Huawei’s whitepaper on global cyber security

Telecom Lead India: Huawei India has released its whitepaper on global cyber security.

TelecomLead.com is presenting highlights of the report.

Cyberspace is a new strategic domain unlike physical territory. It has gradually become the “nerve system” that ensures the normal functioning of society. Countries around the world have attached significant importance to the development of cyberspace technologies. As such, we should leverage the benefits created by these technologies for society while managing any challenge we all confront in cyberspace.

I. The development of networks has contributed to social progress.

1. The openness of networks has encouraged information flow and sharing, provided more opportunities for and lowered the costs of innovation, enhancing the world’s technological innovation capabilities.

  • Increasing opportunities for innovations: Network technology itself is a remarkable innovation. Open networks have made it easier to obtain and share information and created a lot of opportunities for innovations.
  • Lowering the hurdle to innovation: Network technology lowers the hurdle to innovation, empowering individuals and small- and medium-sized enterprises to innovate on the same platform as large enterprises.
  • Promoting the application of innovations: By drawing innovators and users closer together, networks have made it easier for innovations to be validated by users and put into commercial use.

2. The development of networks encourages investment, brings about new consumption models, and drives global economic growth.

  • Fueling the global economy: Open networks connect the world, facilitate economic exchanges across regions, and promote global trade.
  • Bringing about emerging industries: Networks have changed people’s lives, developed new consumption and business models, and helped shape the industries that depend on the Internet.
  • Driving economic growth: Information technology has become a key driver behind economic growth. As reported by the World Bank, for every 10% increase in broadband penetration, the GDP in developing countries will increase 1.38%.
  • Improving social efficiency: Accelerated network speeds, the popularity of smart devices, and the large-scale application of cloud computing have helped create a smart energy-conscious society and significantly improved organizational efficiency and productivity.

3. The openness of networks brings people from different regions more equal opportunities for development, allows different cultures to communicate on a common footing, and advances the progress of human civilization.

  • Bridging the digital divide: Networks, by nature, tend to be open. We should adopt a positive attitude towards data floods, not simply look at the ills or complexities that they create. We must utilize information to bridge the digital divide, provide more people with access to communications and information systems, and allocate information resources more appropriately, so that all human beings can benefit.
  • Advancing fair development: The openness of networks makes it possible for people to have equal access to information, improve social justice, and balance development across regions.
  • Promoting cultural exchanges: The openness of networks has promoted cultural exchanges and helped to soften many of the misunderstandings, acts of discrimination, and cultural conflicts that exist between people with different cultural backgrounds.

II. Cyber security is a common challenge that all of society and the entire world have to confront together.

1. As the ICT industry shares a global supply chain, the diversity of vendors from different regions makes it difficult to trace the source of cyber security threats.

  • Standardization has brought about a global supply chain: The ICT industry is becoming highly standardized. ICT enterprises that have established R&D, manufacturing, and purchase centers around the world are able to benefit from global trade and the division of work. Leveraging these benefits has made their resource allocation the most competitive. In this process, a global supply chain has come into being.
  • It is challenging to trace cyber security threats: As communications infrastructure and systems become more complicated and ICT products integrate more hardware, software, and service applications, the global supply chain requires ICT products to be designed, manufactured, and assembled in different countries or regions. As a result, it is very difficult to locate and trace the source of threats when cyber security issues arise.

2. Data security and privacy protection face increasing challenges as society depends more and more on the ever-evolving Internet that continues to grow in complexity and scale.

 

  • Added complexity: Data security and privacy protection face increasing threats and challenges as ICT technologies become more open, telecom networks continue to migrate to IP, smart devices become more pervasive, and services are converged.
  • Increased dependence on the Internet: As modern society relies more and more on the Internet, cyber security is increasingly pertinent to the politics and economy of one country, as well as to the daily life of its citizens.
  • High accessibility to the Internet: People today can access the Internet anytime, anywhere. Multi-point access provides users with increased flexibility yet it also creates vulnerability to security threats.
  • Surge in digital assets: As more individual users and organizations send and store critical digital assets online, susceptibility to hacking is also increased.

3. Lack of trust amongst stakeholders in the field of cyber security makes it difficult to form an effective global solution.

  • Lack of definition: Consistent security definitions and criteria are nearly non-existent in existing policies and regulations.
  • Protectionism: The risks and challenges in cyber security are often exaggerated and used as an excuse for protectionism by the private and public sectors.
  • Over-politicalization: Cyber security challenges can largely be managed by technical means. However, if these challenges are escalated to ideological differences as a result of political debates, it is difficult to formulate viable solutions.
  • Excessive protection: Oversensitivity to cyber security and excessive protection will aggravate accusations and suspicions between stakeholders.

III. Governments, industries, and users need to open up and work together to take their fair share of cyber security responsibilities.

1. Governments should create an environment of trust, transparency, cooperation, and openness conducive to cyber security assurance.

  • Collaboration: Cyber security is a global issue. Data is transmitted and processed across the entire globe. Data does not stop at national boundaries or territorial jurisdictions of governments or courts. Legal and judicial systems are based on territorial boundaries, so countries are required to adopt generally-accepted international principles and methodologies when formulating and executing laws to address challenges regarding cyber security and privacy protection.
  • International cooperation: Governments from different countries and players from both the public and private sectors should enhance cooperation to combat cyber crimes and mitigate risks in the global supply chain.
  • Transparency: A visible and viable cyber security framework must be built up, including policies, laws, standards, and best practices.
  • Hierarchical management: Governments should manage information risks by priority level. Only core information assets and critical network facilities should be kept confidential for a specific period of time. Small amounts of data are more easily protected. All-round and excessive protection costs too much and produces limited results.
  • Education: Governments should help network users raise their cyber security awareness through education and publicity campaigns and improve their ability to protect their own privacy.

2. All parties of the ICT industry should be committed to building an end-to-end cyber security assurance system to improve network robustness and resilience.

  • Industry standards: Organizations in the ICT industry should optimize international standards on cyber security, and stakeholders should comply with these standards.
  • End-to-end systems: It is necessary for any global ICT technology organization to adopt an open, transparent, and end-to-end cyber security assurance system to prevent malicious attacks on its software and hardware.
  • Improving network robustness: Network equipment vendors and carriers can prevent disruptions of their network from malicious attacks by taking technological and managerial measures to shore up their network robustness and data security.
  • Enhancing network resilience: Network equipment vendors and carriers must improve network resilience so that networks can quickly recover from cyber security incidents. Achieving this will ensure business continuity and protect assets and reputation.
  • Independent verification: The ICT industry needs to build a verification system that is independent and is based on facts instead of assumptions. All participants’ products should be verified fairly and without discrimination so that all parts of the network receive transparent “cyber security” screening.

3. Network users should abide by laws and regulations, increase risk awareness, and properly protect their personal assets and privacy.

  • Compliance with laws and regulations: Network users are forbidden from using the network to engage in activities that harm national security, the public interest, or personal privacy. Equally important is paying sufficient attention to safeguarding cyberspace against malicious use.
  • Self-protection: Users should take such safety measures as encrypting their accounts, passwords, contacts, data about locations, personal photos, and mobile banking data to protect their personal data online.

IV. Huawei practice: advocating openness, transparency, and cooperation; building and implementing an end-to-end and reliable global cyber security assurance system.

1. Huawei is a global commercial company. Protecting the cyber security of its world-wide customers is crucial to its fundamental interests.

  • Values: Huawei will in no way harm the interests or infringe on the security of any country, acquire any national or company secrets, or invade anyone’s personal privacy. We will never support or condone this type of behavior either, let alone accept orders to conduct such activities.
  • Commercial interests: As an independent commercial company, Huawei is wholly owned by its employees. As an international company depending on global markets for its development, Huawei will not jeopardize its global reputation to agree to the inappropriate propositions of any country. Safeguarding its global commercial interests is possible only if Huawei ensures the cyber security of customers.
  • Top priority: Ensuring the stable and secure operations of customers’ networks and business is Huawei’s top priority, particularly when earthquakes, tsunamis, and other natural disasters and emergencies take place. This prioritization guides Huawei’s actions.
  • Business areas: Huawei has and will always focus exclusively on R&D, manufacturing, and sales of civilian telecom equipment.
  • Compliance with applicable laws and regulations: Huawei has been and will always be committed to complying with all applicable laws and regulations concerning cyber security and privacy protection in the countries and regions where it operates.

2. Huawei has established an auditable, sustainable, and reliable cyber security assurance system by integrating security requirements into internal business processes. This system is supported by policies, organizational structures, designated personnel, governance, technologies, and regulations.

  • Incorporate security requirements into processes: Huawei ensures internal cyber security by incorporating cyber security requirements into end-to-end business processes, thus making cyber security a part of Huawei’s DNA.
  • Integrated Product Development (IPD) process: Huawei has integrated security assurance activities into the end-to-end IPD process. During the requirement analysis phase, security threat scenarios are analyzed. During the design phase, the security architecture is developed. During the development phase, source codes are scanned and tested to ensure security. After a product is launched, security patches are effectively managed. By adopting these approaches, Huawei can ensure that all hardware and software meet security requirements throughout the product development process.
  • Service Delivery (SD) process: By establishing rigorous product delivery, installation, and maintenance processes, Huawei ensures that engineers’ conduct and actions meet cyber security management requirements. For example, Huawei engineers must obtain permissions from carriers and comply with applicable laws before accessing carriers’ commercial equipment. Upon request by carriers, engineers who have passed local security certifications can maintain carriers’ critical network equipment. Before installation, engineers are required to be familiar with security configuration specifications. During handover, acceptance shall be conducted to ensure anti-tampering measures are in place. When providing managed services, Huawei ascribes the highest priority to the security of service data on commercial networks and end user data, robustness of commercial networks, and ability to defend against external attacks. In addition, Huawei frequently commissions independent third parties to conduct surveys on customer satisfaction in terms of security to check the effectiveness of its initiatives.
  • Issue to Resolution (ITR) process: Huawei adopts a resolution-centered approach in dealing with and managing security issues. Customers should be forewarned about holes in security in a timely manner. In the event of a security problem on a network, Huawei promptly responds to and resolves the problem, upgrades the network, and rectifies all issues. Moreover, ITR is a closed-loop improvement of security work in the IPD, Lead to Cash (LTC), and SD processes.

  • Personnel management: Security management is included in the end-to-end personnel management process, including on-boarding, in-service, and exiting processes. Personnel filling key positions must pass security certification. When employees are on-boarded, they are required to undergo training sessions for raising cyber security awareness and sign the Business Conduct Guidelines (BCG). The BCG clearly states that employees shall not inject malicious codes, malware, or back doors; access customer networks, collect, hold, process, or modify any data and information on customer networks without authorization; or attack or damage customer networks. When employees work at Huawei, they sign the BCG every year. Employees who violate cyber security rules are held accountable. After employees resign, their permissions are revoked immediately.
  • Organization: The Global Cyber Security Committee (GCSC) is the highest-level committee in charge of cyber security at Huawei. Its members include directors and presidents of relevant departments. The Committee is responsible for developing cyber security strategies, plans, policies, and roadmaps; making investment decisions; and deciding on key issues. The Global Cyber Security Officer (GCSO) and his office are responsible for establishing and implementing an end-to-end cyber security assurance system. Cyber security offices in each BG vertically report to the GCSO. In countries like the US, the UK, France, and India, we have set up local organizations to better understand customers’ security requirements.
  • Trust-nobody assumption: To avoid uncertainties due to employees’ varied network security skills, awareness, and even social backgrounds, Huawei takes nothing for granted and does not depend on the skill sets or opinions of one or a selected few individuals when designing business processes, policies, and organizations. That is, no one is trusted to unilaterally design any of these processes, policies, or organizations. We set up key control points (KCPs) in processes to check whether activities are performed as required and outputs meet the requirements. During the organizational design, we adhere to the separation of duties (SOD) to clearly define roles and responsibilities. Any bypass of a process or policy is fully recorded in the system, and all employees are held liable for their conduct.
  • Multi-eye strategy: Huawei adopts a multi-eye strategy to guarantee cyber security. When designing processes, policies, and organizations, Huawei involves experts from global professional consulting agencies. At Huawei, employees from over 140 countries have engaged in and implemented Huawei’s end-to-end processes including R&D, marketing, sales, procurement, supply chain, engineering delivery, and service delivery. Thanks to their joint efforts, Huawei has built up its leading position in solutions and products around the globe. We proactively encourage fair and non-discriminatory reviews on all industry players, including Huawei, to question our organizations, policies, and processes, which in turn helps us improve our capabilities. Huawei products go through vigorous security tests, such as the security tests conducted by internal teams who are independent of development teams, by the security test center that serves global customers, by the cyber security center serving specific areas, and by independent third parties designated by customers. By fixing and closing the issues found in these tests, Huawei has continuously improved the initial end-to-end product design, development, testing, delivery, and maintenance processes to avoid similar problems in the future. These efforts combine to provide customers with world-leading security assurance.

3. To provide secure, easy, and equal access to information services, Huawei ensures network robustness and security through continuous innovation and open cooperation and has engaged in formulating relevant international standards.

  • Cyber security in the cloud era: Compared to traditional software architectures, cloud-based software architectures present greater challenges to such things as user privacy and data security risks. These challenges exist because information assets are hosted in a centralized manner and resources are shared by multiple tenants in the cloud. To address these challenges, Huawei leverages a privacy protection mechanism that allows users to manage and control private information. Huawei also implements end-to-end security protocols, separates domains based on their security levels, and employs secure tunnel technology. All these measures aim at ensuring cyber security and robustness.
  • End-to-end security design: Huawei takes business continuity and network robustness and resilience into full consideration when designing products, solutions, and services. To that end, Huawei applies the ITU-T X.805 and other methodologies to security design, enforces mandatory security baselines, and validates security based on customers’ application scenarios. In addition, Huawei encourages employee awareness and compliance by incorporating requirements for cyber and product security design into employees’ competency and qualification criteria. This move contributes to enhanced capabilities in security design.
  • Security standardization: Huawei employees play an active role in quite a few major international and regional standards organizations such as the Institute of Electrical and Electronics Engineers (IEEE) and internet engineering task forces (IETFs). Employees who are a part of these organizations work with industry experts on cyber security issues and have published a great number of requests for comments (RFCs). Moreover, Huawei contributes scores of security-related articles to 3GPP each year. Huawei also organized the formulation of H(e)NB security standards and is collaborating with major carriers and equipment providers to push forward security research on machine to machine (M2M) and public warning systems (PWSs). Huawei proactively participates in setting security and anti-spam standards for the ITU-T cloud and virtual networks. In addition, Huawei has joined many security standards organizations (e.g., IEEE, OMA, UPnP Forum, and WiFi-Alliance) and the Forum for Incident Response and Security Teams (FIRST).

  • Continuous innovations: Through continuous innovations, Huawei maintains its leadership position and owns the largest number of intellectual property rights (IPR) in the telecom industry. Huawei respects others’ IPR. Huawei invests 10% of its revenue in R&D each year – the figure for 2011 was US$3.76 billion and that for the past decade was more than US$15 billion.

An open cyberspace produces many positive results. It fuels economic growth, bridges the digital divide, ensures balanced development across regions, boosts social efficiency, inspires innovations, and drives the advance of civilization. The development of cyberspace technologies necessitates a sound business ecosystem that encourages fair play and allows the whole society to enjoy achievements made possible by technological advancements. Ensuring the security of cyberspace is a common challenge facing the world. Therefore, governments, industries, and users must cooperate openly to fulfill their own responsibilities in ensuring cyber security.

Huawei has been providing innovative solutions to continuously create business value for its customers globally and move the industry forward. Huawei attaches the highest priority to network reliability and cyber security. We are fully aware of the importance of cyber security as well as the concerns that governments and customers have when it comes to this subject. Huawei looks forward to working further with governmental organizations and customers in an open and transparent manner to address cyber security challenges. In doing so, we aim to ensure that everyone has secure, easy, and equal access to information services.
