Huawei flings open the doors of its third privacy and security transparency centre

Huawei has opened another cyber security centre and, despite facing a crisis of trust in the West, has chosen to do so for the first time in its Chinese heartland.

The company said its Global Cyber Security and Privacy Protection Transparency Center (GCSPPT) in the industrial city of Dongguan will allow regulators, independent third-party organisations and customers to gain a closer look at it wares.

According to Huawei, the centre “demonstrates solutions, facilitates communication, joint innovation, and supports security testing and verification”.

In a statement, Ken Hu, Huawei’s Rotating Chairman, described an urgency for the industry to collaborate on standards and governance.

“We need to give both the general public and regulators a reason to trust in the security of the products and services they use on a daily basis. Together, we can strike the right balance between security and development in an increasingly digital world,” he said.

Best practices

Coinciding with the ribbon-cutting, Huawei also published its Product Cyber Security Baseline. The company said this twelve-page document, available to download online (PDF), represents its purported best practices when it comes to secure development.

Although not the lengthiest of reads, the pamphlet touches on the “wetware” of product development, particularly when it comes to the software development life cycle and the management of development and testing teams, something Huawei has been criticised for.

Advice includes having security requirements outlined in advance, and the use of a testing process that includes manual scans and code reviews, as well as the use of automated tools.

Perhaps timely, Huawei’s security baseline includes incident response procedures, with security patching a feature of a product’s long-term maintenance. Last week, securiy biz Trustwave said it had found a vulnerability in one of Huawei's LTE USB modems and had tried to report this to Huawei on multiple occasions. However, Trustwave admitted it had not used Huawei's correct PSIRT contact information. Huawei eventually took action and patched the weakness after The Register intervened.

More technical topics also feature, with Huawei's Product Cyber Security Baseline describing integrity protection, good application security hygiene and secure coding practices as essentials, among others.

"This is the first time we've shared our security baseline framework with the entire industry, not just core suppliers," said Sean Yang, director of Huawei's Global Cyber Security and Privacy Protection Office.

“We want to invite all stakeholders, including customers, regulators, standards organisations, technology providers and testing organisations, to join us in discussing and working on cyber security baselines. Together, we can continuously improve product security across the industry."

Casting a critical eye over the documents, it's hard to identify anything that goes beyond what is already considered secure software development best practice.

Not Huawei's first rodeo

As mentioned, the GSCPPT isn't Huawei's first foray in opening a dedicated transparency centre.

• Biden expands Chinese tech and military blocklist to 59 companies
• China reveals plan to pump out positive news about itself. Let's see what happens when that lands with social media fact-checkers
• To what do we owe the Honor? Huawei spinout breaks silence with two pro ultraportables
• FCC starts probing effects of semiconductor drought on the US telecoms supply chain

In 2010, following an agreement with the UK government, Huawei opened the doors to the Huawei Cyber Security Evaluation Centre (HCSEC), located in the leafy market town of Banbury, Oxfordshire.

HCSEC allowed experts from UK spy agency GCHQ and later its tech wing, the National Cyber Security Centre, to scrutinise Huawei’s telecoms kit in order to identify any potential security issues, be they deliberate or accidental. No intentional ones were ever found.

The most recent report (PDF) from the facility’s oversight board said HCSEC was able to operate independently of Huawei’s head office, and remained in compliance with the agreement initially set out between the telecommunications giant and Her Majesty's Government.

However, HCSEC raised concerns about the quality of Huawei's software development practices, which it said brought "significantly increased risk to UK operators” and required “ongoing management and mitigation".

Last July, the UK Government issued a wholesale ban against UK carriers using Huawei’s 5G equipment, and ordered networks to remove existing equipment by 2027. This move was prompted by fears surrounding Huawei's long-term ability to source the essential semiconductors it relies on. This was itself caused by US sanctions that prevented US suppliers from selling components to Huawei, born of national security concerns about Huawei's perceived closeness to the Chinese govenrment.

The UK's decision will cut Huawei from the UK’s 5G ecosystem and is expected to delay the rollout of 5G services across the country by two to three years and cost £2bn to rip and replace.

Huawei also operates a similar facility in Brussels. This facility, opened in 2019, was conceived to assuage the fears of regulators across the continent.

Although it's hard to imagine a scenario in which this third facility based in China softens the hearts of lawmakers in the West, and the wider “Five Eyes” community, it may provide reassurance to unaffiliated countries, particularly those in the developing world.

Huawei remains a viable competitor in Africa, and is providing some of the equipment used by Kenyan network Safaricom in its 5G network trials, alongside Nokia.

Safaricom, we note, is partly owned by UK network Vodafone, with the government of Kenya and South African carrier Vodacom also holding sizeable shares.

Huawei has also begun reducing it's dependency on carrier sales, placing greater emphasis on industrial networks, as well as software and cloud products which are inherently less susceptible to the type of supply chain disruption it has experienced in the previous two years.

The company's previously high-volume consumer arm is also shifting from its traditional bread-and-butter of high-end mobile handsets to devices that are less dependent on sophisticated semiconductor components.

These include wearable devices, PCs and laptops, monitors, tablet computers (with much of its latest crop using 4G platforms provided by Qualcomm). ®