The 2019 Report from the UK Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has been released and highlights how collaboration between the industry and Government can lead to a more secure environment.
As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world.”
“Most importantly, the Report has not raised any concerns of ‘backdoors’, or state-sponsored espionage and specifically said that there is no evidence of Chinese state interference”.
The 2019 report however does detail concerns raised in 2018 related to software engineering issues. Huawei understands these concerns and takes them very seriously and in late 2018 Huawei’s Global Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.
These software issues are not related to 5G mobile networks or technology and are not connected to any of the concerns raised in Australia as they relate to historic network builds in the UK.
Through HCSEC, Huawei has opened itself up to more scrutiny than any other player in the industry. Every major piece of work Huawei does in the UK is subject to rigorous independent evaluation through HCSEC and all consumers can take confidence from that openness as it leads to constant improvements and greater security for customers by identifying issues and getting those resolved.
All networks have potential vulnerabilities and while the Report does highlight issues that Huawei will improve on, it shows the collaborative Evaluation approach works and reinforces the importance of working together to build better and more secure networks.
Huawei supports the Australian Government undertaking a similarly rigorous collaborative review of any potential provider of network systems. We propose a balanced framework which would manage potential risks and provide significant oversight while allowing Australians to access high quality, cutting edge technologies.
Transcript: David Wang’s Group Media Interview on March 28
Evening, March 28, 2019
BBC: My question is that the main concern of this report seems to be that the issues identified in last year’s report have not been addressed. Could I just ask why there has not been deeper discussion with the UK about addressing these concerns?
Wang Tao: Thank you for asking this question. We have just gone through the report, and we can see that this year’s report continues to recognise the effectiveness of the HCSEC mechanism. And in effect, HCSEC is an extension of Huawei’s R&D arm, so it is supporting us in improving R&D.
Regarding the issues identified in the report, Huawei and the NCSC had extensive discussions last year. We understand that the NCSC has concerns over Huawei’s software engineering capabilities. We understand these concerns and we take them very seriously. The issues identified in the report provide vital input for the ongoing transformation of our software engineering capabilities.
Since the last report was released in July 2018, the Board of Directors of Huawei has had many discussions regarding this report. On November 29, 2018, Huawei’s Board of Directors issued a Board Resolution on Companywide Transformation: Enhancing Software Engineering to Build Trustworthy, Quality Products. It also announced the investment of two billion US dollars in the transformation of software engineering capabilities. On December 27, 2018, Huawei’s founder, Mr. Ren Zhengfei, issued an open letter to all employees, entitled Comprehensively Enhancing Software Engineering Capabilities and Practices to Build Trustworthy, Quality Products. We have, according to the schedule, produced the draft of the high-level plan for software engineering capability improvement, and we are talking to the stakeholders according to the plan.
Huawei is the first company in the telecom sector to implement software engineering capability transformation. There is no precedent we can refer to and no experience we can draw from. We are actually starting a self-transformation, which is a very difficult and painful process for any enterprise. The transformation will take at least three to five years’ time. It is not something that can be completed in the short term.
Nic Fildes, Financial Times: Regarding the hundreds of vulnerabilities identified in the report and notified to the operators, is it Huawei’s responsibility to analyse and solve those vulnerabilities instead of sending them to operators or instead of letting HCSEC do the analysis?
Wang Tao: First of all, I would like to say that Huawei has a comprehensive cyber security assurance system, and a solid track record in security. Over the last 30 years, Huawei has served over three billion people around the world across more than 170 countries and regions. There has been no major network outage or malicious cyber security incident before. Huawei’s equipment has performed above the industry average in terms of reliability and stability.
The ICT industry involves very complicated software and hardware systems, in which vulnerabilities are difficult to avoid. Huawei has established a product security incident response team, or the PSIRT Team, which is a specialized global team responsible for collecting, troubleshooting, resolving, and disclosing product vulnerabilities according to ISO/IEC 29147 and ISO/IEC 30111 standards. The vulnerabilities identified by HCSEC have already entered Huawei’s vulnerability management process.
No matter who makes the equipment, there will always be vulnerabilities in the equipment, because both hardware and software are complicated systems. These systems are made by people, and people tend to make mistakes. HCSEC provides unique information to help UK operators manage the risks of using Huawei’s equipment. The OB report also states that this report does not suggest that the UK networks are more vulnerable than last year. Indeed, the significant technical insight provided by HCSEC to UK operators allows them to plan more effective mitigations.
Since 2010, Huawei has drawn on the industry’s security practices and worked with security companies like Cigital. Huawei has built a comprehensive SDL security R&D process from end to end to improve the security of our products.
Thomas Seal, Bloomberg: My question is about the DCMS supply chain review. Are you worried that today’s report will influence a possible telco ban on 5G products of Huawei when it comes back in a couple of months?
Wang Tao: Thank you for your question. We’re actively engaging in the supply chain review of DCMS. We all know that the requirements for vendors come from customers, who are the telecom operators in our case, and we’re glad that we have met the business and security requirements of our customers. The ideas and recommendations from NCSC provide input to UK operators and Huawei, so both the operators and Huawei need to consider how to best adopt and use these ideas and recommendations.
Regarding 5G, we started investing in 5G in 2009. So far, we have invested more than two billion US dollars in 5G R&D, and we have declared over 2,500 patents.
So far, we have signed 39 commercial 5G contracts and our technology maturity is at least 12–18 months ahead of our competitors. We have absolute leadership of 5G in the market, and we hope that our leadership in 5G can help the UK to build the best 5G networks and serve UK customers well.
We believe the DCMS supply chain review will make the right choice, and we also believe that DCMS recommendations to operators will enable them to build not only secure telecom infrastructure, but also the most advanced 5G networks that will benefit all users in the UK.
Alex Ralph, The Times: Obviously HCSEC has been running for eight years, and there have been a number of issues raised, not least in last year’s report, so why did you leave them until last November for Huawei’s transformation programme? Why haven’t you addressed them earlier?
Wang Tao: Thank you for your question, Alex. Here I want to review our history of collaboration with NCSC. Eric Xu, our Rotating Chairman, told this story during another interview earlier.
Our collaboration with NCSC has gone through three stages:
In the first stage, we focused on verifying that Huawei’s products have no maliciously implanted back doors. We can say that through that collaboration, this point has been proven, that Huawei’s products are secure and have no maliciously implanted back doors.
The second stage is about making efforts to prove that our telecom products deployed in the UK are secure and reliable enough to withstand cyber attacks. I think the goal for this stage has also been achieved. The test results of many third parties have echoed this point.
Now we’ve entered the third stage. In this stage, we need to prove that our products are trustworthy in both process and results. Trustworthiness not only means that our products are secure as a result, but also suggests that all our processes for ensuring product integrity and security are traceable.
Many issues identified in this report are about efforts that we need to make in this third stage – trustworthy results and processes. That’s why I just mentioned that Huawei’s products have been proven as the most advanced and reliable on live networks over the past 30 years. But still, there are some issues pointed out in this report about how we should make our processes trustworthy.
We believe the telecom sector needs to set a higher bar for cyber security. Remarks by NCSC CEO Mr. Ciaran Martin in Brussels also made this clear. Huawei has started the transformation programme to improve our software engineering capabilities with the aim of producing the most trustworthy telecom products. But we found that there are no standards for establishing trustworthy processes and results. That’s why we think that the governments and industry organizations should work together to produce such standards. We call on the industry to come up with a common set of cyber security standards for equipment providers. We also call on all telecom carriers and equipment providers to work together and build truly secure and trustworthy networks. Thank you.
Reuters: Hi, gentlemen. Thanks for your time. I have two related questions. One is that the report clearly concluded that it finds serious and more defects in Huawei’s software engineering. How do you explain why Huawei’s products have flaws? And for the 2-billion-dollar project to fix software engineering, why does it cost so much to fix this problem and what specifically would that entail?
Wang Tao: Thank you for your question.
First, we must be aware of the fact that today’s telecom networks have become very complicated. There are wireless networks, fixed networks, and IP networks that adopt the traditional architecture. And we also have new intelligent and cloud-based infrastructure.
We can say that as a leading ICT solutions provider, Huawei has developed a lot of products over the last 30 years, which have been deployed on live networks. There are some gaps in our ability to deal with security risks, software techniques, and coding capabilities, as they may not keep up with today’s increasingly complicated networks.
For this reason, we are implementing this systematic transformation over the next ten years to completely overhaul our software engineering in all respects, from R&D processes, organizations, culture, and capabilities, to investment strategies. Through this programme, we hope that we can maintain our leadership in the industry with regard to our product security, the trustworthiness of all our processes and results, and product competitiveness.
Second, we have also heard the officials from NCSC saying that their oversight mechanism of Huawei is the most rigorous and stringent in the world. And there is no other vendor that has accepted such a high-level and stringent review. This again demonstrates our commitment to openness and transparency.
More importantly, the NCSC also points out that these defects identified in the report have nothing to do with activities of the Chinese government.
The issues identified in the report provide vital input for the ongoing transformation of our software engineering capabilities. We’re actively embracing these challenges. After three to five years, when this programme comes to a close, we would like to see that our competitive edge is honed from all aspects: trustworthiness, security, and technological leadership.
Natasha, The Telegraph: Hello everyone, hello David, thank you very much for taking questions. I will take a relatively quick one. Earlier in the conversation you were describing this painful process of the transformation programme you have proposed but not yet achieved. I’m wondering specifically if you have a response to the Oversight Board saying they haven’t seen anything to give it confidence in your capacity to successfully complete the elements of its transformation programme. Thank you.
Wang Tao: First, I’d like to say that we are very cautious about the transformation programme. The Board of Directors and the founder of Huawei take it very seriously, and have been committed to implementing the transformation. As a programme that will impact our 80,000 R&D personnel, this transformation will fundamentally change our culture, our processes and systems, and our staffing. It is very complicated and very challenging. Since last year’s report was released, we have spent time developing a comprehensive transformation plan. We initiated the transformation last November, because it took us some time to prepare for this. We have already drafted the high-level plan for the transformation programme internally by the end of March, and very soon we’ll start to communicate this programme to stakeholders including NCSC. We will listen to all the stakeholders’ recommendations and comments and take them as input to finalize our plan.
We’d like to take this transformation programme as the second transformation of Huawei’s R&D team comprising 80,000 people. The first transformation across Huawei’s R&D took place in 1998. That transformation, started 20 years ago, helped us grow from a small company to an ICT leader today. Our past practices show that once we have determined our direction and objectives, Huawei’s strong execution can make sure we achieve those objectives and goals.
The transformation across R&D this time aims at the next 10 years or even longer. We believe this programme will help us gain a bigger lead in the ICT market, and it will lay a solid foundation to further improve our capabilities. With our experience and lessons learnt from the first transformation, we believe this time we’ll succeed as well. Thank you!
Thomas Seal, Bloomberg: Hi, I have a second question. I just want to check. In the 3–5 year timetable, the UK 5G rollout will be half-completed by the time this programme is completed, so are you confident that it’s fast enough to secure approval? Is it the fastest that it can possibly go?
Wang Tao: Thank you for your question, Thomas. First, I’d like to say that this transformation is about building our leadership in the next 10 years or even longer. It is not a transformation of a single technology or a single market. In 5G, we’re a leader recognised by the market. Our market performance and the preference of our customers have shown such leadership in 5G. For our 5G products and solutions, we are ahead of our competitors in terms of specifications, performance, security, and reliability. Globally, we have signed 39 commercial 5G contracts and shipped over 50,000 5G base stations. The transformation progress, therefore, does not affect the fast and secure rollout of 5G. Our focus in the transformation programme is to lead the market in terms of trustworthiness both in process and results. It has no direct relationship with the performance, functions, and reliability of our 5G products. We’re confident and capable of building the most advanced, reliable, and secure 5G networks for our customers. We’re also committed to bringing the best user experience to the customers of operators. For government customers and other stakeholders, we promise that we’ll strive to serve them better and continue to improve our software engineering capabilities. Thank you!