network data (including personal data) away from customer sites and do not transfer customer data out of customer networks; delete or destroy any customer network data in your possession after customer authorization expires or tasks are finished.

Scenario: Leaving customer networks

12. Account handover: After the implementation project is finished or the maintenance is complete, hand over accounts and passwords (including the administrator account password) and remind customers to change passwords or delete accounts.

13. Remote access: At the end of remote service activities, tell customers to close the remote service environment on their devices, for example by tearing down remote service connections and stopping remote service software, and remind customers to change the account and password used in the remote services in a timely manner.
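Item 9 above requires exported personal data to be anonymized but does not say how, and a plain hash of a phone number is not anonymization: the whole number space is small enough to hash exhaustively and look up. The following is an added example, not from this guide and not a Huawei tool: keyed pseudonymization of subscriber identifiers in a constructed CDR-like CSV export. The column names, the sample rows, and the choice of which columns are identifiers or location are invented for the demonstration; the technique is HMAC-SHA256 with a secret key that stays with the customer, so the same subscriber still correlates across rows while the recipient of the export cannot reverse the tokens.

```python
"""Pseudonymize personal identifiers in exported network data before hand-over.

Constructed example for the "anonymize exported personal data" rule. The CSV
layout and column names are invented; the technique is keyed pseudonymization
with HMAC-SHA256 plus dropping columns that are too precise to keep.
"""
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import secrets

# Assumed column roles for the constructed export below.
IDENTIFIER_COLUMNS = ("msisdn", "imsi")   # identify a subscriber; must not leave in clear
DROP_COLUMNS = ("cell_lat", "cell_lon")   # precise location; re-identifies on its own


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token for an identifier.

    HMAC with a secret the customer keeps makes the mapping one-way for whoever
    receives the export (an unkeyed hash can be brute-forced over all MSISDNs),
    while the same input still maps to the same token across rows.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymize_csv(text: str, key: bytes) -> str:
    """Rewrite a CSV export: tokenize identifiers, drop location columns, keep the rest."""
    reader = csv.DictReader(io.StringIO(text))
    kept = [c for c in reader.fieldnames if c not in DROP_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        cleaned = {c: row[c] for c in kept}
        for c in IDENTIFIER_COLUMNS:
            if cleaned.get(c):
                cleaned[c] = pseudonym(cleaned[c], key)
        writer.writerow(cleaned)
    return out.getvalue()


# Constructed sample export (not real subscriber data).
SAMPLE_EXPORT = """\
ts,msisdn,imsi,cell_lat,cell_lon,bytes_up,bytes_down,cause
2019-02-20T10:00:01Z,+15551230001,310150123456789,45.4215,-75.6972,1200,80000,ok
2019-02-20T10:00:07Z,+15551230002,310150123456790,45.4210,-75.6960,300,2048,timeout
2019-02-20T10:00:09Z,+15551230001,310150123456789,45.4215,-75.6972,900,64000,ok
"""


def demo(key: bytes = b"") -> list[dict[str, str]]:
    """Return the pseudonymized rows as dicts (a fresh random key if none is supplied)."""
    key = key or secrets.token_bytes(32)
    return list(csv.DictReader(io.StringIO(pseudonymize_csv(SAMPLE_EXPORT, key))))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Generate the key per export and leave it with the customer; a fixed key reused across exports lets anyone who has seen two of them link subscribers between the two, and a key handed over with the data removes the protection entirely.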
Liabilities for Cyber Security Violations

For partners that violate the information confidentiality, cyber security, and user privacy requirements of the laws and regulations of local countries, causing severe crises, critical complaints, great losses, or major risks to Huawei:

1. All incentives of the current period are deducted, the channel partner's certification qualification is cancelled, and the cooperation with the channel partner is terminated.
2. In serious cases, violators shall be transferred to the judicial organs to bear legal responsibility.
Appendix

Chinese law does not require vendors to install "backdoors" in networks, equipment, or software

• This point was clarified by the Ministry of Foreign Affairs of the People's Republic of China.
• Independently verified by the Chinese law firm Zhong Lun.
• Reviewed and confirmed by Clifford Chance, one of the world's leading law firms (UK based). Published 5th March 2019: https://www.wired.com/story/law-expert-chinese-government-cant-force-huawei-make-backdoors/
• Their opinion confirms that the relevant provisions of the Counterespionage Law, the Anti-Terrorism Law, the Cyber Security Law, the National Intelligence Law, and the State Security Law:
  – do not refer to any empowerment of PRC government authorities to order telecommunication equipment manufacturers to plant backdoors, eavesdropping devices, or spyware in telecommunication equipment;
  – do not have extraterritorial effect.
Huawei Doesn't Allow Illegal Interception

The Ministry of Foreign Affairs has made it clear that China's laws and regulations do not authorize any agency to force enterprises to install "compulsory backdoors".
-- Lu Kang, Foreign Ministry spokesman of China

Huawei, as a 100% private enterprise, can survive only on the trust of its customers. Allowing illegal interception through Huawei's network is tantamount to suicide, so Huawei will never allow such a thing to happen.

"Huawei has not and will never plant backdoors. And we will never allow anyone else to do so in our equipment."
-- Guo Ping, Huawei Chairman, Mobile World Congress, 26 February 2019

"Over the years that we've worked with Huawei, we've not yet seen anything that gives us cause for concern."
-- Marc Allera, BT CEO Consumer Brands, CNN, 8 February 2019

Huawei is not required, has no reason, and will not allow illegal interception through Huawei's network.
Enhancing customer trust and confidence

Customers have cyber security concerns about Huawei. How do we enhance customer confidence and trust?
• Introduce the Huawei Cyber Security Strategy and Approach, covering the following topics:
– Cyber security vision and strategy, R&D security, supply chain security, vulnerability management
– No backdoors and security vulnerabilities
– No laws in China require vendors to plant backdoors
– Huawei data and privacy security
• Third-party expert opinions and positive media statements
• Invite customers to visit a manufacturing center with cyber security or the Independent Cyber Security Lab (ICSL) in Shenzhen

Customer doubts have been greatly mitigated. How do we build long-term mutual security trust with customers?
• Follow up with in-depth discussion about the cyber security capabilities of Huawei products and solutions
• Focus on what Huawei and the partner can do for the customer in building a trusted security solution architecture
• Provide the customer with evidence of product security capabilities, such as third-party security certifications
• For large projects and key customers, suggest source code evaluation
• Share relevant success stories and reference case studies

For any questions or requirements, please contact the local Huawei channel manager.
THANK YOU

Copyright©2017 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future
product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or
implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
