Presentation transcript:

1 Cybersecurity and Trade
Andy Purdy, Chief Security Officer, Huawei Technologies USA
HUAWEI TECHNOLOGIES CO., LTD.

2 Cyber Threat
“The Cyber threat is one of the most serious economic and national security challenges we face as a Nation.” – President Obama, 2013
THREAT: Attacks against critical infrastructure and national security systems; theft of intellectual property and government secrets.
THREAT ACTORS: Hacktivists, terrorists, organized crime, sovereign states.
VULNERABILITIES: Poor coding practices, inadvertence, negligence, malicious intent.

3 Cyber Threat
Four primary types of malicious actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists.
Types of attacks:
– Distributed Denial-of-Service (DDoS) attacks that have interrupted or suspended the service of web servers at banks.
– Theft and general invasions of privacy by “keystroke logging.”
– Economic espionage and trade secret theft.
– The cyber threat also takes the form of destructive malware.
Collaborations and Partnerships: DIB Framework; partnerships with law enforcement, private industry, and academia through initiatives such as InfraGard, the National Cyber-Forensics and Training Alliance (NCFTA), NCSA, and ISACs.

4 Improving the Nation’s Defenses: Executive Order on Cybersecurity
EO 13636, Improving Critical Infrastructure Cybersecurity:
– Calls for public/private sector collaboration in information sharing.
– NIST to establish a Cybersecurity Framework of standards and best practices for critical infrastructure; draft due October.
– Identifies the need to reduce vulnerabilities of government networks and systems by directing GSA to revise procurement processes and requirements.
GAO: Supply chain risk may be part of the Cybersecurity Framework draft of standards and best practices to protect critical infrastructure, to be released in October.
At the 2nd NIST workshop, a NIST official noted the potential value of considering for ICT products and services “conformity assessment approaches” like those used in other product/service areas. Conformity assessment approaches could be used to evaluate ICT products and ensure trusted delivery for installation, servicing, and updates.

5 Global Supply Chain: Overreaching on the Budget Bill
With time running out and a furlough imminent April , a small provision (Section 516) was added at the last minute to the Congressional Continuing Resolution (CR) funding the Government through September 2013 that would preclude procurement by select Federal Agencies from companies owned, directed or subsidized by the PRC.
In 2014, the Senate passed a provision that did not have an anti-geographic focus (against China).

6 Global Supply Chain: U.S. Industry Objected to Procurement Bans
“Geographic-based restrictions run the risk of creating a false sense of security…undermining the advancement of global best practices and standards on cybersecurity.”
“Section 516 creates challenges that could undermine U.S.-based companies’ global competitiveness.”*
*Excerpted from the April 4, 2013 letter from multiple U.S. industry and trade associations to Congressional Leadership commenting on Section 516 of the Continuing Resolution funding the U.S. Government through the Fiscal Year, which would effectively ban select Federal Department procurement from companies “owned, directed or subsidized by the People’s Republic of China.”

7 Global Supply Chain: The White House Agreed with the Private Sector
“The undefined terms of this provision will make implementation challenging.”
“It could prove highly disruptive without significantly enhancing the affected agencies’ cybersecurity. While the Administration has raised concerns about the cyber threats emanating from China, resolving this issue requires open dialogue between the U.S. and China.”
Quotes from a White House spokesperson as quoted in “The Hill” on April 5,

8 Global Supply Chain: Huawei Perspective
Cybersecurity is a shared global problem requiring risk-based approaches, best practices, and international cooperation to address the challenge.
Transparency and an even-handed partnering approach across our industry by the public and private sectors are necessary to proactively manage cybersecurity and global supply chain risk mitigation.
Huawei is dedicated to collaborating, innovating and establishing international standards with other global organizations to ensure that the integrity and security of the networked solutions and services meet or exceed the needs of our customers and provide the assurance and confidence required by their own customers.
See Huawei’s Second Security White Paper, “Cyber Security Perspectives -- Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards.”

9 Improving the Nation’s Defenses: Huawei’s Approach that Promotes Fair Trade Policy
– Huawei actively participates in the development and implementation of international standards and best practices;
– Actively participates in The Open Group Trusted Technology Forum, developing global supply chain assurance standards and a third-party accreditation process;
– Huawei implements a global supply chain assurance program featuring transparency, end-to-end assurance, traceability, breach and tampering protections, and independent 3rd-party evaluation and assessment; and
– Implements and maintains trusted product assurance programs in the UK and North America meeting the security assurance needs of its global customers.

10 Improving the Nation’s Defenses: Huawei’s Principles of Security Assurance
Possible elements for international agreement regarding trade and security
– Openness, Transparency and Cooperation: Working with stakeholders to meet and resolve security challenges.
– No “Back Doors” and Tamper Proof: Processes and technologies to protect against unauthorized tampering and breach, using technologies such as digital signatures.
– Traceability: Traceable products, solutions, services and components using management tools and integrated systems.
– Compliance with Laws and Regulations: Security/privacy requirements embedded into business processes.
– Proactive End-2-End Security Assurance: Risk management/assurance incorporated into design, development and operation to address the dynamic threat environment.
– Assurance Verified by Independent Third-parties: Global capability for independent testing, verification, and certification of products using approved third parties.

11 Improving the Nation’s Defenses: Huawei’s Assurance Program
The following are the components of the Huawei Assurance Program, closely aligned with the NIST Technical Report on Supply Chain Assurance and with the Open Group Supply Chain standard:
– Legal compliance
– R&D Security
– Security Verification
– Service Delivery Security
– Security Issue Communication and Resolution (CERT/PSIRT)
– Supply Chain Security
– Procurement Security
– Traceability
– HR Management

12 Global ICT Security Challenges: Addressing risk while keeping promises re: trade
– Global Sovereign Agreements on Norms of Conduct: International norms, public and private.
– Global Norms of Conduct for ISPs and Carriers.
– ICT Industry Standards and Certification: Every vendor has certified processes in place that conform to a global standard.
– Supply Chain Security.
– Product Evaluation: Product risk evaluation before deployment.
– Delivery System Security: Standardized process ensuring that the secured product is installed and that updates and service are secured.
– Global and National Coordinated Approach Against Malicious Activity.

13 Restoring Trust, Ensuring Integrity: Possible framework for international agreement
ICT Vendors:
– Global industry-wide initiative to identify risks
– Global industry-wide certifiable security assurance standards
Service Providers/Data Managers:
– Global norms of conduct for ISPs and Carriers
– Transparent legal and regulatory environment
Government:
– Multilateral sovereign agreements on cyber behavior

14 Restoring Trust, Ensuring Integrity
ICT Vendors: Global industry-wide initiative to identify risks; global industry-wide certifiable security assurance standards.
Supply Chain Standards and Certification: Every vendor adheres to certified processes that conform to global standards (e.g., Open Group).
Risk-based Product Evaluation Per Global Standards:
– Baseline certification requirements: Self- or 3rd-party certification of conformity (e.g., NIST SP , e.g., SA-11)
– Higher risk/assurance requirements: Tri-party MOU (customer/evaluator/government); dynamic threat assessment (NOT disclosed to vendor)
Delivery System Security: Standardized processes ensuring secure product installation, management, update and service.

15 Restoring Trust, Ensuring Integrity: Real-world Implementation
(The slide repeats the Supply Chain Standards and Certification, Risk-based Product Evaluation and Delivery System Security points of slide 14.)
May 23, 2013: Finally, Saw (Clearwire CTO) reiterated that Clearwire is "subjecting every LTE base station vendor to a Trusted Delivery Program whereby we require that all of our vendors' base station and software pass extensive testing by a U.S. government-approved third party company recognized for vetting critical infrastructure systems for security weaknesses and threats."

16 Global ICT Challenges: Huawei’s Perspective on Cyber Risk and Trade
– Global Cyber Threat, including Supply Chain: industry-wide problems require collaboration and information sharing among private and public entities, and the development and leveraging of industry standards and best practices to mitigate risks;
– Industry-Wide Application: all requirements applied to all vendors to assure product and service security;
– US Framework for ICT product evaluation leveraging international standards and best practices supported by government and industry;
– Effective assurance requires processes to ensure that evaluated products are unchanged throughout installation and not compromised during post-installation updates and servicing.
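Slide 10 names digital signatures as the technology behind tamper protection, and slide 16 asks for processes that keep an evaluated product unchanged through installation and later updates. As an added illustration (not from the slides and not Huawei's or any evaluator's actual tooling), the Go program below shows the smallest mechanism that meets both points: after testing, the third-party evaluator signs a manifest of SHA-256 file hashes with an Ed25519 key; at install time and at every update the operator verifies the signature with the evaluator's public key and then rejects any release whose files were changed, removed or added. All file contents, paths and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release maps a file path inside a product release to its contents.
// Sample releases in this example are constructed; they are not real artifacts.
type Release map[string][]byte

// Errors returned by VerifyInstall; errors.Is lets callers distinguish them.
var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrFileMismatch = errors.New("installed file differs from evaluated manifest")
	ErrMissingFile  = errors.New("file listed in manifest is missing from the installation")
	ErrUnlistedFile = errors.New("installed file is not listed in the evaluated manifest")
)

// Manifest renders the release as a canonical "path sha256hex" listing sorted
// by path, so the same set of files always yields the same bytes to sign.
func Manifest(r Release) []byte {
	paths := make([]string, 0, len(r))
	for p := range r {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(r[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignRelease is the evaluator's step after testing: sign the manifest. Only the
// manifest is signed; the hashes inside it bind every file to that signature.
func SignRelease(priv ed25519.PrivateKey, r Release) (manifest, sig []byte) {
	manifest = Manifest(r)
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyInstall is the operator's step at installation and again at each update:
// check the signature, then require the installed files to match the manifest
// exactly (no changed, missing or extra files).
func VerifyInstall(pub ed25519.PublicKey, manifest, sig []byte, installed Release) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[0]] = fields[1]
	}
	for p, want := range expected {
		data, ok := installed[p]
		if !ok {
			return fmt.Errorf("%w: %s", ErrMissingFile, p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrFileMismatch, p)
		}
	}
	for p := range installed {
		if _, ok := expected[p]; !ok {
			return fmt.Errorf("%w: %s", ErrUnlistedFile, p)
		}
	}
	return nil
}

func main() {
	// Evaluator side: one key pair per accredited evaluator (constructed here).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	evaluated := Release{
		"bin/bts-controller": []byte("constructed firmware image v1"),
		"etc/bts.conf":       []byte("constructed config"),
	}
	manifest, sig := SignRelease(priv, evaluated)

	// Operator side: the shipped release is exactly what was evaluated.
	fmt.Println("clean install:", VerifyInstall(pub, manifest, sig, evaluated))

	// A later "update" altered one file; the manifest check reports it.
	altered := Release{
		"bin/bts-controller": []byte("constructed firmware image v1, altered in transit"),
		"etc/bts.conf":       []byte("constructed config"),
	}
	fmt.Println("altered file:", VerifyInstall(pub, manifest, sig, altered))
}
```

The evaluator's public key, not the vendor's, is what the operator pins: that is what makes the check independent of the party whose product is being assessed, and a release rebuilt or patched after evaluation fails verification until it is re-evaluated and re-signed.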

17 Draft Supply Chain Risk Model: Leverage purchasing power to reduce risk
Key Incentive: leverage the purchasing power of government and commercial buyers to raise the cyber security/assurance bar.
– Recognized standard and third-party accreditation of conformance (Open Group)
– Risk-based tiers of product evaluation appropriate to the buyer: assessment of criticality and risk of product
– Baseline certification requirements. What are baseline requirements for evaluation? Self- or third-party certification with proof of conformance; see NIST SP (e.g., SA-11)
– Advanced evaluation (higher risk/assurance requirement): Tri-party MOU (customer/evaluator/government); address dynamic threats; use latest tools (NOT disclosed to vendor)
– Highest risk/assurance: Trusted delivery covering installation/updates/services

18 Improving the Nation’s Defenses: Huawei’s Approach
Product assurance programs – enhanced trust and security
– In the U.S., Huawei and EWA have set up a security evaluation model for third-party verification of Huawei products being sold into the U.S. market, as necessary and commercially meaningful.
– In the UK, Huawei has established the Cyber Security Evaluation Centre with security clearances approved by the UK government.
– In Australia, unrelated to Huawei, an independent lab is being considered to provide security assurance testing of software, hardware, system integration and network assurance to ensure that infrastructure and systems comply with a minimum set of security requirements.

19 Beyond the NSA, the international spillover also could be significant, said Michael Hayden, who has directed both the NSA and Central Intelligence Agency. Revelations about the NSA's surveillance operations are fueling international efforts to divide up the Internet by country, he said, which is a movement the U.S. government—and U.S. tech companies—have worked hard to prevent. "This is threatening the existence of the World Wide Web," Mr. Hayden said, adding that a Balkanization of the Internet is "a no-fooling danger."

20 Thank you!
Andy Purdy, Chief Security Officer, Huawei Technologies USA