Cyber Security: Innovation and Cooperation
In today's digital world, new technology is increasingly the driver of our digital evolution. New technology is making our lives better and our work more efficient. New technology brings together resources in new configurations. It is the spark of life in the digital economy. However, new technology inevitably brings brand new security challenges for our networks. Huawei is addressing these challenges head on, seeking innovative solutions, pulling together international partners, and gradually building up codes of practice for new, high-tech scenarios. Together, Huawei and its partners are building a Better Connected World in which businesses and people can connect with confidence.
Digital evolution brings new security challenges
As mobile networks evolve, all things will become connected, and they will always be online. In the 5G era, there will be upwards of a million connections per square kilometer. Every object we encounter in our personal and professional lives will be connected. With 5G, network response times will be 50x faster than they are with 4G technologies. The lag between action and reaction will be an ultra-low 1 millisecond. That will make possible many real-time applications that today simply do not exist.
Big data and artificial intelligence (AI) will turn scenes from science fiction into reality: machine learning, machine vision, diagnostic assistants, etc. For example, in the healthcare industry, we will see DNA tests performed by tiny AI chips, and huge "medical brains" that can analyze millions of those test results simultaneously. The potential value of big data and AI will finally begin to be realized, bringing benefits for all of humanity.
The use of cloud technology will also become much more widespread, and costs will drop. Over the next 10 years, 100% of companies will start connecting to cloud services. 85% of applications will migrate to the cloud. As a result, corporate efficiency will rise sharply. We will be able to develop and launch new software on the cloud, and the cloud will become a kind of digital brain, available to enhance all kinds of mental labor.
However, there are two sides to every coin. Mobile networks and sensors will make for a much more densely connected world; but the attack surface of our ICT systems will grow exponentially. AI and big data will enable deep data mining; but the risk of data leaks will also soar. Cloud will enable the sharing of resources and open up closed systems; but that means traditional, defendable boundaries will also become blurred.
Huawei believes that new challenges are no excuse for standing still. Challenges are part and parcel of technological advancement and social progress, and we should not shy away from them.
Security built into the innovation process
As a technology provider in the digital age, one of the first tasks for Huawei is to find innovative ways to build security into our innovative technologies. Here are some of our key initiatives:
Security as a pillar of corporate governance
If the board of directors and senior executives don't prioritize cyber security, their employees won't either. One of the principles underlying Huawei's cyber security framework is a commitment to putting cyber security ahead of profits, every time. In 2010, the company established a Global Cyber Security Committee, with oversight of all Huawei operations. Committee members include principal board members and senior executives, and this high-level engagement helps to ensure that cyber security is integrated into the company's strategy, governance, and operations from the start. It makes cyber security a part of Huawei's DNA.
Active research into new technology
Given the complexity of today's cyber security challenges, technology providers have a duty to deliver technological solutions. We must develop new security capabilities so that we can give our customers products and services that they can trust. Huawei is an active player on the cutting edge of security research, looking at ways to incorporate new technologies like blockchains and quantum cryptography into our products and services, so that we can protect the integrity of distributed systems, and better encrypt our transmission and storage.
We are also seeing increased investment in cyber security by many other companies, and this is driving the emergence of new security techniques, including big data and AI. Huawei has invested in leading research in security for data pipes and devices, virtual security, and algorithm security, and we have made important advances. For example, the Open Networking Foundation (ONF) has adopted an SDN Northbound Interface technology developed at Huawei's European Security Lab.
New security concepts
ICT technology is changing rapidly, and in this mobile, cloud-based world of infinite connections, technology providers need to think long and hard about how to best protect our networks. For years, security efforts have focused on setting a hard perimeter: a "great wall", basically a sophisticated firewall. However, as new technology emerges, traditional sharp boundaries are becoming increasingly blurred. It is no longer clear where the control points should be; and when we do set up controls, there are now many more ways to circumvent them. The "perimeter defense" concept is no longer effective. So Huawei will focus more deeply on the concept of "defense in depth", and combine this concept thoroughly with new technologies. In this approach you have to assume that at some point your firewall will be breached, so you have to consider how to identify, contain, and eradicate a given threat at every level of an ICT system.
- Defense in depth requires big data technologies, to compare current system data to known benign and malicious behaviors.
- It also requires the use of sophisticated AI to assess what processes should be allowed to continue, and what needs isolating for further examination.
- When dynamic blocks are imposed, all hardware and systems that might have been infected need to be isolated as well. Policies need to be updated in real time to prevent further spread and fully eradicate the threat.
To build these security concepts into Huawei's products and solutions, Huawei has, since 2012, incorporated the following three security practices into our security framework:
- Security in development
In the early stages of product planning, Huawei first considers all the available security technologies, relevant security standards, legal requirements, and the customer's cyber security needs. As part of the initial product specification, we include our security positioning and target security features. This allows us to determine what resources will be required in the later development phases. From product design and coding to testing, Huawei embeds strict security requirements into every product development process.
- Security by design
We follow the fundamental security principles during the design phase, including least privilege, defense in depth, and complete mediation. Huawei has a Security Competence Center which sets security standards. This center has over 300 people, and is responsible for improving the security skills of our nearly 80,000 R&D engineers. The Competence Center also coordinates with R&D teams working on new technologies to develop comprehensive security solutions. Two examples are our cloud and IoT security solutions:
Cloud: Huawei's cloud technology is predicated on effective data protection. Big data analytics dynamically assess the security status of a Huawei cloud network, identify major risks and threats, then take defensive action to mitigate and remediate. Multi-dimensional, multi-layer defenses and analytics support secure cloud operations by delivering swift identification, containment, and recovery.
IoT: The Huawei IoT security framework encompasses endpoint security, network layer security, platform and application security, and security situational awareness. In IoT endpoints (sensors and devices), chipsets incorporate Trusted Platform Module (TPM) and Trusted Execution Environment (TEE) techniques, and secure boot and secure upgrade processes. At the network level, security is assured through mutual authentication, security zone isolation, and encryption of transmitted data. For platforms and applications, there is sandboxing, web application firewalls, DDoS defense, etc. Together, these individual measures form a deep, layered defense. Over the top runs security situational awareness: monitoring, big data analytics, and policy management. The system is constantly sensing and analyzing the network and its behavior to detect potential risks and threats.
- Independent security verification
Huawei has an independent cyber security lab, led by a dedicated Global Cyber Security Officer. This lab carries out a completely independent verification of all products before launch. No product which fails to meet security standards can be released onto the market, and faulty development processes are carefully investigated.
End-to-end supply chain security
The research, manufacturing, delivery, and use of ICT products are heavily dependent on a globalized supply chain. Therefore, our security practices must also encompass the entire supply chain, end to end. Internally, this means every phase of product manufacturing, delivery, and service. Externally, it includes supplier management. End-to-end security is complex and demands a highly systematic approach, with commitment from all stakeholders. The following issues are especially important:
Traceability of hardware and software
Complex technologies include thousands of components and millions of lines of code. We must ensure that every component of every product is traceable and identifiable. Huawei is able to trace all replaceable components, down to the level of a single capacitor or diode. For software, we have rapid traceability at the source code level.
Secure deployment and maintenance
Security during product deployment and maintenance has a direct impact on the security and stability of customer networks, and also the services that run on them. Huawei aligns its delivery and service processes with its customers, and complies strictly with local law and the customer's cyber security requirements. For both onsite delivery and remote maintenance, Huawei's internal software and tools force full process compliance at every step.
If a supplier's technology or processes are not secure, they threaten the security of products and services that are delivered to end customers. Huawei was the first company in the communications industry to sign a cyber security agreement with its suppliers to help them strengthen the security of their products and services. When selecting and auditing suppliers, Huawei assesses and tests their cyber security systems and the quality of their security controls. Only suppliers that pass these audits can become Huawei partners.
Security must be part of a company's culture
Security ultimately comes down to people. Awareness of cyber security is not just an issue for technology operations. It should be an important consideration in hiring, training, incentives, and performance management. Huawei operates in over 170 countries and regions, and regularly delivers education and training on cyber security to its 180,000 employees. All Huawei employees must pass a cyber security examination, and must sign Huawei's Business Conduct Guidelines, which include a section on cyber security. Cyber security is a key competency in Huawei's internal skills assessment system, and is a mandatory competency for many positions. The company has developed comprehensive cyber security training programs to meet its employees' training needs.
Security through cooperation
Today's networks are diverse and extensive. Technology providers cannot be the sole architects of security. They must build a shared awareness of cyber security with all stakeholders. Active collaboration will be vital for effective cyber governance.
Governments should establish common codes of conduct through bilateral talks and multilateral consultations. They should proactively share experience and best practices, and work together to crack down on cyber attacks and cybercrime. These measures will help build trust in a transparent, collaborative, and open environment. For example, at the end of last year, the National Cyber Security Agency of France (ANSSI) and Germany's Federal Office for Information Security (BSI) signed an MoU to cooperate on the ESCloud label, for which they established a joint working group. This effort has set the stage for Germany and France to develop shared standards for cloud security, improve the security of cloud services, promote trust, and build more business links. The UK's National Cyber Security Center (NCSC) is another good example. Recently, this organization put online guidance for infrastructure security and supply chain risk control. It offers an excellent reference for governments around the world.
Development of ecosystems
Industries need to work with governments to formulate widely-accepted security standards. They also need to encourage all stakeholders to invest more in open source security, which is a vital resource for enhancing industry security. Agreement on standards is an important link in any cyber security system. Industry organizations should work with technology providers to develop comprehensive international standards that will give industries clear, consistent guidance on security. Industry organizations should also work with governments to recognize that supply chains are now global. Governments must realize that uncoordinated national standards will not solve their security issues. Moreover, having different standards will break supply chains, block technological progress, and increase the cost of doing business.
Unified international standards are of paramount importance. Moving forward, open source will be an increasingly important part of software development, as almost all products directly incorporate large amounts of open source code. Today, open source communities lack the personnel and the funding to respond quickly to the security challenges of new technology, so the security features of open source software lag behind. In the future, open source cannot rely solely on the inputs of community members for its security features. Broader investment from all stakeholders will be required.
Huawei has long been active in both of these aspects. It is a member of over 20 international security standards organizations, and is one of the major contributors to working groups in the major standards bodies. In 2016 alone, over 200 Huawei proposals on security were accepted by 3GPP SA3 and ETSI NFV working groups. Together with other corporate partners, Huawei also provided funding and shared experience with open source communities. This helped to fix vulnerabilities and improve the quality of security code in Linux and other open source initiatives.
Building user awareness
In order to protect technology users and the public, every company and citizen needs a greater awareness of cyber security, data ownership, and privacy. Major countries around the world have made public education on cyber security a key part of their national data protection and privacy strategies. Governments hope to raise general levels of knowledge and skills to help control cybercrime and threats to cyber security. If the general public knows how to protect itself, this reduces the cyber vulnerability of individuals, and even of the nation as a whole. The EU, Austria, the Netherlands, and Australia have made educating young people on cyber security a key measure in their national cyber strategies. By giving young people the awareness and skills they need to protect themselves, these countries are taking a vital step toward protecting their citizens' interests, reducing cybercrime, and stopping cyber threats.