Huawei White Paper on Cyber Security Calls for Common International Standards

By Peter Bernstein October 18, 2013

Yes, the headline is accurate. Huawei has authored what is its second comprehensive white paper on cyber security in the past year. 

That said, because the source could raise some readers' eyebrows, a short bit of prologue is in order. The reason is that the new white paper, Cyber Security Perspectives: Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards, by John Suffolk, senior vice president, global cyber security officer at Huawei, and his team, is, in my opinion, a global ICT stakeholder “must read.”

Before discussing the report itself, which is a transparent documentation of Huawei’s assertion that cyber security is part of its DNA (unusual in its scope and detail) and which includes a much needed industry call for action, it is worth citing as context a statement at the opening of the report by Mr. Ken Hu, deputy chairman of the board of Huawei and chairman of the Huawei Global Cyber Security Committee. It is likely the most extensive statement by a Huawei executive directly addressing what Huawei believes are ill-informed accusations and misperceptions that have been generated in the global press for months. Mr. Hu states:

We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.

We confirm our company’s unswerving commitment to continuing to work with all stakeholders to enhance our capability and effectiveness in designing, developing and deploying secure technology.

We firmly believe that the world is a better place when the innovations brought about by the use of technology are maximized, they improve people’s lives, and they improve economies. Huawei will continue our open and transparent approach and responsible position to its operations and everything we do.

That, by itself, would be news were it not for the content in the report.

Operational transparency and a call for standardization, conformity assurance and cooperation

Putting aside the media noise, and to backtrack briefly, it should be mentioned that in its first cyber security white paper last year, Huawei stated its intention and commitment to work with public and private sector stakeholders to jointly capitalize on the benefits of technology and globalization, while rationally and pragmatically addressing related challenges.  They had come to the same place where industry and government leaders have reached a consensus. Everyone agrees that in a pervasively connected world cyber threats pose a real, present, powerful and persistent danger to not just national interests, but the global economy. In short, when it comes to security we must all be in this together.

In publishing this latest report, they note that there has been a significant shift globally towards greater cooperation on cyber security issues and that more and more countries have adopted a pragmatic approach by adding security laws and regulations development to their agenda.

However, there is a lot of work to be done. Indeed, recent headlines about the desires of Brazil and Germany, just to name two that have been vocal, to build their own national secure networks highlight that pragmatism, unfortunately, may not be the order of the day, as countries evaluate what to do in the wake of the NSA revelations of leaker Edward Snowden.

Huawei's latest white paper provides an incredible amount of detail on its end-to-end cyber security approach. And, when they say detail, they mean it. The report, which runs to more than 50 pages, provides an overview of the approach Huawei takes to the design, build and deployment of technology that involves cyber security considerations. It covers the company’s:

  • Overarching strategy and governance structure
  • Day-to-day processes and standards
  • Staff management
  • R&D
  • Security verification
  • Third-party supplier management
  • Manufacturing
  • Delivery and traceability

I had a chance to discuss the report with Bill Plummer, VP, External Affairs, and Andy Purdy, chief security officer at Huawei. 

Plummer noted that, “We as an industry have an obligation to restore trust. We are the largest company in the world in the communication equipment business, and while we believe we are not perfect and can improve our security practices and processes, security is a big part of our culture and we hope this white paper serves as an accelerant to industry cooperation that is verifiable and helps make the world a better and much safer place.” 

“We are at a watershed moment globally regarding cyber security.  Leaders need to lead. We think that being transparent and sharing our insights on what works can be a foundation for discussions as to how the entire community can meet the challenges of tomorrow,” he added.

Purdy, meanwhile, noted that, “Even before Snowden, there was a recognition that we needed to have a risk-informed, fact-based approach to risk mitigation. As vendors, this means transparency is paramount, standards are crucial, and compliance and assurance of compliance is the only way that makes sense for trust to be restored.”  

He observed that this covered not just technology, but people and processes, and that the industry in fact needed, through cooperation (collaboration between competitors and public-private partnerships), to make it easier for technology buyers to know what the risks are and what best practices should be used to manage them end-to-end, internally and externally.

Speaking at the Seoul Conference on Cyberspace 2013, report author Suffolk amplified Plummer and Purdy’s thoughts, stating that, "It is time to press the reset button on the security challenge and ask ourselves if we wish the future to be different from the past, and indeed today, in what way will we work together to define and agree new norms of behavior, new standards, new laws and create a new realism in the balance between privacy and security."

"The problem with standards today is that they are not standard. The more that governments, enterprises and technology vendors can detail common standards, understand their purpose and the positive difference they make and commit to their effective adoption through buyers using their buying power, the more the world will begin to see a difference. This is not about solving every problem, but it is about having a common agreement about what problems we are trying to solve and how they should be solved," Suffolk continued. "We recognize we still have much to do to continuously improve our approach. However, our commitment to openness and transparency drives everything we do and we believe the more people who review, consider, assess and question our policies and procedures, the greater the promotion and impact on our ability to deliver better quality products and services."

At the risk of sounding redundant or exhibiting what might be described as having “a keen grasp of the obvious,” the reason the report resonates so deeply is that there is comfort to be taken in the fact that leaders in the ICT industry recognize the increased centrality of their capabilities to our lives and business operations, and the catastrophic impacts that will occur should cyber security challenges not be addressed by the global community jointly.

As all of us who work in ICT know, calls for cooperation sound good in theory but are very difficult in execution. What is different this time, and it really does fit the characterizations of us being at a tipping point or watershed moment, is the enormity of the threat and the urgency for action. Huawei, especially given the level of detail it has contributed in this white paper, deserves credit for bringing the need for cooperation, collaboration, assurance and action into sharp focus.

It makes the white paper a must read for two reasons: 

  • Insights into well thought-out and articulated practices, which are already guiding operations in one of the world’s largest companies; and
  • Hopefully, it accelerates discussion that leads to pragmatic and verifiable actions.

Regardless of source, this is a message that was well delivered and, hopefully, has its desired effect.

Edited by Blaise McNamee