Huawei's Yang issues supply chain cybersecurity warning

Huawei Global Cyber Security and Privacy Officer Sean Yang tells GovWare 23 event that supply chain attacks are growing and 'pose significant challenges'

Global telecoms giant Huawei has outlined its approach to improving supply chain security, in the face of the ever-growing threat posed by cybercriminals.

Huawei’s Global Cyber Security and Privacy Officer Sean Yang delivered a keynote on the subject at GovWare 2023, one of Asia’s top cybersecurity events, which attracted an estimated 10,000 global cybersecurity experts, end-users, as well as representatives from government ministries and agencies.

Huawei designs, develops, manufactures and sells telecoms equipment, consumer electronics and smart devices, offering integrated solutions across telecom networks, IT, smart devices and cloud services. 

Yang told the conference that cyberattacks “are growing increasingly severe and pose significant challenges on supply chain security”. 

He added: “To address these risks and challenges, collaborative effort from both upstream and downstream stakeholders in the industry is necessary. 

“In order to ensure supply chain security, companies need to effectively build security into products, and focus on supplier management, open-source software management, R&D and production management.

“Effective vulnerability management is a crucial control of supply chain security. Companies need to effectively manage their upstream sources, including open-source and third-party.”

Downstream services 'vital to supply chain security'

Yang also said product security must be “assured through secure development practices and continuous lifecycle security”, and that businesses “must provide excellent service to their downstream customers or tenants”. 

Yang also shared with his audience Huawei's vulnerability management practices, as laid out in its paper, ‘Huawei Vulnerability Management’.

In this, the company outlines its management principles around telecoms vulnerabilities. These include:

  • Harm and risk reduction: Its vision for vulnerability management is to ‘reduce the harm and security risks caused by vulnerabilities in our products and services to customers and users’. This vision, it says, ‘guides us when handling and disclosing vulnerabilities’.
  • Vulnerability reduction and mitigation: Huawei says that although the industry recognises vulnerabilities are inevitable, ‘we strive to reduce vulnerabilities in products and services’, and adds that it also ‘provides risk mitigations for customers and users once vulnerabilities in products and services are found’.
    The company adds that it has ‘a full-view and end-to-end vulnerability management mechanism’ throughout its product life cycles, designed to ‘rapidly detect, investigate, mitigate, and fix vulnerabilities and support customers in risk mitigation’.
  • Proactive management: Vulnerability issues, it says, ‘need to be resolved through upstream and downstream collaboration in the supply chain’. It adds that it ‘proactively identifies and fulfils our responsibilities on vulnerability management and build our management system based on laws, regulations, contracts, and open standards to proactively manage vulnerabilities’.
  • Continuous improvement: Cybersecurity, says the company, is ‘a constantly evolving process where threats and attacks also evolve constantly’. As such, it says that defence ‘must be adapted accordingly’, and that it ‘continues to learn from industry standards and best practices in order to drive the maturity of our vulnerability management’.
  • Openness and collaboration: Huawei says it adopts an open and cooperative attitude in order to ‘strengthen the connection with the supply chain and external security ecosystem’, and that it seeks to enhance collaboration with stakeholders ‘to build trusted cooperation relationships’.

A recent report from software supply chain management company Sonatype shows there were twice as many software supply chain cyberattacks in 2023 as in the previous three years, with so-called back-door attacks targeting supply chains as a means of working upstream or downstream to reach larger organisations.
