76 Huawei Investment & Holding Co., Ltd.
■ Maximizing technological innovation to
reduce risks to customers: We have introduced
full-stack security technologies into ICT products
to enhance product security and resilience. These
technologies include host intrusion detection,
sandboxing functionality, container security, CPU
side-channel attack detection, web application
security, and intelligent risk control. We have also
deployed memory code integrity measurement
on 5G gNodeBs, ensuring runtime code security.
Furthermore, we have enhanced kernel integrity
protection on mobile phones, and applied key
security technologies such as real-time detection
of kernel attacks and AI-based detection of
unknown threats to improve mobile phone security.
Another area in which we innovated was mobile
apps. Dynamic and static privacy
data access compliance detection technologies
will detect exceptions in mobile applications, such
as permission abuse, malicious behavior, and
pirated applications. This not only ensures that the
AppGallery complies with Android Green Alliance
2.0, but also provides for a clean and sustainable
application software ecosystem.
■ Maximizing the use of AI in developing security
products and solutions: We have launched
a series of security products and components
centering on AI-powered security risk identification,
security situational awareness, security risk
prevention and response, and security ecosystem.
These tools are integrated with our 5G, IoT, and
cloud solutions to provide intelligent network
boundary protection and defense, real-time
situational awareness, and efficient closed-loop
handling of security risks, helping customers build
network resilience and protect themselves and their
customers.
■ Strengthened the independent verification
mechanism: We have fully supported the
independent verification of Huawei cyber security
by stakeholders. In addition, we have assured and
verified our cyber security management systems,
products, services, and personnel through quality
monitoring, internal and external auditing, and
standards certification, meeting stakeholders’ cyber
security requirements across all of our business
processes (e.g., R&D, sales, service, and supply),
helping us to enhance external confidence in
Huawei’s overall approach to cyber security. Take
product security standards certification as an
example. We continue to work with authoritative
certification organizations and third-party labs in
the UK, Germany, France, the Netherlands, Spain,
and Sweden to obtain high-level certification. In
2019, our major products obtained more than 20
cyber security and privacy certifications inside and
outside China. These include:
● HongMeng Kernel: CC EAL5+ certification
● HUAWEI CLOUD: World’s first batch of ISO/IEC
27701:2019 certification
● EulerOS: CC EAL4+ certification
● EMUI 10.0: ePrivacyseal
● Kirin 990 5G chip: Financial security certification
from the People’s Bank of China
Our bug bounty program in HUAWEI CLOUD,
Huawei Mobile Services, mobile phones, and other
domains is a continued success. We have also
collaborated with multiple White Hat security
experts to build a responsible, transparent,
collaborative, and secure vulnerability ecosystem,
all contributing to ever safer and more resilient
technology.
■ Supply chain cyber security risk management
and capability building: Huawei’s comprehensive
supply chain security management system is certified
to ISO 28000, enabling us to identify and control
security risks throughout the supply chain lifecycle.
We produced 28 types of industry-leading material
security specifications and security sourcing test
standards, along with 11 sets of industry-leading
standards for the certifications of our supplier cyber
security systems. Our suppliers must pass a rigorous
security sourcing test and obtain system certification
before they are accepted. In 2019, we assessed,
tracked, and managed the risks of more than 3,800
suppliers worldwide. We signed data processing
agreements (DPAs) with more than 3,000 suppliers
and continued to run due diligence to ensure
compliance with privacy obligations.
We released the supply availability security
baseline and implemented it in all of our 145
newly-developed products. Furthermore, we
developed an in-transit exception dashboard
to provide real-time warnings about exceptions
such as abnormal stay and route deviation. We
restructured the product delivery tracing system,
allowing us to trace software information within
one hour and trace hardware information (from
incoming materials to delivery to customers) within
one day to facilitate the speedy and transparent
resolution of issues and to further mitigate
risks.