Huawei's Yang issues supply chain cybersecurity warning
Global telecoms giant Huawei has outlined its approach to improving supply chain security, in the face of the ever-growing threat posed by cybercriminals.
Huawei’s Global Cyber Security and Privacy Officer Sean Yang delivered a keynote on the subject at GovWare 2023, one of Asia’s top cybersecurity events, which attracted an estimated 10,000 global cybersecurity experts, end-users, as well as representatives from government ministries and agencies.
Huawei designs, develops, manufactures and sells telecoms equipment, consumer electronics and smart devices, offering integrated solutions across telecom networks, IT, smart devices and cloud services.
Yang told the conference that cyberattacks “are growing increasingly severe and pose significant challenges on supply chain security”.
He added: “To address these risks and challenges, collaborative effort from both upstream and downstream stakeholders in the industry is necessary.
“In order to ensure supply chain security, companies need to effectively build security into products, and focus on supplier management, open-source software management, R&D and production management.
“Effective vulnerability management is a crucial control of supply chain security. Companies need to effectively manage their upstream sources, including open-source and third-party.”
Downstream services 'vital to supply chain security'
Yang also said product security must be “assured through secure development practices and continuous lifecycle security”, and that businesses “must provide excellent service to their downstream customers or tenants”.
Yang also shared with his audience Huawei's vulnerability management practices, as laid out in its paper, ‘Huawei Vulnerability Management’.
In this, the company outlines its management principles around telecoms vulnerabilities. These include:
- Harm and risk reduction Its vision for vulnerability management is to ‘reduce the harm and security risks caused by vulnerabilities in our products and services to customers and users’. This vision, it says, ‘guides us when handling and disclosing vulnerabilities’.
- Vulnerability reduction and mitigation Huawei says that although the industry recognises vulnerabilities are inevitable ‘we strive to reduce vulnerabilities in products and services’, and adds that it also ‘provides risk mitigations for customers and users once vulnerabilities in products and services are found’.
The company adds that it has ‘a full-view and end-to-end vulnerability management mechanism’ throughout its product life cycles, designed to ‘rapidly detect, investigate, mitigate, and fix vulnerabilities and support customers in risk mitigation’. - Proactive management Vulnerability issues, it says, ‘need to be resolved through upstream and downstream collaboration in the supply chain’. It adds that it ‘proactively identifies and fulfils our responsibilities on vulnerability management and build our management system based on laws, regulations, contracts, and open standards to proactively manage vulnerabilities’.
- Continuous improvement Cybersecurity, says the company, is ‘a constantly evolving process where threats and attacks also evolve constantly’. As such, it says that defence ‘must be adapted accordingly, and that it ‘continues to learn from industry standards and best practices in order to drive the maturity of our vulnerability management.
- Openness and collaboration Huawei says it adopts an open and cooperative attitude in order to ‘strengthen the connection with the supply chain and external security ecosystem’, and that it seeks to enhance collaboration with stakeholders ‘to build trusted cooperation relationships’.
A recent report from software supply chain management company, Sonatype shows there have been twice as many software supply chain cyberattacks in 2023 than in the previous three years, with so-called back-door attacks targeting supply chains, as a means to work upstream or downstream to larger organisations.