HUAWEI TECHNOLOGIES CO., LTD.

Cybersecurity and Trade

Andy Purdy, Chief Security Officer, Huawei Technologies USA

[email protected]

2014-9-24


Cyber Threat

“The Cyber threat is one of the most serious economic and national security challenges we face as a Nation.”

President Obama 2013

THREAT: Attacks Against Critical Infrastructure & National Security Systems.

Theft of Intellectual Property & Government Secrets.

THREAT ACTORS: Hacktivists, Terrorists, Organized Crime, Sovereign States.

VULNERABILITIES: Poor Coding Practices, Inadvertence, Negligence, Malicious Intent.


Cyber Threat

• Four primary types of malicious actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists.

• Types of attacks:

– Distributed Denial-of-Service (DDoS) attacks that have interrupted or suspended the service of web servers at banks.

– Theft and general invasions of privacy by “keystroke logging.”

– Economic espionage and trade secret theft.

– The cyber threat also takes the form of destructive malware.

• Collaborations and Partnerships: DIB Framework; partnerships with law enforcement, private industry, and academia through initiatives such as InfraGard, National Cyber-Forensics and Training Alliance (NCFTA), NCSA, and ISACs.


Improving the Nation’s Defenses: Executive Order on Cybersecurity

EO 13636: Improving Critical Infrastructure Cybersecurity

• Calls for Public/Private Sector Collaboration in Information Sharing.

• NIST to establish Cybersecurity Framework of Standards and Best Practices for critical infrastructure; draft due October 2013.

• Identifies need to reduce vulnerabilities of government networks and systems by directing GSA to revise procurement processes and requirements.

• GAO: Supply chain risk may be part of the Cybersecurity Framework draft of standards and best practices to protect critical infrastructure to be released in October.

• At the 2nd NIST workshop, a NIST official noted the potential value of considering for ICT products and services “conformity assessment approaches” like those used in other product/service areas.

• Conformity assessment approaches could be used to evaluate ICT products and ensure trusted delivery for installation, servicing, and updates.


Global Supply Chain: Overreaching on the Budget Bill

• With time running out and a furlough imminent on April 1, 2013, a small provision (Section 516) was added at the last minute to the Congressional Continuing Resolution (CR) funding the Government through September 2013 that would preclude procurement by select Federal Agencies from companies owned, directed or subsidized by the PRC.

• In 2014, the Senate passed a provision that did not have an anti-geographic focus (against China).


Global Supply Chain: U.S. Industry Objected to Procurement Bans

“Geographic-based restrictions run the risk of creating a false sense of security…undermining the advancement of global best practices and standards on cybersecurity.”

“Section 516 creates challenges that could undermine U.S.-based companies’ global competitiveness.”*

*Excerpted from April 4, 2013 letter from multiple U.S. industry and trade associations to Congressional Leadership commenting on Section 516 of the Continuing Resolution funding the U.S. Government through the Fiscal Year which would effectively ban select Federal Department procurement from companies “owned, directed or subsidized by the People’s Republic of China.”


Global Supply Chain: The White House Agreed with the Private Sector

• "The undefined terms of this provision will make implementation challenging,"

• "It could prove highly disruptive without significantly enhancing the affected agencies’ cybersecurity. While the Administration has raised concerns about the cyber threats emanating from China, resolving this issue requires open dialogue between the U.S. and China.”

Quotes from White House spokesperson as quoted in “The Hill” on April 5, 2013


Global Supply Chain: Huawei Perspective

Cybersecurity is a shared global problem requiring risk-based approaches, best practices, and international cooperation to address the challenge.

Transparency and an even-handed partnering approach across our industry by the public and private sectors are necessary to proactively manage cybersecurity and global supply chain risk mitigation.

Huawei is dedicated to collaborating, innovating and establishing international standards with other global organizations to ensure that the integrity and security of networked solutions and services meet or exceed the needs of our customers and provide the assurance and confidence required by their own customers.

See Huawei’s Second Security White Paper, “Cyber Security Perspectives -- Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards.”

http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-310548.htm


Improving the Nation’s Defenses: Huawei’s Approach that Promotes Fair Trade Policy

• Huawei actively participates in the development and implementation of international standards and best practices;

• Actively participates in The Open Group Trusted Technology Forum developing global supply chain assurance standards and third-party accreditation process;

• Huawei implements a global supply chain assurance program featuring transparency, end-to-end assurance, traceability, breach & tampering protections, and independent 3rd-party evaluation & assessment; and

• Implements and maintains trusted product assurance programs in the UK and North America meeting the security assurance needs of its global customers.


Improving the Nation’s Defenses: Huawei’s Principles of Security Assurance

Openness, Transparency and Cooperation: Working with stakeholders to meet and resolve security challenges.

No “Back Doors” and Tamper Proof: Processes and technologies to protect against unauthorized tampering and breach, using technologies such as digital signatures.

Traceability: Traceable products, solutions, services and components using management tools and integrated systems.

Compliance with Laws and Regulations: Security/privacy requirements embedded into business processes.

Proactive End-2-End Security Assurance: Risk management/assurance incorporated into design, development and operation to address the dynamic threat environment.

Assurance Verified by Independent Third-parties: Global capability for independent testing, verification, and certification of products using approved third-parties.


Possible elements for international agreement regarding trade and security


Improving the Nation’s Defenses: Huawei’s Assurance Program

The following are the components of the Huawei Assurance Program, closely aligned with the NIST Technical Report on Supply Chain Assurance and with the Open Group Supply Chain standard:

Legal compliance

R&D Security

Security Verification

Service Delivery Security

Security Issue Communication and Resolution (CERT/PSIRT)

Supply Chain Security

Procurement Security

Traceability

HR Management


Global ICT Security Challenges: Addressing risk while keeping promises re: trade

Global

• Sovereign Agreements on Norms of Conduct

• International Norms – Public and Private

• Global Norms of Conduct for ISPs and Carriers

ICT Industry

• Standards and Certification

Every vendor has certified processes in place that conform to global standards.

• Supply Chain Security

• Product Evaluation

Product risk evaluation before deployment

• Delivery System Security

Standardized process ensuring that a secured product is installed and that updates and service are secured.

Global and National

• Coordinated Approach Against Malicious Activity


Restoring Trust, Ensuring Integrity: Possible framework for international agreement


Restoring Trust, Ensuring Integrity

Supply Chain Standards and Certification

• Every vendor adheres to certified processes that conform to global standards (e.g., Open Group).

Risk-based Product Evaluation Per Global Standards

• Baseline certification requirements: self- or 3rd-party certification of conformity (e.g., NIST SP 800-161, e.g., SA-11)

• Higher risk/assurance requirements: tri-party MOU (customer/evaluator/government); dynamic threat assessment (NOT disclosed to vendor)

Delivery System Security

• Standardized processes ensuring secure product installation, management, update and service.


May 23, 2013

Finally, Saw (Clearwire CTO) reiterated that Clearwire is "subjecting every LTE base station vendor to a Trusted Delivery Program whereby we require that all of our vendors' base station and software pass extensive testing by a U.S. government-approved third party company recognized for vetting critical infrastructure systems for security weaknesses and threats."

Real-world Implementation


Global ICT Challenges: Huawei’s Perspective on Cyber Risk and Trade

• Global Cyber Threat, including Supply Chain: industry-wide problems require collaboration and information sharing among private and public entities, and the development and leveraging of industry standards and best practices to mitigate risks;

• Industry-Wide Application: all requirements applied to all vendors to assure product and service security;

• US Framework for ICT product evaluation leveraging international standards and best practices supported by government and industry;

• Effective assurance requires processes to ensure that evaluated products are unchanged throughout installation and not compromised during post-installation updates and servicing.


Draft Supply Chain Risk Model: Leverage purchasing power to reduce risk

• Key Incentive: leverage the purchasing power of government and commercial buyers to raise the cyber security/assurance bar

• Recognized standard and third-party accreditation of conformance (Open Group)

• Risk-based tiers of product evaluation appropriate to buyer: assessment of criticality and risk of product

– Baseline certification requirements: What are baseline requirements for evaluation? Self- or third-party certification with proof of conformance. See NIST SP 800-161 (e.g., SA-11).

– Advanced evaluation (higher risk/assurance requirement): tri-party MOU (customer/evaluator/government); address dynamic threats; use latest tools (NOT disclosed to vendor).

– Highest risk/assurance: trusted delivery covering installation/updates/services.


Improving the Nation’s Defenses: Huawei’s Approach (Product assurance programs – enhanced trust and security)

• In the U.S., Huawei and EWA have set up a security evaluation model for third-party verification of Huawei products being sold into the U.S. market, as necessary and commercially meaningful.

• In the UK, Huawei has established the Cyber Security Evaluation Centre with security clearances approved by UK government.

• In Australia, unrelated to Huawei, an independent lab is being considered to provide security assurance testing of software, hardware, system integration and network assurance to ensure that infrastructure and systems comply with a minimum set of security requirements.


Beyond the NSA, the international spillover also could be significant, said Michael Hayden, who has directed both the NSA and Central Intelligence Agency. Revelations about the NSA's surveillance operations are fueling international efforts to divide up the Internet by country, he said, which is a movement the U.S. government—and U.S. tech companies—have worked hard to prevent. "This is threatening the existence of the World Wide Web," Mr. Hayden said, adding that a Balkanization of the Internet is "a no-fooling danger."


Andy Purdy, Chief Security Officer

Huawei Technologies [email protected]

www.usahuawei.com

Thank you!