By Herman Kannenberg, Head of Legal Affairs and Cyber Security, Huawei South Africa – Huawei is committed to developing secure and trustworthy digital products and services and has continuously optimised its end-to-end assurance system, making sure that each domain is constantly refined to stay up to date with advancements in cybersecurity and privacy protection.
Recently, we implemented the following measures relating to process transformation, solutions, technological innovation, independent verification, supply chain, and personnel management:
Enhancing software engineering capabilities and cyber resilience to build secure, trustworthy, and quality products and solutions
Our management system and research and development (R&D) processes now feature enhanced capabilities that incorporate several milestones of the software engineering transformation programme. At the same time, trustworthy engineering capabilities are embedded into IT systems and tools, providing a more efficient product R&D environment that ensures reliable processes.
For software trustworthiness, we released the Software Process Trustworthiness Capability Framework and Assessment Criteria V1.0. This document describes how Huawei is developing 114 sub-capabilities across 44 capabilities under nine capability categories, and establishing a complete set of coding production mechanisms that are systematic, sustainable, responsive and trustworthy.
When it came to hardware dependability, we implemented design specifications and security by design on newly developed boards. We also obtained CC EAL4+ certification for key hardware components.
For product design, we carried out threat modeling analysis, implemented a secure and resilient architecture, and delivered common security products and components, such as single-domain security management and network element (NE) intrusion detection, to help improve the situational security awareness capabilities of products and solutions, achieving result trustworthiness in architecture.
Moreover, we continue to provide training and certification to consistently improve employees’ cybersecurity capabilities and awareness. In 2020, more than 20 000 employees were certified, and every employee has embraced our “trustworthy software” culture.
Technological innovation to help customers handle security risks
We continue to research and explore cutting-edge technologies, such as cryptography, AI trustworthiness, confidential computing, differential privacy, digital identity and trust mechanisms, based on the security technology stack at the system, network, application, and data layers and centering on business scenarios such as 5G, AI, cloud computing, smart devices, autonomous driving, and digital intelligent twins (a virtual model designed to accurately reflect a physical object). We strive to accelerate the application and implementation of these innovative technologies and improve the native security capabilities of products, enhancing resilience and helping customers manage existing and emerging risks.
Taking 5G base stations as an example, we provide functions such as rogue base station detection, subscription permanent identifier (SUPI) encryption, anti-DDoS over the air interface, and built-in firewalls. These functions enhance privacy protection for end-users, reduce the attack surface, and strengthen defense, thereby increasing cyber resilience.
At HUAWEI CONNECT 2020, we released AI security protection technologies based on the trusted execution environment (TEE), which improve the security of high-value data assets in AI solutions. By the end of 2020, Huawei had been granted 2 963 patents relating to cyber security and privacy protection around the world.
Cybersecurity risk management and capacity building of the supply chain
Huawei’s comprehensive supply chain security management system, certified to ISO 28000, allows us to identify and control security risks throughout the entire process, from quality control on incoming materials to delivery. It includes industry-leading material trustworthiness specifications and security sourcing testing standards, along with assessment standards for supplier trustworthiness maturity. To be accepted, our suppliers must pass a rigorous security sourcing test and obtain system certification.
In 2020 alone, we assessed, tracked, and managed the cyber security risks of more than 4 000 suppliers worldwide. For privacy protection, we signed data processing agreements (DPAs) with more than 5 000 suppliers and performed extensive due diligence to ensure compliance. Furthermore, we optimised the security baselines and verification processes for supply availability and manufacturing and implemented them in the production processes of new products.
Considering the global nature of our business, we pay close attention to the supply chain security requirements of each country where we operate. We have obtained 35 Authorised Economic Operator (AEO) certificates in 28 countries and regions across five continents. We continue to optimise our product delivery tracking system to quickly resolve any issues and mitigate any risks.