Huawei is an independent company, committed to supporting the secure operations of our customers' networks and services.
We exist to serve our customers. That means supporting stable, reliable, and secure network operations no matter the circumstance, whether it be natural disaster, social conflict, or cyber-attack.
Huawei is a private company wholly owned by its employees. No government or any third party holds shares in our company, intervenes in our operations, or influences our decision-making.
Although we are not a public company, we abide by many established standards and norms for public companies, including the publication of an Annual Report, which contains financial statements audited by KPMG, an independent third-party organization. We do this to help people outside the company understand the real Huawei, our business integrity, and our independence.
These days, there is much debate about Chinese intelligence law. Some groups of politicians claim that Chinese law allows the government to force companies to collect intelligence on its behalf.
This is simply not true. The Chinese government has been explicitly clear about this, as have multiple independent legal professors and a well-known international law firm: Government requests for company assistance must be in accordance with the law. There is no Chinese law authorizing the state intelligence agency to require a telecommunications equipment manufacturer to implant backdoors or disable customer networks. The Chinese government does not interfere with our business or the security of our products. And if any attempt were made to force our hand – from any country or organization – we would reject it outright.
We have been very clear on this point: If we are ever put in a position that jeopardizes our independence, the security of our products, or customer networks, we would sooner shut down the company than violate our principles. We are happy to sign any "no-spy" and "no-backdoor" agreements if that would provide further comfort to our customers and governments around the world.
For the past three decades, Huawei has operated in more than 170 countries and regions, serving over three billion people around the world. Our equipment has never caused a large-scale network breakdown, and we have never experienced any serious cyber security breach. There is no evidence to show that Huawei has ever done anything to jeopardize the security of our customers' networks or devices.
New technologies such as cloud computing, artificial intelligence (AI), and the Internet of Things (IoT) will provide new opportunities for society. However, these technologies also present new security challenges. Governments around the world are reviewing the challenges surrounding next-generation mobile communications technology, and we believe governments should view these challenges from a technological perspective. As a world-leading information and communications technology (ICT) infrastructure provider, we believe that future cyber security regulations must encourage collaboration from both industries and governments.
Networks are connected by devices from different vendors, and services are provided by different operators. Without any industry-wide security standards, cyber security challenges may become more frequent. To eliminate the impact of cyber security challenges, governments, enterprises, and industry organizations need to collaborate to ensure end-to-end (E2E) cyber security.
Firstly, we need agreed-upon standards. Governments, enterprises, and industry organizations need to agree on security standards for all network devices and services, because if any single device or service fails to meet them, the security of the entire network can be compromised. 3GPP has been recognized as an international standards organization in the mobile communications field; its members, including Huawei and Ericsson, work together to develop security standards and promote the security of communications networks. Compared with 4G, 5G has stronger encryption algorithms and more flexible authentication mechanisms, and new security standards are being discussed to protect the security of product deployment and of new services.
Secondly, we need unified security certification standards. Governments and enterprises need to collaborate to develop security certification standards, such as those set by Common Criteria (CC), which has become the most widely recognized and trusted IT product security certification in the world. It is the responsibility of operators and vertical industries to determine the required security certification levels, drawing on security standards that have proven successful as well as an understanding of each industry’s particular characteristics, and to ensure that all devices and services meet the expected certification levels. We must consider, together with the relevant stakeholders, how to apply and upgrade current security certification standards, processes, and methods, and how to build standards, processes, and methods that both governments and customers can recognize. Involving all stakeholders in this discussion will ensure that successful, industry-wide standards are implemented. For example, Korea’s LG U+ requires all 5G devices to be CC EAL 4 certified.
Thirdly, secure manufacturing processes and services are needed. Equipment suppliers and service providers alike must improve their cyber security capabilities to ensure that their products comply with security standards and meet the security certification level their customers require. Vendors such as Huawei and Ericsson have designed the security of their LTE and 5G equipment and services using recognized security standards, such as those of 3GPP and CC.
Lastly, third-party security certification mechanisms need to be established to minimize cyber security certification issues. Unified third-party certification mechanisms involving multiple stakeholders, including governments, equipment vendors, operators, and certification organizations, must be established, and all equipment vendors must earn certification. The entire industry should be able to trust these third-party certification organizations, and their independent equipment certifications should be impartial. Where a current scenario is not covered by existing certification standards, the standards need to be changed so that new certification requirements cover it. 3GPP is developing the Network Equipment Security Assurance Scheme (NESAS), and the Global System for Mobile Communications Association (GSMA) will review the qualifications of the third-party certification labs, meaning that these labs will soon be able to certify network equipment (NE) security.
Cyber security cannot be achieved by unrecognized organizations, and risks cannot be eliminated through isolation. The only way to ensure E2E cyber security is to pool our resources and work together to develop high-quality cyber security services.
Huawei started its cyber security journey in 1999 when it published its first set of security technical regulations to enhance the security of products and solutions. In 2011, our founder and CEO Ren Zhengfei fully endorsed the strategy and issued the following Cyber Security Assurance policy that further reinforced and enhanced our commitment:
“As a global leading telecom solutions provider, Huawei Technologies Co. Ltd. ("Huawei") is fully aware of the importance of cyber security and understands the concerns of various governments and customers about security. With the constant evolution and development of the telecom industry and information technology, security threats and challenges are increasing, which intensifies our concerns about cyber security. Huawei will therefore pay a great deal more attention to this issue and has long been dedicated to adopting feasible and effective measures to improve the security of its products and services, thus helping customers to reduce and avoid security risks and building trust and confidence in Huawei. Huawei believes that the establishment of an open, transparent and visible security assurance framework will be conducive to the sound and sustainable development of industry chains and technological innovation; it will also facilitate smooth and secure communications among people.
In light of the foregoing, Huawei hereby undertakes that as a crucial company strategy, based on compliance with the applicable laws, regulations, standards of relevant countries and regions, and by reference to the industry best practice, it has established and will constantly optimize an end-to-end cyber security assurance system. Such a system will incorporate aspects from corporate policies, organizational structure, business processes, technology and standard practice. Huawei has been actively tackling the challenges of cyber security through partnerships with governments, customers, and partners in an open and transparent manner. In addition, Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests.”
To continuously deliver innovative, high-quality products and services, advanced business process assurance is required. Since 1997, Huawei has retained IBM as a consultant to help build Huawei into a process-based organization grounded in industry best practice, so that high-quality products and services can be delivered repeatably. We have engaged the world's most innovative and professional organizations to provide Huawei with business process support.
In addressing the requirements of laws, policies, and standards for cyber security, we incorporate industry best practice into Huawei's standard processes and baselines. In this way, cyber security becomes a standard part of Huawei's daily business operations. Huawei's end-to-end cyber security methodology is incorporated into the following 12 corporate processes and business modules.
Governance of Cyber Security Strategy
However, we accept that having a process does not mean that it is a good process, or that anyone actually executes it. Our starting point was to create the governance that will make this happen and, importantly, to provide clear accountability for its success or failure. This can only happen at the very top of the organization – if it does not matter to the Board and senior officials, it will not matter to the employees. The governance of cyber security in Huawei is as follows:
From an organizational perspective, the Global cyber Security and user Privacy protection Committee (GSPC), as Huawei's top-level cyber security management body, is responsible for ratifying the cyber security assurance strategy. The Global cyber Security and user Privacy protection Officer (GSPO) is a key member of the GSPC and reports directly to the CEO of Huawei. The GSPO is in charge of developing this strategy and of managing and supervising its implementation. The system is adopted globally by all departments within Huawei to ensure consistent implementation. The GSPO shall also endeavor to facilitate effective communication between Huawei and all stakeholders, including governments, customers, partners and employees.
Information and communications technology (ICT) is evolving from a vertical industry into a platform industry, supporting the digital transformation of other industries and creating a fully connected, intelligent world. New technology trends such as cloud, artificial intelligence (AI), and software-defined everything require highly reliable ICT infrastructure, and customers will continue to treat trustworthiness as a basic requirement when investing in ICT products. Trustworthiness refers not only to producing successful results, but also to providing quality assurance of the process and designing quality into products from the outset. Trustworthiness stems from verifiable quality – both in process and in results.
Cyber security and privacy protection are Huawei’s top priorities. Huawei is building an effective management system using the ISO 9000 quality management system and ISO/IEC/IEEE 15288 and 12207 system engineering and software development standards. This ensures that every customer will be provided with a high-quality product, while employees continue to value product security and earn our customers’ trust.
In the future, what standards will the telecom industry need to keep the fully connected world secure? Huawei has been involved in the development of more than 150 documents, including mainstream security standards and process specification guides, as well as regulatory directives, white papers, and academic papers. Huawei has found that there is no all-encompassing standard; rather, different standards emphasize different aspects of security. Huawei has experience in large-scale development, network deployment, and operations and maintenance (O&M), as well as the knowledge to design large and complex products. We define Huawei’s trustworthiness framework based on common knowledge in system engineering and on the following four principles: explainability, implementability, verifiability, and considerable industry consensus.
Figure 1-1 Huawei trustworthiness framework
We are committed to building trust and high quality into every ICT infrastructure product and solution we develop. Here are some key areas we as a company will work on:
Security: Huawei will strengthen the defensive capabilities of its products, including their ability to protect the confidentiality, integrity, and availability of services and data.
Resilience: This is the ability of the system to continue to be in a known state while under attack, even if in a degraded state, and to rapidly recover after an attack.
Privacy: Protecting privacy is a regulatory requirement, and also the expression of Huawei’s values as a company. Users should also be able to appropriately control how their data is used. Information use policies should be transparent to users. Users should be able to appropriately control when and if they want to receive information based on their own individual needs. There must be a set of capabilities and mechanisms to fully protect user private data.
Safety: System failures should not create unacceptable risks or cause harm to the safety of any individual, either directly or indirectly (for example, through damage to the environment or to property).
Reliability & availability: We need to ensure long-term, fault-free operations for the entire lifecycle of our products. They must be able to rapidly recover and self-manage, as well as provide predictable and consistent services.
Trustworthiness should be incorporated from the very beginning and throughout the development, implementation, and innovation of each product. We must ensure the integrity and bidirectional traceability of each product, from the product’s innovation to the customer’s premises, and provide proper confidentiality protection mechanisms (such as permission separation, trust, and behavior monitoring mechanisms) where necessary to ensure that products are not counterfeited or tampered with. We must also ensure that deployment, maintenance, and disposal processes and tools protect sensitive data from leakage. Trustworthy system design, trustworthy software implementation, trustworthy delivery and O&M, and the transformation of product lifecycle management need to be implemented in each domain to achieve trustworthiness.
Over the past 100 years, many of the world’s most successful companies have fallen because they were not able to adapt to change. Choosing to evolve is the only way for a company to remain adaptive to changes in the outside world. Huawei needs to stay open and keep evolving if we hope to remain relevant. Our Board of Directors has decided to begin a broad transformation program to fundamentally enhance our software engineering capabilities and practices over the next five years. Our rotating chairman, Xu Zhijun (Eric Xu), will take overall accountability for the program. We will allocate an initial budget of US$2 billion to this program, which will cover all products in our ICT infrastructure business. Our goal is to develop trustworthy, quality products. Only in this way can we fulfill our vision and mission: to bring digital to every person, home and organization for a fully connected, intelligent world.