08-Huawei Cyber Security Guide For Partners
Technology and service innovation increases the attack surface and brings more security risks and challenges

With the increasing ICT openness, IP-based network evolution, terminal intelligentization, cloud computing, big data application, and multi-service convergence, technologies and services are more and more complicated, and attack methods become more diversified and complex.

Attacks and theft aiming at gaining economic interests keep increasing, hacker attacks become industrialized, and cyber security incidents occur frequently, incurring great economic and reputation loss for enterprises and organizations.

According to industry research, 55% of security threats come from enterprise employees, and 37% of security threats come from unauthorized access. Therefore, employee education and preventive measures are very important.
Customer Requirement: Customers Pose Cyber Security Requirements to Equipment Vendors Based on the Needs for Compliance, Information Security, and Brand Reputation

Cyber security risks like tampering, implantation, viruses, unauthorized access, and illegal data transfer exist throughout the entire supply and service processes; they are not limited to equipment vendors but involve all parties in the supply process.

[Figure: cyber security risks across the work division of various business organizations (R&D/production, cargo transportation, delivery service, cargo transportation, network operation), with customer network security requirements, personnel security, and check/audit]
Strategy | R&D | Verification | Supply Chain & Procurement | Delivery | CERT/PSIRT | Openness

Strategy: cyber security and privacy protection
"In light of the foregoing, Huawei hereby undertakes that as a crucial company strategy, based on compliance with the applicable
laws, regulations, standards of relevant countries and regions, and by reference to the industry best practice, it has established and
will constantly optimize an end-to-end cyber security assurance system… tackling the challenges of cyber security through
partnerships with governments, customers, and partners in an open and transparent manner. In addition, Huawei guarantees that
its commitment to cyber security will never be outweighed by the consideration of commercial interests."
"The Chinese government has already clearly said that it won't install any backdoors. And we won't install backdoors either. We're
not going to risk the disgust of our country and of our customers all over the world, because of something like this. Our company will
never undertake any spying activities. If we have any such actions, then I'll shut the company down."
Over the past 30 years, Huawei has served more than 3 billion people worldwide and supported stable network operation in over 170 countries and regions. We have maintained a good cyber security record worldwide, and our cyber security practices have been recognized by customers.
A board-level security committee. Further, all Huawei employees must “own” cyber security.

[Organization chart: GSPO John Suffolk; Independent Cyber Security Lab; >5% R&D investment in cyber security; PACD; Carrier Network BG Cyber Security Dept.; Enterprise BG Cyber Security Dept.; Consumer BG Cyber Security Dept.; Procurement Cyber Security Office; Supply Chain Cyber Security Office; CCSO of Canada, CCSO of France, CCSO of Japan, CCSO of USA, CCSO of UK; MKT, LA, JCR, CHR, BP&IT, Audit; Centre]
[Process chart: customer requirement, customer input and market input → MM → Charter → IPD → Realization; sourcing plan; consulting]
MM: Market Management | IPD: Integrated Product Development | ISC: Integrated Supply Chain | LTC: Lead To Cash
E2E Cyber Security Assurance System:
• Traceability: 200M+ barcodes collected yearly; software traced in 1 hour, hardware traced in 1 day
• Laws & Regulations: compliance with the applicable laws, regulations, and standards of relevant countries and regions; 700+ legal experts, 170+ local lawyers
• H&R: 180,000+ educated and trained employees; Business Codes signed annually; 2,300+ employees dedicated to security
• Issue, Defect, & Vulnerability Resolution: Product Security Incident Response Team; GTAC, RTAC, and CTAC
• R&D: 5% of total R&D invested in security; 1.6% of R&D engineers, dedicated security teams in 7 global R&D centers
• Delivering Services Securely: cover 170+ countries, 1,500+ networks, 1/3 of the global population
• Manufacturing & Logistics: ISO28000, TAPA, C-TPAT, AEO certified; zero security risk introduced inadvertently or intentionally
• Verification: 7,000+ security testing models, 2,000+ testing regulations, 23,000+ testing tasks per day
• Third-Party Suppliers
Developed by IBM, IPD has been implemented and optimized in Huawei for the past 11 years.
OpenSAMM and BSIMM have been integrated into the IPD process.
BSIMM: Build Security in Maturity Model | OpenSAMM: Open Software Assurance Maturity Model
A virtuous circle of “many eyes and many hands” ensures we continuously improve our knowledge, technology, people, and processes.

What we learn is updated to all Huawei processes, standards and policies and is applied to all products and services – a virtuous circle.

[Figure: verification sources: independent third-party testing, penetration test, an independent Huawei cyber security test lab, customer independent testing, UK CESC, and Common Criteria]
[Figure: product lifecycle security stages, including 4 Security testing, 5 Open source software…, 6 Delivery security, 7 Product service security, 8 Emergency response; Auto ICT]
• Supplier cybersecurity agreement
• Supplier audit
• Review and inspection of goods
• Quality and performance test
• SW integrity check
• Materials pre-production authenticity & integrity inspection

• Manufacturing process security & control tests
• Separated & controlled production network
• SW integrity verification & QC inspection
• Product 100% anti-virus inspection
• Regular equipment verification
• Control of personal account & system authority

• Factory to partner warehouse tracking
• Electronic customs declaration, transportation route design and monitoring of logistics process through IT system
• Checking and monitoring integrity of shipments
• Seal management and correct sealing
Qualified engineers provide services based on processes to ensure customer data security
[Figure: service delivery flow involving customer staff, the customer network, and faulty parts]
Vulnerability handling process: Vulnerability collection → Analysis, verification, and remediation → Severity evaluation → Disclosure

[Figure: vulnerability sources (customer, internal, product, supplier, security community) provide vulnerability information to Huawei PSIRT and the vulnerability library; the PDT classifies, analyzes, decides on, and matches vulnerabilities with products and solutions and develops patches and/or workarounds; verification (Huawei PSIRT, LMT) and vulnerability release; a security advisory and/or other security notice goes to the customer CERT and other stakeholders]
• Industry security and privacy compliance and 3rd-party certifications
• Audit and certification by mainstream standards & compliance organizations
• Active participant in cyber security standard groups and organizations
A series of cyber security white papers under the heading Cyber Security Perspectives provide open and transparent information about Huawei's policies, challenges, and solutions.

• Making cyber security a part of the company's DNA: a set of integrated processes, policies and standards
• Introduces ways in which Huawei resolves issues through its end-to-end cyber security assurance system
• 4th version of the cyber security white paper: focuses on supply chain cyber security
[Figure: Communication Center locations: Toronto, Canada; Dongguan, China; Dubai, UAE]
[Figure: CEO; Independency]
“I would be obliged to report if there was evidence of malevolence ... by Huawei. And we’re yet to have to do that. So I hope that covers it.”
Ciaran Martin, Head of Britain’s National Cyber Security Centre (NCSC)
Reuters, 20 February 2019

“The key point here, obscured by the growing hysteria over Chinese tech, is that the NCSC has never found evidence of malicious Chinese state cyber activity through Huawei. Assertions that any Chinese technology in any part of a 5G network represents an unacceptable risk are nonsense. The UK and other European countries should hold their nerve and base decisions on Chinese involvement in future telecoms on technical expertise and rational assessment of risk, rather than political fashion or trade wars. We should accept that China will be a global tech power in the future and start managing the risk now, rather than pretending the west can sit out China’s technological rise.”
Robert Hannigan, Director of the UK GCHQ from 2014-17
Financial Times, 12 February 2019

Germany's top cybersecurity official has said he hasn't seen any evidence for the espionage allegations against Huawei. Arne Schönbohm, president of the German Federal Office for Information Security (BSI), the nation's cyber-risk assessment agency in Bonn, told Der Spiegel that there is "currently no reliable evidence" of a risk from Huawei.
AFP, 14 December 2018
Basic Cyber Security Requirements on Partners

1. Laws and regulations: Comply with all applicable laws and regulations, including those related to personal data and privacy protection, communication freedom protection, and cyber security protection.
2. Software tools: Obtain Huawei software and tools from legitimate channels (product package, Huawei official website http://e.huawei.com, and Huawei technical support engineers).
3. Anti-tampering and anti-implantation: Never embed or implant illegitimate, unauthorized, or malicious code or software, or any backdoors, viruses, or Trojan horses, in products/software during warehousing, transshipment, and service.
4. Emergency response:
   – After learning about security vulnerabilities in Huawei products, do your best to minimize security risks, report to Huawei (PSIRT@huawei.com), and cooperate with Huawei to investigate and handle the vulnerabilities.
   – Do not spread vulnerability information publicly or leak vulnerability information to any third party before Huawei releases a security advisory.
   – Assume the responsibility to pass Huawei-released security advisories to downstream partners and end customers in a timely manner.
   – Actively cooperate with Huawei to handle security events and take necessary remedial measures.
5. Material return: Erase customer data (including end user data) in products and parts before returning them to Huawei.
6. Customer authorization: Obtain customer authorization for Huawei to access customer networks and data to fulfill requested services. Ensure that:
   (1) The obtained authorization is fully consented to by the customer.
   (2) All instructions delivered to Huawei comply with all applicable laws. Partners shall be held accountable for failing to comply with applicable laws.
Cyber Security Code of Conduct for Engineers 1/2
1. Access to customer sites and facilities: Obtain customer authorization before accessing customer sites, equipment rooms, and office areas.
2. Onsite access: Obtain customers' written authorization before accessing customer networks. Do not use personal portable devices, endpoints, or storage devices to access customer networks, including production, testing, and office networks.
3. Remote access: Obtain customers' written authorization before remote access to customer networks, clarify the purpose, scope, and time range for the access, and ensure that the remote access environment is manageable, monitorable, and traceable. (For example, only users with management permissions can install and manage applications, and all operations performed during the access to customer networks are recorded.)
5. Software & tools: Obtain software, patches, licenses, and tools from legitimate channels (product package and Huawei official website http://e.huawei.com). Do not run software or tools obtained from non-official channels.
6. Virus scanning: Before connecting PCs, endpoints, or storage devices to customer networks, scan them for viruses and ensure that no malicious software or virus exists on them.
Cyber Security Code of Conduct for Engineers 2/2
Performing operations on customer networks
7. Software and tools: Without customers' written authorization, do not download, install, or use any software or tool, and do not use data collection or performance analysis tools on customer networks.
8. Operation scope: Invite a customer companion when performing operations on customer networks and do not perform any unauthorized operations.
9. Customer data processing: Obtain customers' written authorization before collecting, transferring, storing, using, and processing customer network data (including personal data). Without customers' written authorization, do not access or process user voice messages, short messages, accurate location information, or keystroke records that may involve user privacy or personal data. Anonymize exported personal data.
10. Abuse of customer networks: Do not do non-work-related things on customer networks, for example, playing games, logging in to non-work-related websites, or accessing non-work-related resources.
11. Transfer of customer data: Without customers' written authorization, do not take devices or storage devices that contain customer network data (including personal data) away from customer sites, do not transfer customer data out of customer networks, and delete or destroy possessed customer network data after customer authorization expires or tasks are finished.

Leaving customer networks
12. Account handover: After the implementation project is finished or the maintenance is complete, hand over accounts and passwords (including the administrator account password) and remind customers to change passwords or delete accounts.
13. Remote access: At the end of remote service activities, tell customers to close the remote service environment on their devices, such as tearing down remote service connections and stopping remote service software, and remind customers to change the account and password used in the remote services in a timely manner.
Liabilities for Cyber Security Violations
For partners that violate the information confidentiality, cyber security, and user privacy requirements of the laws and regulations of local countries, causing severe crises, critical complaints, great losses, or major risks to Huawei:
1. Deduct all the incentives of the current period, cancel the certification qualification of the channel partner, and terminate the cooperation with the channel partner.
2. In serious cases, violators shall be transferred to the judicial organs for legal responsibility.
Appendix
Chinese laws do not require vendors to install “backdoors” in networks, equipment or software

This point was clarified by the Ministry of Foreign Affairs of the People's Republic of China.

Reviewed and confirmed by Clifford Chance, one of the world’s leading law firms (UK based). Their opinion confirms that, for the relevant provisions of the Counterespionage Law, the Anti-Terrorism Law, the Cyber Security Law, the National Intelligence Law, and the State Security Law:
• The Article does not refer to any empowerment of PRC government authorities to order telecommunication equipment manufacturers to plant backdoors, eavesdropping devices or spyware in telecommunication equipment.
• The Article of the laws does not have extraterritorial effect.

Published 5th March 2019: https://www.wired.com/story/law-expert-chinese-government-cant-force-huawei-make-backdoors/
Huawei Doesn’t Allow Illegal Interception
“Huawei has not and will never plant backdoors. And we will never allow anyone else to do so in our equipment.”
-- Guo Ping, Huawei Chairman, Mobile World Congress, 26 February 2019

“Over the years that we've worked with Huawei, we've not yet seen anything that gives us cause for concern."
-- Marc Allera, BT CEO Consumer Brands, CNN, 8 February 2019
Huawei is not required, has no reason, and will not allow illegal interception through Huawei's network
Enhancing customer trust and confidence
Customers have cybersecurity concerns about Huawei; how can customer confidence and trust be enhanced?
• Introduce the Huawei Cyber Security Strategy and Approach, covering the following topics:
– Cybersecurity vision and strategy, R&D security, supply chain security, vulnerability management
– No backdoors and security vulnerabilities
– No law in China requires vendors to plant backdoors
– Huawei data and privacy security
For any questions or requirements, please contact the local Huawei channel manager.
THANK YOU