Cyber Security and Privacy Protection

As a leading global provider of ICT infrastructure and smart devices, Huawei plays an active role in the digital transformation of industries to bring digital to every person, home, and organization. As digital transformation initiatives accelerate across the world, we have a clear responsibility to ensure that cyber security and privacy protection remain a top priority. We have implemented and maintained a comprehensive end-to-end cyber security assurance system.

Over the past three decades, we have maintained a solid track record in security. Huawei is the leading provider and designer of enhancements to 5G security. We have provided more manpower and resources to the international bodies than anyone else, and we are the number one contributor of 5G security proposals that have been accepted and adopted by the industry. For example, 385 proposals submitted by Huawei were accepted by 3GPP, accounting for 24.6% of all proposals accepted in 2019 and making Huawei the top contributor of security proposals.

End-to-End Cyber Security Assurance and Privacy Protection System

Building and fully implementing an end-to-end global cyber security assurance and privacy protection system is one of Huawei's most crucial strategies. We are referencing industry best practices to build a system that is sustainable, reliable, and compliant with applicable laws and international telecom standards. This system covers everything from policies, organizational structures, processes, and management to technologies and standard practice. Huawei transparently works with governments, customers, and partners to tackle cyber security and privacy challenges and meet our customers' demands.

We are addressing cyber security and privacy needs by incorporating best practices into our processes, baselines, policies, and rules. This makes cyber security and privacy protection central to Huawei's daily operations.

End-to-end cyber security assurance system

Huawei's top-down cyber security governance structure supports the success of its security strategy. The Global Cyber Security and User Privacy Protection Committee (GSPC) is Huawei's highest cyber security management body, and it is responsible for approving its strategy for cyber security assurance. The Global Cyber Security and User Privacy Protection Officer (GSPO) is an important member of the GSPC and reports directly to the CEO of Huawei. The GSPO is in charge of developing Huawei's security strategy, and plans, manages, and oversees how departments (e.g., R&D, supply chain, marketing, sales, project delivery, and technical services) structure their security teams and ensure security in their business activities. The system now covers all departments, geographies, and processes. The GSPO also facilitates effective communication between Huawei and its stakeholders, including governments, customers, partners, and employees.

Cyber Security and Privacy Protection with Secure, Trustworthy, and High-quality Products

Over the past two years, we have reviewed our approach to security and privacy and analyzed the directions in which new technologies are heading, along with the current and future challenges facing our customers. As a consequence, we have enhanced our cyber security and privacy frameworks, operating on the assumption that, in this globally intertwined world, cyberspace will face constant attacks.

Throughout 2019, the frameworks guided the way in which we continued to drive process transformation, solutions, security engineering capabilities, security technologies and standards, independent verification, supply chain, and personnel management. This has enabled us to proactively enhance our end-to-end cyber security assurance capabilities. Some of our key activities are highlighted here:

Heavily invested in software engineering capability transformation to ensure secure, trustworthy, and high-quality products: We simplified our products and solutions as much as possible and implemented the latest thinking about security architecture and development, and we are progressively upgrading all appropriate products and solutions to reflect the latest thinking, technology components, and partners. We have systematically built and deployed resilient architecture design methods, and have launched the distributed automatic binary vulnerability mining platform. Moreover, we have improved our security design tools, code security scanning cloud, security test cloud, and fuzz test cloud. These initiatives greatly enhanced our security engineering capabilities, enabling us to help our customers safely digitize their businesses and create value for their customers.

Maximizing the use of AI in developing security products and solutions: We have launched a series of security products and components centering on AI-powered security risk identification, security situational awareness, security risk prevention and response, and security ecosystem. These tools are integrated with our 5G, IoT, and cloud solutions to provide intelligent network boundary protection and defense, real-time situational awareness, and efficient closed-loop handling of security risks, helping customers build network resilience and protect themselves and their customers.

Maximizing technological innovation to reduce risks to customers: We have introduced full-stack security technologies into ICT products to enhance product security and resilience. These technologies include host intrusion detection, sandboxing functionality, container security, CPU side-channel attack detection, web application security, and intelligent risk control. We have also deployed memory code integrity measurement on 5G base stations, ensuring runtime code security. Furthermore, we have enhanced kernel integrity protection on mobile phones, and applied key security technologies such as the real-time detection of kernel attacks and AI-based detection of unknown threats to improve mobile phone security. Another area that we have innovated in is mobile apps. Dynamic and static privacy data access compliance detection technologies will detect exceptions in mobile applications, such as permission abuse, malicious behavior, and pirated applications. This not only ensures that the AppGallery complies with Android Green Alliance 2.0, but also provides for a clean and sustainable application software ecosystem.

Strengthened the independent verification mechanism: We have fully supported the independent verification of Huawei cyber security by stakeholders. In addition, we have assured and verified our cyber security management systems, products, services, and personnel through quality monitoring, internal and external auditing, and standards certification. This meets stakeholders' cyber security requirements across all of our business processes (e.g., R&D, sales, service, and supply) and helps us to enhance external confidence in Huawei's overall approach to cyber security.

Supply chain cyber security risk management and capability building: Huawei's comprehensive supply chain security management system is ISO 28000-certified, enabling us to identify and control security risks throughout the supply chain lifecycle. We produced 28 types of industry-leading material security specifications and security sourcing test standards, along with 11 sets of industry-leading standards for the certifications of our suppliers' cyber security systems. Our suppliers must pass a rigorous security sourcing test and obtain system certification before they are accepted. In 2019, we assessed, tracked, and managed the risks of more than 3,800 suppliers worldwide. We signed data processing agreements (DPAs) with more than 3,000 suppliers and continue to run due diligence to ensure compliance with privacy obligations.

We released the supply availability security baseline and implemented it in all of our 145 newly developed products. Furthermore, we developed an in-transit exception dashboard to provide real-time warnings about exceptions such as abnormal stay and route deviation. We restructured the product delivery tracing system, allowing us to trace software information within one hour and trace hardware information (from incoming materials to delivery to customers) within one day to facilitate the fast and transparent resolution of issues and to eliminate risks.

Employee awareness and skills enhancement: We conducted training across a range of cyber security and privacy protection topics and held exams for all Huawei employees, with a 99% success rate. Employees continue to be encouraged to improve their cyber security and privacy expertise through external training and professional certification. To date, more than 500 employees have obtained external professional certifications such as IAPP (privacy) and CISSP (cyber security). Huawei has the most IAPP-certified employees in the world. Our Cyber Security & Privacy Protection Knowledge Center, a one-stop learning and training platform, was launched and is already helping employees improve their skills and enhance their knowledge. Over 620,000 hours of coursework have been completed by our employees, with a total of more than 290,000 individual enrollments in our 111 courses. This means the average Huawei employee spent more than two hours taking cyber security and privacy training.

User privacy protection obligations: Huawei remains committed to complying with privacy protection laws and regulations around the world. We have adopted industry-recognized best practices, and have embedded Privacy by Design into product and service development processes. These initiatives contribute to a holistic framework for personal privacy protection policy. We have increased our investment in the management of data subject rights assurance, developed explicit management requirements and processes, and deployed them in a unified IT system, ensuring that we can promptly process data subjects' requests. To date, we have handled more than 10,000 data subjects' requests. In addition, we completed 26 internal audits to ensure that our personal privacy protection policy has been implemented in a consistent and effective manner, and we passed five external audits as well as one professional inspection by a regulator.

AI governance: In 2019, Huawei released the Thinking Ahead About AI Security and Privacy Protection white paper, setting out Huawei's viewpoint on the current security and privacy challenges surrounding AI. The paper explores key topics such as technical reliability, societal applications, and legal requirements and responsibilities. In addition, the paper proposes a number of feasible governance models, including planning trustworthy technical solutions, and adopting a shared responsibility model for AI security and privacy. The paper calls on all stakeholders to work together towards shared goals and for the healthy development of AI into the future.

Our experience tells us that no one has a monopoly on good ideas. The more we share and discuss the challenges we all face, the more we can improve solutions, standards, and approaches to raise the bar for everyone. Huawei remains determined to communicate and cooperate with stakeholders in a manner characterized by openness and transparency; integrity and trustworthiness; and accountability. We strive to address cyber security and privacy protection challenges through technological innovation, standards development, and management improvement. We are relentless in our mission to help customers establish their own cyber resilience and risk mitigation strategies.

Building a Privacy Protection Brand Trusted by Users

Mobile Internet developments have made smart devices the most popular way to go online. These devices store a wealth of user data, with an increasing number of apps installed from uncontrolled sources. This has put user privacy and security at risk, drawing increasing scrutiny to the security of mobile smart devices. Huawei takes the security of smart devices extremely seriously. We do everything we can to protect user privacy and ensure data security as we work to provide a premium user experience.

Huawei's Consumer BG is committed to building a brand that is trusted by global consumers in terms of privacy protection. We strictly comply with the Generally Accepted Privacy Principles (GAPP), the EU's General Data Protection Regulation (GDPR), and all other applicable laws and regulations in the countries where we operate. We believe that privacy is our consumers' basic right, and that they should have full knowledge and control of what has been done to their personal information. Achieving this goal is part of everything we do.

Guided by the idea of "Privacy Under Your Control", our Consumer BG adheres to four basic principles – transparency, user benefits, security, and legal compliance – and incorporates Privacy by Design throughout its business.

Protecting user privacy requires advanced technologies. We leverage leading security technologies to protect user data and to incorporate privacy protection principles starting from the product design stage. These principles continue throughout the entire product development process to fully protect user data.

Huawei has built a Trusted Execution Environment Operating System (TEE OS) that supports hardware isolation. Sensitive user data such as fingerprints, facial biometrics, and lock screen passwords are all encrypted, verified, and stored in the TEE to prevent privacy leaks. The TEE OS's microkernel obtained the CC EAL5+ certification, the highest for a commercial OS, and uses the formal verification method. Compared with traditional verification methods, formal verification starts from code and uses mathematical methods for verification. It then analyzes each possible execution of that code, which eliminates system vulnerabilities from the source to enhance systemic security. The key features of the Emotion User Interface (EMUI) – Huawei over-the-air (HOTA), Celia, and Hiview – received the EU's ePrivacyseal, making Huawei the first mobile phone manufacturer to receive this certification.

In the HMS domain, we have established a complete system for managing personal data protection, and we are the global leader in terms of personal data security management, transparency, and privacy compliance. For example, the AppGallery manages the security of apps with a unique four-layer system – malicious behavior detection, security vulnerability scanning, privacy leak checks, and manual real-name reviews. This system ensures that only secure apps are available for download from the AppGallery. HUAWEI Mobile Cloud encrypts the data transmitted in device-cloud channels and the data it stores to protect user data from end to end. In November 2019, HMS became one of the first recipients of the ISO/IEC 27701 privacy protection system certification issued by the British Standards Institution (BSI), an authoritative international standards organization. This shows that our ability to protect user privacy and manage information security is recognized by world-leading organizations.
