John Suffolk's Statement at the Huawei Press Conference on March 7, 2019
Good Morning Everyone. I’m John Suffolk, the Global Cyber Security & Privacy Officer (GSPO) for Huawei.
We applaud any Government or Company that sets itself the objectives of having high levels of cyber security protection and at the same time high levels of personal data protection.
In the 170 countries in which we operate, we have an unblemished track record over 30 years in supporting our customers in achieving these objectives.
The name on the box does not detail who made the components in the box
Let me start by saying it is wrong to assume that the label on a vendor’s box conveys that the contents are solely from that named vendor. The product may have Huawei’s name on it but typically only around 30% of the components are from Huawei.
In March 2012, a report published by the USA GAO examined risks in the supply chain. The report identified that a simple laptop might contain components from 18 separate companies. Other reports on supply chain components have confirmed the global nature of the insides of technology products and services.
This is true for other companies such as European Telecommunications Vendors where some of its equipment is made in China, through joint ventures with Chinese Government-owned entities, with components purchased from Chinese companies, and this so-called European technology is pervasive across the USA.
Many of the world’s well known social media companies use technology built in Asia and China. [1]
Indeed in 2016, Apple had 766 global suppliers, among which 346 were on the Chinese mainland. In summary, around half of iPhones are manufactured in China.
The global supply chain generates thousands of security vulnerabilities every year
- The number of vulnerabilities or faults published by some vendors totalled over 30,000 in 2017 & 2018. All but one of the top ten vendors by volume publishing vulnerabilities were US technology companies. All of these products are potentially a national security risk.
- 2017 saw major issues being generated through malware such as WannaCry, Petya and Locky and many more, as well as major hardware issues such as the Intel, AMD, and ARM design issues.
All of these issues impacted America; none of them were to do with Huawei.
All Governments and Companies can do more to protect themselves by just adopting basic cyber hygiene.
We are not short of knowing what to do to protect ourselves from all but the most determined of attackers. There are many international standards such as the ISO range as well as cloud computing assessments.
What we need though, is a concerted, collaborative international effort to define globally accepted security standards, certifications and best practice.
There is substantial evidence that shows the basics of cyber security hygiene are not executed – even within the US Federal Government and even in classified areas.
One report identified that a sample of 1,200 US Federal Government contractors fell well short of security expectations across US published standards including in Aerospace and defence.
The results of poor cyber hygiene can be seen in major data breaches such as Yahoo, Office for Personnel Management, Target Stores, eBay, Equifax and many more.
None of these attacks, breaches or weaknesses are down to Huawei.
Huawei’s approach to security by design development and deployment sets a high standards bar that few can match.
At Huawei we are proud that we are the most open, transparent and scrutinised company in the world. We are proud that Governments, customers and their professional teams verify everything we do. And as one Government put it “we are probably the toughest regime that Huawei deals with”.
We are proud that we provide access to our most coveted and precious intellectual property to enable them to fully satisfy themselves.
That is not to say that we are perfect, or that we produce perfect code all of the time or that we execute every process right first time – no company in the world can say that. We will continue to make multi-billion dollar investments in our R&D and where we find issues we will fix them, where we find we can improve we will improve.
Our mission of providing the safest, most brilliant, environmentally friendly products and services for our customers will never cease. Our focus on securing our products for our customers will never cease. Our focus on protecting personal data will never cease. We do not sell data; we protect it.
The solution to cyber security will come from openness, agreed international standards, certification schemes and transparency. It will not come through political posturing.
[1] “Exclusive: Google, Amazon, and Microsoft Swarm China for Network Gear”, Wired, https://www.wired.com/2012/03/google-microsoft-network-gear/ (March 30, 2012)