
PACD Basic Knowledge Course

Overview of Cyber Security and Privacy Protection

Public Affairs and Communications Dept


June 2021

1 Huawei Confidential
Contents

1. Why – Importance of cyber security and privacy protection


2. What – Essence of cyber security; PACD's role and objectives

3. How – PACD's plan for communications about cyber security


3.1 Global public action plan map
3.2 Country-specific insights
3.3 Key stakeholder management

4. How – PACD's practices for communications about cyber security


4.1 Confident communications
4.2 Trust building
4.3 Knowledge map

5. Overview of privacy protection

More emphasis on cyber security

Cyber security is no longer just a technical issue, but a legal and political one as
well. We must address the political risks and legal consequences caused by
cyber security issues, which could harm the company.

Cyber security issues may create customer concerns about Huawei products
and solutions, affecting sales. We need to ensure customer trust in Huawei's
security, address their concerns, and remove sales barriers.

Cyber security issues are becoming more complex in the new era, presenting
more complex challenges. There is an increasing need for public and private
partnerships. Huawei is engaging governments more broadly on the topic of
cyber security.

Cyber security and privacy protection trends in the new era

• Polarized: There are huge differences between developed and developing countries in terms of their cyber security concerns, goals, and technical capabilities.
• Closer ties between countries: EU, US, Russia, and China work more closely on cyber security through dialogs and cooperation, spanning cyber security law enforcement, security assurance, etc.
• Politicized: More and more governments are putting cyber security on their national strategic agenda and taking stronger controls through legislation and executive orders.
• New tech concerns: Regulators and law makers in US, EU, UK, France, and Australia are shifting focus to critical information infrastructure (CII) and new tech such as IoT, AI, and big data.
• Broad-based: With the development of 5G, IoT, and other new technologies and vertical industries, the notion of cyber security has been broadened to "broad security", covering national, social, and infrastructure security, as well as personal safety. Meanwhile, state sovereignty also extends into the realm of digital sovereignty.
• Data protection: More complex political environments and stricter data privacy regulation: More countries are introducing GDPR-like regulations to ensure adequate protection with cross-border data transfers. For the consideration of national sovereignty, more countries require that national security related data be localized.

US containment of Huawei's 5G: Painting Huawei as a security threat through
political and diplomatic actions

Figure: US strategies shown in the diagram: national security strategy, diplomacy strategy, energy strategy, defense strategy, cyber security strategy, military strategy, technology development strategy, strategy promotion, other strategies.

The US government's views on Huawei
Congress and the rest of the government share the same worldviews and hold a consistent attitude towards Huawei.
1. Huawei equals China.
2. The rise of China is a threat to national security of the US.
3. Both the Chinese government and its companies wish to dominate the world by 2049.
Note: Michael Pillsbury's book – The Hundred-Year Marathon: China's Secret Strategy to Replace America as the Global Superpower – reveals the worldviews of most members of the Congress.

The US's actions against Huawei
Ongoing attacks in all aspects
1. Strategy: Included Huawei on national security agenda
2. Politics: Pressed allies to exclude Huawei (the key goals of local embassies and military bases)
3. Legislation: Abused legal procedures
4. Economy: Excluded Huawei from its supply chain
5. Technology: Blocked the inflow of innovation elements
6. Reputation: Defamed Huawei in terms of business ethics and legitimacy

Geopolitics and 5G: Tougher external environment and mounting security
challenges
EU
• Mar 26, 2019: European Commission released its "Recommendation on Cybersecurity of 5G networks"
• Mar 12, 2019: European Parliament passed the European Cybersecurity Act, establishing an EU framework for cybersecurity certification

Denmark
• Mar 2019: TDC picked Ericsson over Huawei for its 5G network and will replace Huawei's 4G network with Ericsson's equipment

Norway
• Chairman of the Norwegian Communications Authority (Nkom) said whether or not to ban Huawei like its allies was a political issue

UK
• Closely monitors Huawei's improvements on the problems identified in the last OB report and requires Huawei to provide proof of progress
• Dec 2019: BT excluded Huawei from 5G core
• Mar 28, 2019: 2019 OB report released

Germany
• Nov 2019: Bonn Security Innovation Lab (in cooperation with BSI) opened
• BMI/BSI believes that it is not an appropriate protection mechanism to bar some vendors from the public network infrastructure
• Mar 2019: Angela Merkel postponed the Huawei ban (which would otherwise prohibit Chinese companies from providing equipment for Germany's 5G networks)
• Mar 7, 2019: BNetzA announced that it would update the catalog of security requirements for telecom operators

France
• ANSSI tightened up 5G test on Huawei and planned to conduct security certification for 5G systems to be commercially used in France

Czech
• Dec 2018: Czech cyber watchdog NCISA warned network operators against using products made by Chinese telecom equipment suppliers Huawei and ZTE
• Dec 21: Czech National Security Council issued a statement correcting the false warnings against Huawei

South Korea
• The Ministry of Information and Communication has had substantial interference in 5G projects. SKT and KT have excluded Huawei from the 5G vendor list.

Japan
• Dec 2019: Ministry of Internal Affairs and Communications essentially banned the government from purchasing telecom products from Chinese vendors
• Mar 29, 2019: Chief Cabinet Secretary: "We will not require that specific countries and enterprises be excluded from the next-gen 5G technology"

Vietnam
• Negative media coverage circulates, but the government has not made any statement

India
• Sep 27: Government invited Huawei to be a part of India's 5G trials
• Cellular Operators Association of India endorsed Huawei

Australia
• Aug 2019: Government banned Huawei from 5G
• Mar 2019: New ambassador to China appointed; AUD$44 million invested to establish the National Foundation for Australia-China Relations that replaces the long-standing Australia-China Relations Council

New Zealand
• Nov 2018: GCSB rejected Spark's proposal to use Huawei's 5G equipment
• Feb 2019: New Zealand said China's Huawei was not excluded from 5G, and GCSB began to communicate with Spark about the security risk control mechanism for 5G
• Apr 1, 2019: New Zealand's PM Jacinda Ardern stated her position in an interview with China Central Television during her visit to China. The visit also led to an upgrade in bilateral trade relations with China

Canada
• Nov 2019: The Globe and Mail reported that the federal government said it would not rule out barring Huawei from supplying equipment for Canada's next-gen 5G mobile networks
• Dec 2019: Trudeau Government again dismissed US security warnings against using Huawei equipment in Canada's next-gen wireless networks
• Mar 2020: US-Canada trade tensions intensified

US
• Jul 2018: US and its allies agreed to contain Huawei at a Five Eyes meeting
• Aug 2018: Trump signed the National Defense Authorization Act which prohibited US government agencies from purchasing Huawei equipment
• Oct 2018: Two US senators urged the Canadian Prime Minister to bar Huawei from Canada's 5G networks
• Feb 2019: US Vice President and Secretary of State called on its European allies to ban Huawei
• At 2019 MWC: The Federal Communications Commission (FCC) delegation called for exclusion of Huawei from 5G networks

Huawei's cyber security vs. baseline of industry-standard cyber security
In the industry, cyber security is understood as carrying and protecting data/privacy with robust
networks and defending against hacking. Huawei extends the cyber security baseline to cover evidence
proving that we are not a security threat.

Figure: Huawei's cyber security compared with industry-standard cyber security.
• Industry-standard cyber security (hackers exploiting vulnerabilities): business continuity and network robustness; confidentiality, integrity, availability, traceability, counterattack; data/user privacy.
• Prove that Huawei is not a security threat (Huawei suspected of exploiting "backdoors"): political aspect: dispel doubt; legal aspect: prove Huawei is not a security threat.
• Huawei's cyber security covers both.


Cyber security refers to the practices designed to protect products, solutions, and services against cyber attacks to ensure data availability, integrity,
confidentiality, and traceability. This includes protecting user communications, personal data, privacy, and flow of public information.
Achieving cyber security will:
1) Protect Huawei and its customers' reputation and prevent economic losses;
2) Exempt a doer or Huawei from undertaking civil, administrative or criminal liabilities;
3) Prevent cyber risks from being an excuse for trade protectionism or a trigger for international political crisis.

Cyber security milestones at Huawei

1999–2005: Product security & solution security
• Released 1st batch of security technical specifications. Started to focus on product security.
• Established the Network Security Solution Dept under R&D to design security solutions.

2006–2009: Security mgmt in R&D processes
• Established the Network Security Engineering Technology Committee to build security into R&D

2010–2017: E2E security assurance system
• Issued Mr. Ren's Statement on Establishing a Global Cyber Security Assurance System
• Established the Global Cyber Security and User Privacy Protection Committee (GSPC)
• Appointed the Global Cyber Security Officer (GCSO)
• Established the Internal Cyber Security Lab (ICSL)
• Released the CERT process
• Built the E2E security assurance system, incl. strategies, policies, processes, baseline, etc.

2018–: Providing trustworthy products and solutions to help customers build resilient networks
• Made cyber security Huawei's top priority
• Released Mr. Ren's open letter to all Huawei employees: Comprehensively Enhancing Software Engineering Capabilities and Practices to Build Trustworthy, Quality Products
• Opened the Huawei Cyber Security Transparency Centre in Brussels
• Initiated the software engineering transformation program

Cyber Security 2.0: Security as part of our business competitiveness to create
value for customers
Comply with laws and regulations. Lead standards development and increase trust. Translate
security into a core competitive advantage of Huawei products, solutions, and services.

Cyber Security 1.0 (reactive): Building basic quality and ensuring Huawei is secure
• Compliance
• End-to-end security and quality
• Product security design, development, and deployment
• Management- and control-based governance model

Cyber Security 2.0 (proactive): Proactively creating and sharing value
• Business value
• Solution competitiveness
• Solution resilience
• Capability-based governance model

Value to customers: We share the same goal as our customers, which is to build cyber security
and resilience, address cyber security risks, and ultimately contribute to a fully
connected, intelligent, and secure world.

Huawei's Cyber Security Framework 2.0: Helping customers build
network resilience by using trustworthy and independently verified
products and solutions

Figure: framework diagram. Labels, top to bottom: Help customers build network resilience; Governance, Risk, and Audits; Trustworthy products/solutions with network resilience (security management platform, security control platform, security analysis platform); 5G, Cloud, IoT, Video, Safe city, Device, service, …; Wireless, Switch, Transmission, Server, Storage, Smartphone, …; Basic quality, engineering, and technology; Culture, organization, and talent; Compliance. Side labels: Customer requirements and insights; Customer value and communication; Customers, governments, the media, supply chain partners, etc.; Customers, governments, technology, industry, supply chain, etc.; Ecosystem partners.

A holistic approach
• Top down
• Bottom up
• E2E

Resilience & trustworthiness
• NIST CSF IPDRR and BSI trustworthy software model
• Invest US$2 bn to improve software engineering capabilities

Collaboration
• Work with the best partners to deliver the most comprehensive security solutions and services
• Strengthen cooperation and trust with key external stakeholders

PACD's objectives, role, and responsibilities in cyber security

Objectives: Gain the trust in countries; partner with governments and industries to explore new ways to tackle security risks posed by new technologies; identify discriminatory provisions/hidden rules; remove sales barriers; and support business growth.

Role: PACD is the owner for managing relationships with the media and governments, including government-backed industry organizations. We need to win government and media's trust in Huawei's cyber security and privacy protection.

Responsibilities: Manage PR risks, earn government trust, build a positive image, and establish competitive advantages. Take responsibilities for the results of business environment improvement for rep offices.
Three aspects of PACD's role: (1) gaining insights into policy environments (similar to Marketing roles); (2) managing stakeholder relationships (similar to account manager roles); (3) managing solutions (similar to solution manager roles).

Responsibilities of the PACD GA CSPP team
• Planning: Generates insights into CSPP trends in key countries and regions; develops PACD's annual plans on the CSPP topic.
• Policy: Develops Huawei policies, position papers, presentations, and other documents on CSPP for government stakeholders; helps local teams develop solutions for trust around CSPP with their government stakeholders.
• Ecosystem: Engages with standards organizations, industry associations, think tanks, etc. Makes them an effective alliance to influence policy on CSPP and catalyzes consensus between Huawei, governments, and the broader industry.
• Public opinion: Develops messaging materials for the media on CSPP, including text, videos, and websites. Actively promotes Huawei's messages at international forums and in the media, proactively presenting a positive image of Huawei on the CSPP issue.
• Crisis communications: Develops messages for crisis communications for governments and the media, and coordinates with other departments on strategies to control the spreading and escalation of crises.

Country classification Country-specific insights Stakeholder mgmt

Global public relations action plan map

First priority: tier-1 countries that are more challenging but more crucial
• Country: UK, France, Germany, Japan/South Korea, Canada, US, EU, China
• PR goal: Addressing Western political and public opinion issues
• Owner: Led by PACD

Second priority: tier-2 countries that have regional influence and are major sources of revenue
• Country:
  West Europe: Italy, Spain
  Northeastern Europe: Turkey, Poland
  Eurasia: Russia
  Middle East: Saudi Arabia, UAE, Pakistan
  Northern Africa: Egypt
  Southern Africa: South Africa, Nigeria, Kenya, Zambia
  Southeast Asia: India, Thailand
  South Pacific: Indonesia, Philippines, Malaysia
  Latin America: Brazil, Mexico
• PR goal: Fostering the business environment and supporting sales
• Owner: Led by regions with support from subsidiary BODs and PACD (training, etc.)

Third priority: tier-3 countries that are also big sources of revenue
• Country: Profit-making countries in Asia Pacific, Latin America, Middle East, Africa, Latin America, Europe, and Eurasia
• PR goal: Internal and external compliance and sales support
• Owner: Led by subsidiary BODs. Supported by PACD, including providing training


PACD's key tasks regarding cyber security

Figure: flowchart spanning "Cyber security goals in the next 12–18 months" and "Cyber security goals in the next 3–5 years", with three phases (Assessment and preparation; Execution and monitoring; Maintenance and enhancement) and Y/N decision branches.

1. External environment insights
① Local govt's strategic requirements and concerns
② Local cyber security maturity level

2. Internal cyber security insights
① Does Huawei meet local strategic requirements?
② Is cyber security an advantage or disadvantage for Huawei in the country?

3. Develop a comms strategy (obtain AT/ST approval)
① Proactive/reactive response
② Local or global communication

4. Determine comms objectives
① Stakeholder map
② Stakeholders' attitude towards Huawei

5. Develop a comms plan and content
① The plan should include comms time, audiences, key steps, and expected outcomes.
② Comms content should include KMs.

6. Maintain customer relationships
① Clarify customer requirements by customer segment and meet their requirements wherever possible.
② Establish a customer relationship database and maintain good customer relations.
③ Fully communicate with customers to avoid misunderstanding.

Externally: Be competent to communicate on cyber security matters and build trust
Internally: Improve awareness and support employee competence

Insights into the external environment: Political sensitivity of the government of your country with cyber security

Item for assessment: Description

Government concerns over cyber security
1. Which departments are concerned with cyber security? What are they concerned about?
2. Does the government of your country conduct auditing, inquiry, or investigation on cyber security of companies?
3. Is the government of your country part of a cross-nation political coalition that might have impact on cyber security?
4. Has the government raised concerns over Huawei or has Huawei been involved in any crisis?
5. Does the opposition party use cyber security as a leverage and potentially impact Huawei?
6. Do candidates running for new government positions use cyber security as a leverage and potentially impact Huawei?

Customer concerns over cyber security
1. Do customers change their requirements on cyber security during bidding and communication? What are the concerns?
2. Do customers audit or plan to audit suppliers' cyber security?
3. How do local tier-1 carriers cooperate with the government on cyber security?

Media climate
1. Do leading local media outlets comment on cyber security? What do they focus on and what is the tone? Are there negative comments on Huawei in terms of cyber security? Please give examples.

Industry organizations, think tanks, KOLs
1. Do local industry organizations have standards, forums, or proposals concerning cyber security?
2. How much influence can industry organizations exert on customers, the government, and media? Please give examples.
3. Are there cyber security evaluation organizations urging the government and customers to create barriers against Huawei?
4. Are local think tanks and opinion leaders concerned about cyber security? What are their concerns? What is their attitude towards Huawei?

Competitors
1. What actions are competitors taking in terms of cyber security?
2. Is there any local (country/region) competitor facing operational difficulties and exerting influence on the government?

Political environment
1. Do local values conflict with Western values?
2. Is there trade protectionism?
3. Does the government of your country have political or military conflicts and disputes with China?
4. Is there any hot issue concerning cyber security locally?


Insights into the external environment: Cyber security maturity of the government of your country

01 Strategy: Has your country or organization established a cyber security strategy? Is it of strategic importance?
02 Organization: Does your country or organization have a dedicated team responsible for cyber security? Who do they report to?
03 Policy: Has your country or organization developed a policy on cyber security? What content is included in this policy?
04 Law: Has your country or organization passed a law on cyber security? Is it effectively enforced?
05 Methodologies & Measures: Has your country or organization identified risks and taken necessary methodologies or measures?
06 Technical strength: How much has your country or organization invested in technology and capacity building?
07 International cooperation: Has your country or organization maintained open dialogues, communications, and collaboration globally or with external organizations?


Insights into the external cyber security environment: Legislation, competitors, industry, and the media

• Insight into government
How sensitive is the government in your host country to cyber security? What about local cyber security
maturity? Are there any discriminatory provisions against Huawei?

• Insight into competitors
What are the goals regarding cyber security and privacy of the competitors in your country? What measures
have they taken? How do they influence public opinion?

• Insight into the industry
In which areas are Huawei's cyber security and privacy practices receiving the most attention or facing the
biggest challenges in your country?

• Insight into public opinion
What are the public perceptions of Huawei and its competitors in terms of cyber security and privacy in your
country? What are your next steps to improve public perceptions of Huawei?


Insights into the internal cyber security environment: Status quo of local business, requirements, and future development

Business: Status quo of the ICT industry in the country
• Purpose: Identify and analyze opportunities. Description: Penetration rate and user base: mobile, fixed-line, MBB, and FBB
• Purpose: Identify high-value customers. Description: Market share, revenue, and financial condition of major carriers
• Purpose: Identify product lines with high growth potential. Description: Development of major technologies: wireless and wired networks and transmission
• Purpose: Where do opportunities lie. Description: ICT market size and trends in 5–10 years (Carrier BG, Enterprise BG, and Consumer BG)

Business: Huawei's presence in the local market
• Purpose: The current market share and the target market share. Description: Carrier, Consumer, Enterprise BGs: size, market share, investment, competitors, and Huawei's position


Setting cyber security and privacy goals at the regional/national level based on internal and external insights and business goals and gaps

Goal: Effectively communicate to build advantages or remove barriers

Insight (supports the goal):
• External: Government attitude and preparedness
• Internal: Impacts of cyber security on business development

Methodologies (decision-making):
(1) Proactive or reactive communications?
(2) Local or global communications?

Implementation:
• Y: Develop and execute strategy
• N: Continue to monitor the policy environment

WHO: Identify stakeholders, create a stakeholder map, and identify key roles

Identify stakeholders → Manage stakeholder relationships → Develop and implement communication plans → Build mutual trust

Key stakeholders

Government and legislature
• Cabinet, parliament, congress, federal government, state governments, ministry of the interior, legislature
• Law enforcement agencies, ruling coalition leaders, powerful sectors

Customers
• Carriers (private/government-owned), named accounts/channels of enterprise business
• Consumers

Other third parties
• Industry associations, mainstream media, trade media, certification bodies, standards organizations
• Think tanks, academia, government advisors, partners

Best practice sharing: Cyber security stakeholder relationship management in Germany

Comments:
• Summary: Build robust customer relationships through systematic planning; work with the government to jointly explore how to collaborate to alleviate concerns; translate customer relationships into real productivity.
• Systematically review customer organization structure to identify key stakeholders in cyber security and privacy protection.
• Analyze relevant rules and identify the stakeholders based on project and compliance requirements. Then develop a feasible customer communication plan.
• Ensure that the plan is well executed; establish a regular communication mechanism; build trust on an ongoing basis to support business growth.

Confident communications Trust building Knowledge map

Goals and strategies for cyber security communications: Addressing customer concerns to build foundations for trust and execute a comprehensive strategy of defense and challenge

How does the US shape the policy environment around security

Stage 1: Thoughts and concepts
Sway public opinion
• Conflate different concepts and hype the security and privacy risks of 5G
• Create rules to exclude "untrusted" suppliers at the Prague 5G Security Conference
• Department of State's Clean Path statement

Phase 2: Consensus and norms
Bilateral/Multilateral agreements and joint statements
• MoUs/joint statements on 5G security
• Joint statement on Clean Network

Phase 3: Policies and regulations
Push for national legislation around security
• Spectrum auction conditions
• 5G supplier risk management
• Removal of Chinese suppliers from key networks

Figure: the three stages act through public opinion pressure, political pressure, and legislative restrictions on the security concerns and development requirements of the local government and on carrier decisions. PACD's tasks aim to alleviate public opinion pressure, political pressure, and policy pressure.

PACD's key tasks for 2021

1. Create a climate for rational discussion
• Build a security ecosystem, communicate with target audiences, and create a de-politicized and rational climate.

2. Establish a mutual trust mechanism
• Push for regional organizations and countries to sign mutual trust agreements to mitigate political pressure.

3. Advocate non-discriminatory standards
• Increase investment in countries where conditions are favorable; promote NESAS/SCAS as global cyber security standards; establish and maintain strong foundations for trust and support.


WHAT (1): Cyber security is not just a crucial corporate strategy; it is the
company's top priority

"Building and fully implementing a global, end-to-end cyber security assurance system will be one of Huawei's
crucial strategies…Huawei will work with governments, customers, and industry partners in an open and
transparent manner to tackle cyber security challenges...In addition, Huawei guarantees that its commitment to
cyber security will never be outweighed by commercial interests."
—Statement on Establishing a Global Cyber Security Assurance System
As a company, cyber security and privacy protection are our top priorities. We are committed to building
trust and high quality into every ICT infrastructure product and solution we develop.
—An open letter to all Huawei employees

Over the past 30 years, Huawei's products have been used in more than 170 countries and regions, serving more than 3 billion users in
total. We have maintained a solid track record in security. Huawei is an independent business organization. When it comes to cyber
security and privacy protection, we are committed to siding with our customers. We will never harm any nation or any individual.


WHAT (2): An E2E cyber security assurance system that covers everything we do at Huawei

Personnel, technologies, and processes

• Strategy, governance, and control: Security as a top priority; Accountability system; GSPC
• Standards and processes: Best practices; Security-by-design
• Laws & regulations: Legal & regulatory compliance; 800+ legal experts
• HR: BCG signing rate: 100%; Key position management
• R&D: Trustworthiness; US$750 million; US$2 bn for enhancing software engineering capabilities
• Verification: ABC: Assume nothing, Believe nobody, Check everything; "Many hands and many eyes"
• Auditing: Internal audits; Third-party audits; Customer audits
• Traceability: Software: 1 hour; Hardware: 4 hours
• Problem and vulnerability solving: Product Security Incident Response Team (PSIRT); Responsible disclosure
• Delivery service security: 3 approvals; Secure remote access platform; Cyber security work certificate
• Manufacturing and logistics: ISO 28000, C-TPAT, TAPA, etc.; Auto test equipment (ATE); Digital signature
• Third-party suppliers: Security agreements with 3,855 suppliers; Supplier qualification; Testing of incoming materials


WHAT (3): Cyber security is in every aspect of corporate governance

CEO: Ren Zhengfei

GSPC (Global Cyber Security and User Privacy Protection Committee), chaired by Ken Hu
• Approves the company's cyber security strategy, plan, policy, roadmap, and investments.
• Resolves conflicting strategic priorities and conducts audits.

GSPO (Global Cyber Security & Privacy Officer): John Suffolk
• Leads the team in developing a security strategy.
• Internal: Implements the cyber security assurance system.
• External: Supports GR/PR and relationships with global customers.

GSPO Office
• Coordinates efforts to develop detailed operational plans.
• Supports strategy development and execution.
• Conducts audits and oversees implementation.

Regional/BG/BU CSOs
• Develop regional/BG/BU cyber security strategies and plans and drive implementation.
• Work with the GSPO to identify changes to departmental/BG/BU processes so that the cyber security strategy and its requirements are fully embedded into their processes.

Figure: organization chart. Other units shown: Cyber Security Transparency Centers; Internal Cyber Security Lab; Cyber Security and Privacy Protection Lab (CSPL); PACD; Legal; MKT; CHR; BP&IT; Audit; P&S / 2012 Labs Cyber Security Office; Supply Chain Cyber Security Office; Procurement Cyber Security Office; Carrier BG Cyber Security Office; Enterprise BG Cyber Security Office; Consumer BG Cyber Security Office; Regions: Netherlands CSO, Germany CSO, Australia CSO, Canada CSO, France CSO, UK CSO, US CSO, ……

3,800+ full-time security personnel


WHAT (4): Cyber security strategies, plans, governance mechanisms, accountability system, and supporting technologies that are integrated, seamless, replicable, and auditable

[Diagram: Closed Loop Management (Establish Baseline, Execute Baseline, Audit Baseline) applied across business processes]

Objectives:
• Use the right security standards, requirements and best practice
• Design, build, and test with security in mind
• Sell it right. Legally compliant
• Install, serve, and support in a secure way
• Manufacture with secure, tamper-proof components

Baselines: R&D security baseline; Sales management baseline; Service security baseline; Supply chain and procurement security baseline

Processes:
• OR Process and IPD Process: Charter, Concept, Plan, Develop, Verify, Release, Lifecycle
• LTC Process: Manage Lead, Manage Opportunity, Manage Contract Fulfillment
• SD/ITR Process: Consulting & Assessment; Network Design, Roll-out and System Integration; Network & Planning; Customer Support & Assurance; Learning & Education; Managed Service
• Supply Chain and Procurement Processes: Order, Plan, Manufacture, Logistics, Delivery, Reverse logistics

Standards and certifications shown: Common Criteria, BSIMM, FIPS, PCI, NESAS/SCAS, ISO 27034, ISO 21434, ISO 17025, ISO 30111, ISO 29147, ISO 27001, ISO 22301, ISO 27017, ISO 27018, CSA STAR, C-TPAT, TAPA, ISO 28000, TL 9000

Audit labels shown: Security Verification; Compliance Testing; Acceptance; Monthly Assessment; BC; IA; SACA; Audit Committee

Audit: Assume nothing, believe no-one, check everything (ABC)

OR: Offering Requirement | IPD: Integrated Product Process | LTC: Lead to Cash | SD: Service Delivery | BC: Business Controller | IA: Internal Audit | CT: Compliance Test | SACA: Semi-annual Control Assessment


Fact-based communications on cyber security: Independent in 3 aspects & 10 KMs

1. Independent from the government: Huawei has never and will never attempt to harm any country. We have never used our equipment to acquire national data, business secrets, or IPs from any country. We will never support or tolerate such activities, and we will never engage in such activities at anyone's request.
2. We have designed, established, and implemented E2E cyber security processes, governance, policies, and standards.
3. We can show the results of measurement and audit of every part of Huawei.
4. We can proactively showcase our best practices in security design, development, and testing by our R&D and security competence centers.
5. We can demonstrate a high level of testing independent from R&D (Internal Cyber Security Lab, UK Cyber Security Evaluation Centre, and Canada Cyber Security Lab). None of our competitors has done this.
6. We are a global leader in terms of traceability in software and manufacturing.
7. We have established a PSIRT that communicates with our customers when a vulnerability is discovered. We have built a CERT-to-CERT channel with our customers.
8. We are the only vendor that has signed a security agreement with suppliers, increasing the security of the parts they provide to Huawei.
9. We have greatly enhanced our cyber security awareness, BCG requirements, and HR policies and processes.
10. Independent and dedicated cyber security audits: We ensure that our engineering delivery and services are secure, not tampered with, and fully audited.

Cyber security Message House (for communication with governments and the media)

Security, we do more.
Cyber security and user privacy protection are Huawei's top priorities. Huawei works with all stakeholders openly and transparently to address cyber security challenges.

Rational approach to risk mgmt
• Understanding the complexities of networks is essential.
• Huawei conducts objective, evidence-based analysis of threats and makes informed decisions based on risks.
• There is no linkage between suppliers' country of origin and where cyber attacks stem from.

Independent operations
• Serving customers is the only reason Huawei exists. Huawei is committed to working with customers to ensure stable and secure network operations in all circumstances – earthquakes, tsunamis, social conflicts, and cyber attacks.
• Huawei will never try to harm any country or any individual. We would rather shut Huawei down than submit to any such requests.
• Chinese law doesn't require companies to install backdoors or collect intelligence from other countries.
• Huawei is willing to sign a "No-Backdoor, No-Spying" agreement with countries.

High-quality, trustworthy products
• Huawei has a robust cyber security assurance system and a proven track record in cyber security.
• Huawei invests US$20 billion annually in R&D to build high-quality, secure, and trustworthy products. The operational quality and performance of Huawei products on live networks are top in the industry.
• Huawei has allocated a US$2 billion budget for a 5-year transformation program to enhance trustworthiness and software engineering capabilities and practices.
• Huawei always remains customer-centric. We work with them closely so that they can always make a return on their investment.

Collaboration on network-wide, end-to-end cyber security
• Governments and industry organizations should work together to develop unified security standards to ensure all network-based equipment and services reach the same level of security.
• Operators and vertical industries should determine their own required levels of security certification based on agreed security standards, the defining characteristics of their industry, and the implications these have on security. Operators and vertical industries should also require all equipment and services to meet requisite levels of security certification in order to ensure network-wide, end-to-end cyber security.
• Equipment vendors need to improve their capabilities in cyber security design so that their products can meet all relevant security standards and the security certification requirements of their customers.
• Both for industries and the general public alike, we need to build trust in the ability of third-party evaluators to independently certify network equipment and services based on agreed security standards. There needs to be trust in their ability to produce fair results.
• Huawei has built 7 network security centers around the world. Through these centers, Huawei will work with governments and operators to manage any potential network security risks.


Several models for building customer trust in cyber security: Increasing government trust through practical cooperation

Product security evaluation / Sharing product evaluation reports
• Jointly established the Huawei Cyber Security Evaluation Center (HCSEC) with the UK government and carriers.
• Costly and not replicable
• Agreed with governments and carriers in New Zealand and Denmark to use evaluation reports produced by HCSEC in these two countries. However, it's also not suitable for wide replication due to high cost and coordination difficulty.
• Used evaluation reports produced by Huawei's internal cyber security lab for Telefonica and India. This practice may incur some cost, but is replicable in a controllable manner.
• Third-party evaluation reports: CC certification

Guide policy & standards outcomes / CII security/enterprise security services
• Security strategy: Helped governments develop national cyber security strategies and white papers.
• Security policies and standards: Worked with customers and industry peers to develop cyber security policies, standards, and whitepapers for a specific domain.
• Germany: Joined the government-led Industry 4.0 work group; co-authored a white paper on cyber security in Industry 4.0.
• France: Contributed to the 2016 report on information threats and security practices (MIPS) led by CLUSIF, the largest cyber security association in France. Huawei's contributions were recognized by CLUSIF and the Ministry of the Interior.
• Spain: Huawei and INCIBE jointly released a whitepaper titled "Building a Trusted and Managed IoT World" at the MWC 2017.
• Focused on critical infrastructure security; worked with government regulators for specific industries and industry customers to discuss security solutions for finance, transportation, electricity, and other sectors and build security systems.

PPP / Exchanges on new ICT technologies
• Maintained dialogues and cooperation by proactively engaging with the governments of Malaysia, Indonesia, and Spain.
• Cost-effective and replicable
• Introduced Huawei's security capabilities, experiences, and practices in new tech such as cloud, 5G, and IoT.
• Communicated with government cyber security regulators (e.g. ANSSI of France, BSI of Germany, CIC of Australia, GCSB of New Zealand) multiple times on the security of new technologies such as 5G, SDN/NFV, cloud computing, IoT, and trusted computing.

Global Initiative on Data Security: Encouraging more countries to sign mutual-trust agreements with China to offset political pressure

[Diagram: seven steps arranged around "MTA signing"]

① Find the right topic: Discuss the Global Initiative on Data Security (GIDS) with local government stakeholder to understand whether they are willing to sign the MTA.
② Find allies: Collaborate and discuss cyber security topics with local government stakeholders and seek support from key stakeholders.
③ Find the right actors: Persuade the Chinese embassy into supporting and preparing for MTA signing, and report the matter to the Ministry of Foreign Affairs and the Cyberspace Administration of China.
④ Find the right teams: Work with PACD's Beijing Office which will discuss MTA signing with the Ministry of Foreign Affairs and the Cyberspace Administration of China.
⑤ Build consensus: Work with key stakeholders on the design and guidance of overall strategy and agreement content.
⑥ Identify risks: Monitor in real-time and promptly eliminate any risks that may impede MTA signing.
⑦ Find the right timing & occasions: Support MTA signing by leveraging appropriate platforms and opportunities through meetings of heads of state, high-level visits, bilateral or multilateral government summits/forums, etc.

Key Roles and Responsibilities
• Front-end operations (Country): Identify key stakeholders with power
• Intermediary (Embassy support): Obtain support from the ambassador
• Back-end support (Beijing Office & GA relationship; Frontline PR staff): Bridge HQ and local teams for joint operations

Best practice sharing: Signing agreements with Indonesia and the Arab League

On January 12, 2021, the Cyberspace Administration of China signed an MoU on cyber security cooperation with the Cyber and the Encryption Agency of Indonesia.
• Regulators on both sides are encouraged to share cyberspace governance information, including cyberspace-related laws, legislation, regulations, and governance policies.
• China and Indonesia share ideas, experiences, and best practices on critical information infrastructure protection, data security management, personal information protection, and cyber threat responses and cooperation.
• The two nations engage in dialogs, mutual visits, and capacity building on cyber security issues among stakeholders, including governments, institutions, academia, and businesses to promote mutual trust and cooperation in terms of data security.
Takeaway: Creating social value and strengthening relationships with local governments is the foundation of our work.

On March 29, 2021, the Ministry of Foreign Affairs of China signed the China-League of Arab States Cooperation Initiative on Data Security with the General Secretariat of the League of Arab States (LAS).
• States should handle data security in a comprehensive, objective and evidence-based manner, and maintain an open, secure and stable supply of global ICT products and services.
• States should stand against ICT activities that undermine other States' security and public interests, and oppose unauthorized collection of personal information of other States with ICTs as a tool.
• States should respect the sovereignty, jurisdiction and governance of data of other States, and shall not obtain data located in other States through companies or individuals without those other States' permission.
Takeaway: Member states are willing to sign agreements at the LAS level, but are hesitant to sign them individually.

https://www.fmprc.gov.cn/mfa_eng/wjdt_665385/2649_665393/t1865098.shtml


Promoting NESAS/SCAS as international standards to prevent politicization of cyber security

What
NESAS/SCAS – Cyber security standards for the mobile industry (Network Equipment Security Assurance Scheme/Security Assurance Specifications)
• Defines cyber security evaluation standards
• Jointly defined by GSMA and 3GPP
• Customized for the mobile communications industry
• Shared by carriers, equipment vendors, regulators, and industry partners
1. Audit (NESAS Methodology, Audit report): NESAS covers the security auditing of product development and lifecycle processes.
2. Testing (SCAS Specifications, Test report): SCAS provides test cases for network equipment security evaluation.

Why
International standards make cyber security just a matter of managing the physical properties of products, and not an excuse to exclude us.

Power shift to the state
• 1G, 2G, 3G, and 4G equipment selection: Carriers have the final say
• 5G: States have the final say
• Inadequate regulation/legislation in many countries and regions

US actions
• Embassy lobbying through visits and MoUs
• Pressure on IMF and other orgs through aid and cooperation arrangements
• Creating panic through FDPR and other restrictions

How
Country offices proactively promote NESAS/SCAS and nurture a fair and transparent business climate.

Insight
• Regulators
• State-owned key accounts
• Tier-1 and tier-2 carriers
• Local think tanks
• Legal consultancies
• National labs
• Design institutes

Promotion
• Presentations
• Topic planning for summits
• Remote visits to the transparency centers
• Inviting stakeholders to visit (Brussels)
• Proactive media communications

Influence
• Suggestions on legislative and technical standards proposals
• Communicating through local associations
• Steering customer requests for proposals
• CC-certified lab for NESAS certification
• Providing NESAS/SCAS training for local cyber security review agencies


Proactive messaging at international and regional events
(Example: An overview of global cyber security events in 2020)

US
• Feb: RSA Conference – US PACD
• Apr: US Critical Infrastructure Protection and Resilience – US PACD
• May: SC Chamber of Commerce Cyber Security Summit – US PACD
• Jun: National Cyber Summit – US PACD
• Jun: National Homeland Security Conference – US PACD
• Aug: Black Hat USA 2020 – US PACD
• Aug: DEF CON® Hacking Conference – US PACD

West Europe
• Jan: Switzerland – World Economic Forum – HQ PACD
• Feb: Germany – Munich Security Conference – HQ PACD
• Feb: Spain – MWC 2020 – Canceled
• Apr: Netherlands – CFCE – HQ PACD
• Apr: Switzerland – ITU WSIS Forum – HQ PACD
• Jun: Germany – Potsdam Conference on National Cybersecurity – Berlin Office

Northeast Europe
• Feb: Bulgaria – ITU Regional Cybersecurity Forum – CEE & Nordic European PACD
• May: Czech Republic – Prague 5G Security Conference – CEE & Nordic European Region + PACD + GSPO
• May: Czech Republic – GlobSec – CEE & Nordic European PACD
• Nov: Latvia – Annual Baltic Sea Region 5G Ecosystem Forum "5G Techritory" – CEE Nordic & European PACD
• Nov: Poland – CyberSec Forum – CEE & Nordic European PACD

Middle East
• Jan: Saudi Arabia – Global Cyber Security Forum – Middle East PACD
• Mar: UAE – ISNR Abu Dhabi – Middle East PACD
• Mar: Saudi Arabia – Intersec – Middle East PACD
• Apr: UAE – Gulf Information Security Expo & Conference (GISEC) – Middle East PACD
• Oct: UAE – Government 5G Conference – Middle East PACD
• Oct: Qatar – Milipol 2020 – Middle East PACD
• Nov: UAE – National Cyber Security Summit – Middle East PACD

Latin America
• Jul: Brazil – Cybersecurity Summit Brazil – Latin America PACD
• Oct: Mexico – Mexico National Cybersecurity Week – Latin America PACD

Japan & South Korea
• Apr: South Korea – NetSec-KR 2020 – and South Korea PACD
• Aug: South Korea – WISA 2020 – South Korea PACD
• Sep: Japan – International Conference on Emerging Network Technologies – Tokyo Office
• Nov: South Korea – ICISC 2020 – South Korea PACD
• Dec: South Korea – Asiacrypt 2020 – South Korea PACD

Asia Pacific
• Apr: Thailand – Cybersecurity Forum – Southeast Asia PACD
• Oct: Singapore – International Cyber Week (SICW) – South Pacific PACD
• Dec: India – Cybersecurity Summit – Southeast Asia PACD


Cyber security resources available for customer visits

Executive Support
• Company CEO/vice presidents
• Global Cyber Security & Privacy Officer (GSPO)
• Director of the Global Government Affairs Dept
• Director of the GSPO Office
• Cyber Security Officers (CSOs) in local offices

Resources for Customer Tours
• Global Cyber Security and Privacy Protection Transparency Center in Dongguan, China
• Cyber Security Transparency Centre in Brussels
• Shenzhen F1 T-Centre
• Galileo and Columbus exhibition halls in Section K, Shenzhen
• Darwin Exhibition Hall in Section F, Shenzhen
• Shenzhen J5 EBG exhibition hall
• Supply Chain Production Line of Dongguan Southern Factory

Topics for Discussion
• Huawei's cyber security vision, strategy, and approach
• Huawei's best practice in R&D security – Design and build secure products
• ICSL – Product security verification independent of R&D
• Third-party independent product security verification and assurance
• Protecting complex transnational supply chains
• Introduction to PSIRT and vulnerability management
• Additional tailored topics


Huawei cyber security and transparency centers


Open communication and cooperation with key stakeholders

Brussels, Belgium

Banbury, UK
Bonn, Germany
Toronto, Canada
Rome, Italy
Dongguan, China
Dubai, UAE

Global
Regional
Communication, Innovation, and Verification


PACD cyber security knowledge map (1/3)

Category: Key content for govt. communications
• Corporate Presentation_Cyber Security at Huawei (for overseas governments): http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=-100&fileId=72423&fileType=5&selectAttId=584822&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&source=file&keyWord=Corporate%20Presentation_Cyber%20Security%20at%20Huawei&uniStr=null
• Huawei cyber security message house (for communication with governments and the media): http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=28186&fileType=5&selectAttId=233915&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=message&clsca=5003
• Huawei Cyber Security – Strategy and Approach: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=-100&fileId=25945&fileType=5&selectAttId=198521&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&source=file&keyWord=Huawei%20Cyber%20Security%20%E2%80%93%20Strategy%20and%20Approach%20%E2%80%93%20PACD&uniStr=null
• Huawei's Position Paper on Cyber Security: https://www-file.huawei.com/-/media/Corp/facts/PDF/2019/Huaweis-Position-Paper-on-Cyber-Security.pdf?la=en

Category: Cyber security hearings
• KM House for the 2019 hearing in France: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=45490&fileType=5&selectAttId=360001&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=%E5%90%AC%E8%AF%81%E4%BC%9A&clsca=5003,5027
• Q&A for the 2019 hearing in France: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=37169&fileType=5&selectAttId=327426&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca
• KMs for the 2019 hearing in France: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=68329&fileType=5&selectAttId=569300&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=5003,5027
• Q&A for the hearing in South Korea: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=68330&fileType=5&selectAttId=569304&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=5003,5027
• KM list for the 2019 hearing in Brazil: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=68335&fileType=5&selectAttId=569329&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=5003,5027
• Q&A list for the 2019 hearing in Brazil: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=68336&fileType=5&selectAttId=569333&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=5003,5027

Category: EU 5G security
• Communication materials regarding EU 5G security risk assessment: https://onebox.huawei.com/v/14386f91fe629034c3d7dd6bb76a4d4f/list
• EU 5G Toolbox: https://onebox.huawei.com/v/d574139ca6165902d08e9ebec40c0d59


PACD cyber security knowledge map (2/3)

Category: Cyber security white papers
• 2012: 21st century technology and security – a difficult marriage: https://www.huawei.com/ucmf/groups/public/documents/attachments/hw_187368.pdf
• 2013: Making cyber security a part of a company's DNA – A set of integrated processes, policies and standards: https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/hw-cyber-security-wp-2013-en.pdf?la=en
• 2014: 100 requirements when considering end-to-end cyber security with your technology vendors: https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/hw-cyber-security-wp-2014-en.pdf?la=en
• 2016: It is time for real progress in addressing supply chain risks: https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/the-global-cyber-security-challenge-en.pdf?la=en
• Huawei 5G Cyber Security White Paper (the fourth one released on May 31, 2019): https://www-file.huawei.com/-/media/corporate/pdf/trust-center/huawei-5g-security-white-paper-4th.pdf
• AI Security White Paper_201810: https://www-file.huawei.com/-/media/corporate/pdf/trust-center/ai-security-whitepaper.pdf
• Huawei Cloud Security White Paper_201709: https://www-file.huawei.com/-/media/corporate/pdf/trust-center/cloud-security-white-paper-2017-en.pdf
• White Paper for HUAWEI CLOUD Data Security_20180927: https://res-static1.huaweicloud.com/content/dam/cloudbu-site/archive/china/en-us/securecenter/security_doc/Security_en_20181008.pdf

Category: New tech security communication guides
• Communication with Government on 5G Security (slide deck): http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=-100&fileId=21558&fileType=5&selectAttId=167968&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&source=file&keyWord=Communication%20with%20Government%20on%205G%20Security%20(slide%20deck)&uniStr=null
• Key Messages and Q&A Regarding Huawei's 5G Security: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=-100&fileId=21558&fileType=5&selectAttId=167971&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&source=file&keyWord=Key%20Messages%20and%20Q%26A%20Regarding%20Huawei's%205G%20Security&uniStr=null
• Communication with Government on Cloud Security (slide deck): http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23625&fileType=5&selectAttId=196158&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5055
• Key Messages and Q&A Regarding Huawei's Cloud Security: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23626&fileType=5&selectAttId=196166&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5055
• Communication with Government on IoT Security (slide deck): http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23622&fileType=5&selectAttId=196134&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5055
• Key Messages and Q&A Regarding Huawei's IoT Security: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23623&fileType=5&selectAttId=196142&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5055
• Communication with Government on AI Security (slide deck); Key Messages and Q&A Regarding Huawei's AI Security: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23624&fileType=5&selectAttId=196150&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5055
• Key Messages and Q&A Regarding Huawei Device Security: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=-100&fileId=23621&fileType=5&selectAttId=196126&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&source=file&keyWord=%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E6%94%BF%E5%BA%9C%E6%B2%9F%E9%80%9A%E4%B8%BB%E6%89%93%E8%83%B6%E7%89%87%E5%8F%8A%E6%B2%9F%E9%80%9A%E5%8F%A3%E5%BE%84&uniStr=null

PACD cyber security knowledge map (3/3)

Category: Analysis reports
• 20190328 Government Communications Policy and Message for the 2019 OB Report: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=28290&fileType=5&selectAttId=235041&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=OB&clsca=5003,5027
• 20190414 Analysis of the NATO CCDCE's paper: Huawei, 5G, and China as a Security Threat: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=44571&fileType=5&selectAttId=356142&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5056
• Analysis and recommendations in response to the article by DHS & CISA: Overview of Risks Introduced by 5G Adoption in the United States: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=44700&fileType=5&selectAttId=356688&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=OB&clsca=5003,5027

Category: Videos
• Cyber security at Huawei: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=52034&fileType=5&selectAttId=409899&isDoc=2&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=5003,5027,5061,6083
• #1 Secret lover's code 2.0: https://www.youtube.com/watch?v=leL6UPvPdCs&list=PLCuu5t_nsFKDVjiKZNNh8SXu0ePS18pAd&index=1
• #2 Public key, private message: https://www.youtube.com/watch?v=mLjui3ar-R8&list=PLCuu5t_nsFKDVjiKZNNh8SXu0ePS18pAd&index=2
• #3 Your key is your ID: https://www.youtube.com/watch?v=CpC2nNEeOEU&list=PLCuu5t_nsFKDVjiKZNNh8SXu0ePS18pAd&index=3
• #4 Will computers outsmart us?: https://www.youtube.com/watch?v=W0rFFMdWRsA&list=PLCuu5t_nsFKDVjiKZNNh8SXu0ePS18pAd&index=4
• #5 Upping the game with 5G: https://www.youtube.com/watch?v=KYo1uqGhhzY&list=PLCuu5t_nsFKDVjiKZNNh8SXu0ePS18pAd&index=5

Category: Visits
• PACD Cyber Security Package for Customer Visits: http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=102&fileId=23257&fileType=5&selectAttId=191461&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=false&isActDoc=false&source=file&keyWord=%E6%8E%A5%E5%BE%85%E5%A5%97%E9%A4%90&clsca=5003,5027

Category: CSPP course
• Cyber security and privacy protection approaches_Overview: http://ilearning.huawei.com/edx/next/#/courses/HuaweiX+CNE051501000079/about


PACD presentation on cyber security at Huawei (for overseas governments)

• Huawei strives to maintain stable, reliable, and secure network operations in any situation such as natural disasters, conflicts, or hacker attacks.
• Huawei sees security and trustworthiness as a strategic priority throughout product lifecycles and will never relax requirements for product trustworthiness for any reason, be it cost, schedule, or function.
• Huawei complies with GDPR and protects user privacy.
• Huawei is committed to jointly building E2E network-wide security and advocates independent and equitable cyber security certifications.

Corporate Presentation_Cyber Security at Huawei (for overseas governments) (201903)
http://w3.huawei.com/mypacd/#!pacd/document/view/showOnlineBrowser.html?jalorNode=documentManager&codeItem=103&fileId=38056&fileType=5&selectAttId=397351&isDoc=1&propertyId=111&attType=other&activeId=&selDisplay=true&isActDoc=false&source=file&keyWord=&clsca=2010


Huawei cyber security white papers – Learn about Huawei's cyber security practices from these white papers

• 2012: 21st century technology and security – a difficult marriage. Shares Huawei's perspectives on cyber security with the industry and the general public.
https://www.huawei.com/ucmf/groups/public/documents/attachments/hw_187368.pdf
• 2013: Making cyber security a part of a company's DNA – A set of integrated processes, policies and standards. Explains how Huawei resolves issues through its end-to-end cyber security assurance system.
https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/hw-cyber-security-wp-2013-en.pdf?la=en
• 2014: 100 requirements when considering end-to-end cyber security with your technology vendors. Provides customers with suggestions on how to manage and improve cyber security.
https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/hw-cyber-security-wp-2014-en.pdf?la=en
• 2016: It is time for real progress in addressing supply chain risks. Focuses on supply chain security.
https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/the-global-cyber-security-challenge-en.pdf?la=en


Huawei's Position Paper on Cyber Security

• Huawei encourages all stakeholders in the digital ecosystem to evaluate risks in a rational, objective, and evidence-based way. If we focus our attention on irrelevant factors like vendors' country of origin, it will only delay the resolution of security issues.

• Cyber security involves many elements and stakeholders. An all-industry, full-society approach to collaboration is essential to enhancing systematic cyber security governance for everyone.

• Governments and industry organizations should work together on unified cyber security standards. These standards should be technology-neutral and apply equally to all companies and networks.

• Once clear, unified cyber security standards are developed, we need independent, comprehensive verification processes that apply these standards. As a global community, we need to establish third-party cyber security verification mechanisms for all industries and companies so that trust and distrust are based on facts, not feelings. Facts must be verifiable and verifications must be based on unified standards.

Huawei's Position Paper on Cyber Security (201911)
https://www-file.huawei.com/-/media/Corp/facts/PDF/2019/Huaweis-Position-Paper-on-Cyber-Security.pdf?la=en


Huawei's position paper on EU 5G networks: Towards a trustworthy foundation to enhance the security of EU 5G networks

• 5G technology presents several cybersecurity challenges due to its innovative, software-driven nature and its use in a wide range of services. It is essential to drive towards a trustworthy foundation to enhance the security both of EU 5G networks and of technology built upon them in a reliable, secure, and resilient manner.
• On October 9, 2019, the EU Network and Information Security (NIS) Cooperation Group published its EU coordinated risk assessment of the cybersecurity of 5G networks, which highlights shared technical and non-technical concerns. No matter whether it is a technical risk or a non-technical risk, we must make judgments and decisions based on facts.
• This paper details existing and forthcoming measures and industry best practices to enhance the security of EU 5G networks. Cyber security is increasingly entangled with geopolitical issues, trade negotiations, and diplomatic dialogue between nations. Politically motivated suspicion does not address the challenges to enhance cyber security.
• Risk evaluation for European telecommunications networks should focus on the greatest risks, including system failure and human error. The potential risks inherent in any given product should be evaluated based on factors that have a material effect on security, such as security architecture, controls, and features. Mitigation measures must aim to reinforce cross-sector cooperation between telecommunications suppliers, network operators, and service providers, and also to raise transparency and openness of suppliers.
• Huawei continues to collaborate with governments, customers, and partners to drive towards a trustworthy foundation to enhance security of EU 5G networks.

Towards a trustworthy foundation to enhance the security of EU 5G networks (201912)
https://www.huawei.eu/publication/towards-trustworthy-foundation-enhance-security-eu-5g-networks


5. Overview of privacy protection

New technologies and innovative business models present more challenges to privacy protection

Big data, AI & machine learning algorithms
Major implications of big data analytics on data protection:
• Use of algorithms
• Using all data
• Opacity of processing
• Repurposing data
• Data controller or processor?

IoT
Privacy and data protection build the foundation of trust. Major challenges:
• Lack of control and information asymmetry
• Quality of the user's consent
• Inferences derived from data and repurposing of original processing
• Intrusive bringing out of behavioral patterns and profiling
• Limitations on the possibility to remain anonymous when using services
• Security risks: security vs. efficiency

5G
Customers will not adopt 5G-enabled services if adequate privacy protocols are not in place.
• Wide-ranging impact on modern life
• Robust and fit for purpose security architecture needs to be at the center of 5G development to ensure privacy and customer security.

Privacy legislations around the world are modeled after GDPR

Omnibus coverage
Countries that have single or multiple national privacy
or data protection laws that result in comprehensive
coverage. These laws do not exclude the possibility of
additional sector-specific privacy regulations.

Sectoral coverage
Countries that have sectoral privacy or data
protection laws, for example, in the public sector,
financial sector, and telecommunication sector.

None
Countries that do not have privacy or data protection laws
but may have some coverage in their constitution or other
laws.

Source: Nymity Research

Updated on August 23, 2018

The legal concepts and basic principles of personal data protection provided in GDPR are widely accepted worldwide. After the EU released GDPR in 2016, Argentina, New Zealand, Canada, Japan, Brazil, Turkey, and China all referred to GDPR when developing or amending their own personal data protection laws.

Countries/regions with dedicated privacy protection laws: 118
Countries/regions with laws which cover privacy protection requirements: 28

Basic concepts about privacy protection
Concepts

• The data subject (natural person) is the owner of his or her data.
• The data subject decides (except under special circumstances) who can obtain and access their personal data, and how their personal data will be used and processed.
• The data subject is entitled to multiple rights. The data controller (company or individual) must respect these rights, such as the right to request access or the deletion of their data (i.e. the right to be forgotten).
• The data controller cannot use personal data for purposes without valid legal basis (valid legal basis includes consent, contract fulfillment, etc.).
• The data controller is legally obligated to protect data.
• Cross-border transfers of personal data (or access data from a foreign country) may be restricted or have special prerequisites.

Implications for companies

• Each data controller (a company may have more than one data controller) must maintain a complete list of personal data that it stores and/or processes, including legal basis, retention period, transfer, etc.
• Best practices (not explicitly defined in GDPR) must be adopted to protect all personal data.
• All data controllers must demonstrate the company's highest level of effective personal data governance, policies, processes, capabilities, awareness, and oversight.
• The data controller must fulfill its legal obligations.
• The response to data subjects' requests must strictly comply with the SLA.
• Violations or non-compliance in some areas may result in serious consequences.

Data controller

The data controller is the natural person, legal entity, public authority, government agency or any other organization, which individually or collectively, determines the purpose and means of processing personal data. For example, Huawei is the controller of users' registration information on Vmall.

Data processor

The data processor is the natural person, legal entity, public authority, government agency, or other organization that processes personal data, as instructed by a data controller. For example, Huawei is the data processor when it provides maintenance services as instructed by a telecom operator.

Huawei's privacy protection framework: Setting differentiated privacy protection objectives to meet various privacy expectations

Privacy Protection in a Digital World

Principles: Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Storage period limitation; Integrity and confidentiality; Accuracy; Accountability

Data Controller (users: CBG + other), mainly consumer business
Observe laws to proactively safeguard consumers' privacy, enhance consumer trust, and facilitate business success.
• Notification to data subjects
• Data subject's choice and consent

Data Processor (CNBG + EBG + other), mainly carrier & enterprise business
Ensure data security and comply with customers' instructions. Avoid becoming the Data Controller.
• Notification to data subjects
• Data subject's choice and consent

Data Controller (employees), employee
Make personal data processing transparent to enhance Huawei employees' trust; process employees' personal data according to legitimate business purposes and necessity.
• Notification to data subjects
• Data subject's choice and consent

Diagram legend: High risk area identified by PIA

Supporting areas: Management; Security; Quality; Monitoring and Enforcement

Elements shown under the supporting areas:
• Policies and processes
• Organizations and resources
• Standards, laws, and regulations
• Risk assessment (PIA etc.)
• Employee awareness and capability
• Access control
• Business continuity
• Record and verification
• Assessment and rectification
• Complaint handling
• Law enforcement investigations and litigation
• Data breach incident response
• Audit and accountability

Huawei privacy protection Message House
Respecting and protecting privacy to let people embrace a fully connected, intelligent world

Huawei is a responsible and trustworthy global provider of ICT infrastructure and smart devices.

• Protecting privacy is part of our social responsibility. We are committed to protecting customer data. We never sell customer data.
• Data is the most important resource in the digital world and privacy protection is the foundation of the development of digital technologies. Working with regulators, partners, and customers, we understand what privacy protection is about and embed it into everything we do.
• Privacy legislation is an effective way to address public concerns about privacy breaches and helps companies better protect personal data. As a leading global ICT infrastructure solutions and smart devices provider, Huawei fully complies with all applicable laws and regulations.
• Huawei remains open, and our approaches and practices for end-to-end privacy protection are transparent to regulators, customers, and consumers.

We adopt a Privacy by Design/Default approach to ensure privacy protection requirements are embedded into all our business processes and activities.

• We adopt the Privacy Impact Assessment (PIA) methodology to evaluate and mitigate privacy risks in our products and services.
• We have maintained a comprehensive personal data inventory to record all personal data processing activities, legal bases, security and control measures, and cross-border data transfers. This helps us achieve legal compliance in a transparent and effective way and provide better customer services.
• At Huawei, we have established privacy protection organizations with clearly-defined roles and responsibilities. These organizations are managed by our long-standing Global Cyber Security & User Privacy Protection Committee which is chaired by Huawei's Rotating Chairman. All business departments have dedicated personnel or organizations for privacy protection. In addition, we have appointed an EU Data Protection Officer (DPO) who leads a team that independently oversees Huawei's privacy activities to ensure they are GDPR compliant.
• We continue to train and test all our employees on privacy protection. In addition, privacy protection requirements are included in the company's Employees Business Conduct Guidelines (BCGs) to ensure all employees correctly understand and abide by privacy protection rules and requirements.
• Huawei adopts a comprehensive approach to supplier privacy protection management, which ensures that data processing agreements (DPAs) are signed, privacy protection responsibilities are clearly defined, and privacy protection requirements are strictly enforced. Based on a risk-informed model, we conduct audits on suppliers to ensure their compliance.
• By referring to best practices, we protect personal data and have strict control over cross-border personal data transfers. In cases where cross-border data transfers happen, we ensure that data receiving countries can provide the adequate protection level required by GDPR. In addition, we make sure that necessary processes and resources for privacy protection are in place so that we can meet any reasonable request from regulators or data subjects.

We collaborate openly with stakeholders to protect personal data and privacy in the digital world and enable the digital transformation process.

• Carrier & enterprise customers: Privacy protection is an integral part of Huawei's solutions, helping customers successfully go digital.
• Consumers: Huawei aptly protects all private consumer data stored on Huawei's devices and cloud. Consumers are made aware of all activities that collect personal data, and can control the collection, processing, and sharing of their personal data.
• Cloud service customers: Huawei strictly complies with the boundaries of services and never monetizes customer data. Huawei never uses customers' personal data without explicit consent.
• Industry partners, governments, and regulators: Privacy protection requires joint efforts across the industry and is an ongoing process. Huawei is committed to working with industry stakeholders and partners to understand and address privacy challenges in the digital world. We aim to do our part to deliver a better connected world.

Privacy protection course on iLearning

Privacy Protection Awareness and Basic Capabilities – For General

• Course objectives:
  - Have a thorough understanding of the key clauses in GDPR
  - Be familiar with Huawei's privacy protection framework, organizations, and documentation
  - Design corresponding privacy requirements for the seven links of the data processing lifecycle during business operations; undertake privacy protection responsibilities in daily work
  - Drive the implementation of the company's privacy policies, methodologies, and measures for better privacy protection
• http://ilearning.huawei.com/edx/next/courses/HuaweiX+ENE051101000021/about

GDPR Introduction

• Course objectives:
  - Understand the basic roles and data processing principles under GDPR and the major changes in the legislation
• http://ilearning.huawei.com/next/learnCourse.html?courseId=23997#/video/110195

Thank you.

Bring digital to every person, home and organization for a fully connected, intelligent world.

Copyright©2018 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
