As cloud, digitalization, and software-defined everything become more prevalent, the world will become data-centric and intelligent. This new world will bring both challenges and opportunities. We understand that the ICT industry is undergoing rapid technological transformation, with technologies becoming increasingly complex and networks more open.
Against this backdrop, we are aware of the increasing interest and concerns of companies, regulators, and the general public regarding cyber security, which we take very seriously. Users want to get online anytime and anywhere, and efficiently access data. To meet these requirements, product trustworthiness and network resilience have become more important than ever. Compared with new functions and features, customers will focus on the trustworthiness of products and solutions, along with network resilience and cyber security.
Huawei's Cyber Security Framework
Cyber security must be built upon trustworthiness, basic product quality, basic security engineering capabilities, and resilient products and solutions. That is the very foundation of all security activities.
To meet customer requirements in this more complex world, we will initially invest US$2 billion over the next five years to implement a company-wide transformation program. With this program, we aim to optimize our software engineering capabilities, as this is the foundation upon which we will build secure, trustworthy, and high-quality products. The program will entail reassessing the quality of our code, strengthening our grasp on and capabilities in the core elements of secure and resilient architecture design, and, wherever possible, simplifying every element of our products and solutions.
In 2018, to address the increasingly complex cyber security environment, we used a dynamic response approach to develop an overview of product planning and development. This was based on the assumption that cyberspace is insecure and cyber-attacks are constant. We also released our new Cyber Security Framework.
In 2018, we applied our new Cyber Security Framework through people management, security engineering capabilities, security technologies and standards, security certifications, and supply chain management. Some highlights of this year are listed below.
In staff management, we focused on improving employees' security awareness and capabilities:
We reviewed all key positions across the company relating to cyber security and privacy protection and mandated that all employees in such positions pass a cyber security examination and receive certification.
All of our employees received privacy protection awareness training and were tested on their mastery of its content. Currently, 98% of our employees have passed this examination, and the exam will be optimized and re-administered annually.
A total of 97 Huawei employees received International Association of Privacy Professionals (IAPP) certification.
We embedded cyber security into our R&D processes and continued to improve our software engineering capabilities. Over the past several years, we have put an end-to-end security design platform in place, as well as a code security scanning cloud, a security test automation and FUZZ test cloud, and a vulnerability response platform. 2018 in particular saw multiple enhancements in our basic security quality:
We customized scanning rules and applied AI, enabling the code security scanning cloud to intercept more code security issues faster.
On our security test cloud, we focused on improving intelligent security testing technology. This technology identified more than 60 vulnerabilities in open-source software, which were then submitted to open source communities.
We released the DevSecOps platform, incorporating security into the DevOps process. This ensures the security of cloud-based development.
In the public cloud and consumer domains, we implemented vulnerability reward programs. With these programs, we mobilized industry security experts and worked with the industry to build a responsible, transparent, and collaborative security ecosystem.
Results from the Building Security in Maturity Model (BSIMM) evaluation, which has been conducted for the past five consecutive years, showed that Huawei has continuously improved its security practices and ranks among the top of the 120 evaluated companies.
In security technologies and standards, we continued research on technology and architecture to improve the trustworthiness of our products and network resilience:
We launched security technologies including security orchestration and virtual machine escape detection at HUAWEI CONNECT 2018.
We developed a series of key security technologies for mobile phones, including dynamic measurement, enhanced Return-Oriented Programming (ROP) attack defense, and a lightweight applet isolation sandbox. We also researched and adopted formal proof technology to perform formal verification on some key designs and code, ensuring that mobile phones are well protected.
We developed and applied privacy protection technologies such as randomized identifiers, data masking, generalization, and multi-attribute differential privacy.
As a director and technical committee member of the Trusted Computing Group (TCG), we submitted Recommendations for Runtime Integrity Preservation, which their new standards are based upon. As an ETSI NFV SEC rapporteur, we submitted the Report on NFV Remote Attestation Architecture, which also became the basis of their new standards. Huawei is the chair of 3GPP SA, and the 5G security architecture led by Huawei was included in the Standard on 5G Security Architecture and Functions as part of the Release 15 standard TS 33.501.
We actively participated in the industry's mainstream security certifications. Our major products received 11 international mainstream security certifications, including:
Network Device collaborative Protection Profile (NDcPP) certification from the BSI in Germany for our NE40E product software
Common Criteria (CC) EAL2 certification from the BSI in Germany for our OSN 1800 V product software
Authoritative security certifications including ISO 27018, SOC1/2, and Payment Card Industry Data Security Standard (PCI DSS) for Huawei Cloud
Certifications based on ISO 20000 and ISO 22301 for Huawei's Operation Web Services (OWS) Operation Center
In 2014, Huawei's Independent Cyber Security Lab (ICSL) gained ISO/IEC 17025 accreditation for the first time. In 2018, this accreditation was reconfirmed.
Huawei also proactively works with GSMA on 5G security testing and evaluations based on the Network Equipment Security Assurance Scheme (NESAS).
In supply chain management, we manage the cyber security and privacy protection of our suppliers around the world. In 2018, we took significant steps towards that end:
We evaluated 2,778 of our mainstream suppliers for cyber security risks, and verified the progress of related corrective action plans.
We signed a Data Protection Agreement (DPA) with 582 suppliers for privacy protection, and performed due diligence on these suppliers.
We continued to optimize our manufacturing system by developing an independent software test cloud and security assurance system. These were deployed by all of our 62 Electronic Manufacturing Services (EMS) providers, ensuring the security of our manufacturing process.