Huawei's Rotating Chairman Guo Ping Responds to the 2019 HCSEC Oversight Board Report
[Shenzhen, China, April 1, 2019] Huawei's rotating chairman Guo Ping has responded to the findings of the 2019 HCSEC Oversight Board Report, which confirms that so-called “backdoors” in Huawei technology do not exist. He reiterated confidence in Huawei’s openness and 30-year cyber security track record, and outlined the timeframe for Huawei to complete its transformation program.
1. The 2019 HCSEC Oversight Board Report attests to two important things. First, Huawei's equipment has no backdoors. Second, Huawei's front doors are always open.
As the CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin noted, "Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei." We keep our front doors open and allow authorities and specialized institutions to review our source code. This ensures that our security assurance is verifiable. No company has done this anywhere else in the world. Huawei is the only technology provider in the industry that is willing to subject its source code to review against such high standards. Even with such rigorous oversight, the OB report has noted that it does not suggest that the UK networks are more vulnerable than last year.
The Huawei Cyber Security Evaluation Centre (HCSEC) only evaluates Huawei products. It does not evaluate the products of other vendors. Huawei understands the UK government's commitment to protecting their networks and providing oversight of Huawei – a company based in China. The EU has stated they will not discriminate against any country or any company from a specific country. We welcome this approach. We also hope that other vendors in the industry will also have their products tested to ensure that both their processes and results are trustworthy. We believe this will help increase the security of the industry as a whole.
2. As an ICT industry leader with the largest investment in cyber security, Huawei has stronger cyber security capabilities than any of our peers. Over the past 30 years, Huawei has maintained the strongest track record in cyber security in the industry. Assessments by expert institutions show that Huawei has the highest technological competence in the industry.
Cigital is a US company that professionally evaluates the maturity of software security engineering. Every year since 2013 Cigital has assessed how well Huawei manages the security of its products. They test security practices against 12 different indicators. Huawei has performed above industry average in all 12 of the security practices they assess, and has reached the highest level attainable in nine of them.
Top third-party organizations in the industry have evaluated Huawei base stations (along with our source code) across 14 different indicators. The results have shown that Huawei outperforms the communications products and open source software of its industry counterparts.
On December 6, 2018, issues with another vendor's equipment caused nearly simultaneous network failures for O2 in the UK and SoftBank in Japan. Data services went down and a portion of users couldn't make phone calls or send text messages. SoftBank's network went down for five hours, and O2 took almost an entire day to resume services. In addition to the UK and Japan, the networks of Telksomsel in Indonesia and MobiFone in Vietnam also experienced similar issues. According to the equipment vendor, 11 countries were affected by this shutdown.
In the past two years, a series of major malware attacks, vulnerabilities, and cyber security incidents have had an adverse effect on the US, but not a single one of these incidents has anything to do with Huawei. The discussion around security needs to return to technical challenges and risk management as soon as possible. This is the only way we can truly ensure cyber security.
3. Huawei has initiated a transformation program aimed at enhancing our software engineering capabilities. This program will set a new benchmark for the industry. We are confident in our ability to bring this program to a successful conclusion.
We're not going through this transformation just to address the requirements of any one market. We've decided to take this initiative out of our own sense of responsibility, in response to an increasingly complex macro environment. Through this transformation, we are putting cyber security and privacy protection at the top of our agenda – above even our own commercial interests.
This transformation is not just about building trustworthy results, but also trustworthy processes. It will be an extremely difficult process. So we completely understand why NCSC believes it to be too difficult, why they aren't confident in our commitment. But Huawei is confident. We are confident that, through three to five years of hard work, we can bring this transformation to a successful conclusion and set a new benchmark for security in the industry.