Cyber Security and Privacy Protection
Huawei is committed to developing secure and trustworthy digital products and services and has continuously optimized its end-to-end assurance system, making sure that each domain is constantly refined to stay up-to-date with advancements in cyber security and privacy protection. In 2020, we implemented the following measures relating to process transformation, solutions, technological innovation, independent verification, supply chain, and personnel management:
Enhancing software engineering capabilities and cyber resilience to build secure, trustworthy, and quality products and solutions
Our management system and R&D processes now feature enhanced capabilities that incorporate several milestones of the software engineering transformation program. At the same time, trustworthy engineering capabilities are embedded into IT systems and tools, providing a more efficient product R&D environment that ensures process trustworthiness.
For software trustworthiness, we released the Software Process Trustworthiness Capability Framework and Assessment Criteria V1.0. This document describes how Huawei is developing 114 sub-capabilities across 44 capabilities under nine capability categories and establishing a complete set of coding production mechanisms that are systematic, sustainable, responsive, and trustworthy.
For hardware trustworthiness, we implemented trustworthy design specifications and security by design on newly developed boards; we also obtained CC EAL4+ certification for key trustworthy hardware components.
For product design, we carried out threat modeling analysis, implemented a secure and resilient architecture, and delivered common security products and components, such as single-domain security management and network element (NE) intrusion detection, to help improve the security situational awareness capabilities of products and solutions, achieving result trustworthiness in architecture.
Moreover, we continue to provide training and certification to consistently improve employees' cyber security capabilities and awareness. In 2020, more than 20,000 employees were certified, and every employee has embraced our trustworthy software culture.
Technological innovation to help customers handle security risks
We continue to research and explore cutting-edge technologies, such as cryptography, AI trustworthiness, confidential computing, differential privacy, digital identity, and trust mechanisms, based on the security technology stack at the system, network, application, and data layers, and centering on business scenarios such as 5G, AI, cloud computing, smart devices, autonomous driving, and digital Intelligent Twins. We strive to accelerate the application and implementation of these innovative technologies and improve the native security capabilities of products, enhancing resilience and helping customers manage existing and emerging risks.
Take 5G base stations as an example. We provide functions such as rogue base station detection, subscription permanent identifier (SUPI) encryption, anti-DDoS over the air interface, and built-in firewalls. These functions enhance privacy protection for end users, reduce the attack surface, and strengthen defense, thereby increasing cyber resilience. At HUAWEI CONNECT 2020, we released AI security protection technologies based on the trusted execution environment (TEE), which improve the security of high-value data assets in AI solutions. By the end of 2020, Huawei had been granted 2,963 patents relating to cyber security and privacy protection around the world.
Cyber security risk management and capacity building of the supply chain
Huawei's comprehensive supply chain security management system, certified to ISO 28000, allows us to identify and control security risks throughout the entire process, from quality control on incoming materials to delivery. It includes industry-leading material trustworthiness specifications and security sourcing testing standards, along with assessment standards for supplier trustworthiness maturity. To be accepted, our suppliers must pass a rigorous security sourcing test and obtain system certification.
In 2020 alone, we assessed, tracked, and managed the cyber security risks of more than 4,000 suppliers worldwide. For privacy protection, we signed data processing agreements (DPAs) with more than 5,000 suppliers and performed extensive due diligence to ensure compliance. Furthermore, we optimized the security baselines and verification processes for supply availability and manufacturing, and implemented them in the production processes of new products.
Considering the global nature of our business, we pay close attention to the supply chain security requirements of each country where we operate. We have obtained 35 Authorized Economic Operator (AEO) certificates in 28 countries and regions across five continents. We continue to optimize our product delivery tracking system to quickly resolve any issues and mitigate any risks.
Secure and trustworthy service operations
The global pandemic caused an explosion in network traffic, and therefore a rise in customer requirements for site construction. Using digital means, we improved personnel qualification management, as well as access, operations, and data security control capabilities. We also raised security awareness among delivery and service personnel using various themed activities, such as our monthly Network Safety Day. Furthermore, we set up both local and remote delivery centers to help carriers quickly and securely build networks, thereby supporting their business activities and reducing the impact of the pandemic.
Security awareness among all employees supporting professional capability improvement
We held a Cyber Security and Privacy Protection Awareness Month, delivering the presidents' messages, expert lectures, a knowledge quiz, an open day at the Cyber Security Transparency Center, a technology contest, a verification conference, and other themed activities to strengthen our corporate culture around cyber security. All of these initiatives support our key objective to continually raise the overall levels of awareness among employees.
We also encouraged employees to participate in external professional certification programs and provided professional training to improve their professional capabilities. To date, more than 760 employees have obtained industry-recognized certifications such as Certified Information Systems Security Professional (CISSP) and International Association of Privacy Professionals (IAPP).
Furthermore, we planned and developed relevant courses, releasing 204 courses on our online Cyber Security & Privacy Protection Knowledge Center to date. These courses cover topics such as insights into cyber security and privacy protection, process development, and verification and testing, with a total of more than 200,000 individual enrollments.
Increased investment in third-party independent verification
We continued our cooperation with industry-recognized certification bodies and third-party labs to test the cyber security and privacy protection capabilities of Huawei products, solutions, and services against industry standards and best practices. This includes:
- In 2020, we obtained more than 70 certifications related to cyber security and privacy protection. For example, our 5G and LTE base stations were the first in the industry to pass the Network Equipment Security Assurance Scheme (NESAS) assessment; 5G base stations obtained the CC EAL4+ certification; routers obtained the CSPN certification from the French National Cybersecurity Agency (ANSSI); iTrustee obtained the CC certification, also from ANSSI; firewall and campus switch products passed the Payment Card Industry Data Security Standard (PCI DSS) assessment; HUAWEI Mate 40 Series smartphones obtained the digital rights management (DRM) copyright certification and Germany's ePrivacy certification; HUAWEI CLOUD received more than 10 certifications, including Cloud Security Alliance Security, Trust and Assurance Registry (CSA STAR), ISO 27001, ISO 27701, PCI DSS, and Trusted Information Security Assessment Exchange (TISAX).
- In May 2020, ERNW, an independent IT security service provider in Germany, conducted a technical review of the source code of Huawei's unified distributed gateway (UDG) on 5G core networks. Their report notes that "the overall source code quality is a good indicator that Huawei has established a mature and appropriate software engineering process for UDG".
- Our bug bounty program in HUAWEI CLOUD, Huawei Mobile Services, mobile phones, and other domains has been a continued success. Through this program, we encourage white hat hackers to discover vulnerabilities in Huawei products so that we can work with security experts in the industry to build a responsible, transparent, collaborative, and secure vulnerability ecosystem.
Respecting and protecting user privacy
Huawei is committed to complying with privacy protection laws and regulations around the world. We have built a management system for end-to-end privacy protection with strong supporting technical capabilities. We have also developed robust privacy protection processes and a host of IT tools and platforms, helping us improve compliance effectiveness and management maturity and allowing us to demonstrate our privacy compliance processes and results in a more transparent and clear manner. Furthermore, we continue to invest in and optimize our efforts to assure data subjects' rights, including the prompt and effective handling of more than 20,000 data subject requests to date. We continue to conduct internal and external audits in different countries and business domains to ensure the effective implementation of our personal privacy protection policies.
STORY-HUAWEI Browser: A secure and trustworthy online environment
The importance of the Internet means that browsers are now a key portal through which we understand the world. The primary mission of HUAWEI Browser is to create a secure and trustworthy Internet environment for users. To better protect privacy, HUAWEI Browser comes powered by four key functions:
Malicious URL detection
Phishing and fraudulent websites masquerade as regular websites to steal personal information. Users entering these sites are at risk of account hacking and identity theft. HUAWEI Browser works with industry-leading security service providers to check website security, inform users of potential risks, and remind users to visit certain websites with caution. As we check website security, we do not share the actual URLs accessed by users with our third-party security service providers. Instead, we only share non-identifiable and anonymized URLs. This means neither Huawei nor security service providers have access to the website content accessed by users. In addition, the malicious URL detection feature is enabled by default on HUAWEI Browser. Users do not need to change any settings to be protected.
After users view an item on a shopping website, they often find that ads for the same item will start appearing on other websites. This is how tracking cookies work. Advertisers push ads across websites using these tracking cookies. HUAWEI Browser's intelligent anti-tracking function identifies URLs with tracking cookies in advance and shares this information with the user's phone in real time. When a user accesses any website known to track users, HUAWEI Browser automatically disables tracking cookies, thereby preventing cross-website tracking. This process ensures that the user's privacy is never compromised.
Pop-up ads can severely affect the user browsing experience. HUAWEI Browser blocks ads by website: The ad blocker on HUAWEI Browser is turned on by default for websites with large numbers of ads. For other websites, users can turn on the blocker if they want to. The number of blocked ads is displayed in a widget in the address bar.
Intelligent blocking of automatic app opening and downloading
When users are browsing a webpage, HUAWEI Browser stops websites from automatically opening or downloading apps, allowing users to browse the Internet with fewer interruptions. This function is also enabled by default and does not require additional configuration.
In addition to the functions above, HUAWEI Browser has many other privacy and security features, such as making data sharing visible, controllable, and personalized (zero sharing of personal data with third parties); private browsing; information on and control over how third-party websites access sensitive information; and child mode. HUAWEI Browser has been certified by the British Standards Institution (BSI) for four different information security and privacy standards, namely ISO/IEC 27001, ISO/IEC 27018, ISO/IEC 27701, and CSA STAR.
HUAWEI Browser is a user-centric app that helps to create a secure and trustworthy Internet environment so that users can enjoy smart digital lifestyles.
HUAWEI Browser Privacy Protection Salon