Backroom barricade keeping the hacker hordes at bay
2021-12-29
In the movies, cyberattacks are thwarted by good-looking young people pounding on keyboards in the dead of night. In real life, a successful defense requires more than one or two heroes – and more than one or two nights.
At Huawei, hundreds of people have spent more than 10 years working on ways to fortify the company’s networks against attack. In doing so, it has pushed its suppliers – nearly 4,000 in all – to become more secure as well.
One tool for accomplishing this minor miracle is something called the Product Security Baseline.
The idea for the Baseline began in response to questions about network security posed by one of the company’s biggest customers, Deutsche Telekom.
Every day, there are approximately 1 million cyber-attacks on Huawei’s IT networks. “Hackers are always coming after us,” said Mika Lauhde, Huawei’s vice-president for cyber security and privacy. “As the world’s largest telecom company, we’re their first target.”
The Product Security Baseline is a bulwark against those attacks.
At its heart, the Baseline is a massive checklist of technical requirements from customers in 170 countries. Added to that are laws, regulations, and industry best practices from jurisdictions around the world. The current version of the Baseline contains 54 different requirements split into 15 categories. That sets a high security bar for every piece of gear in the network.
The Baseline was purely internal at first, but that soon changed. The company notified its 2,000 suppliers that they, too, would need to follow the Baseline’s strict rules.
This wasn’t simply a matter of signing a pledge. Before a supplier could be certified as Baseline-compliant, it had to submit to a close examination of its practices.
The test was not easy: more than half the company’s suppliers failed on their first try. But Huawei coached its suppliers to help them raise their security game. Although about 200 ultimately failed to make the cut, most eventually passed. Today, all of Huawei’s 3,800 suppliers adhere to the Baseline standards.
This may have promoted greater cybersecurity among Huawei’s competitors. Cisco launched its own baseline in 2014, and Ericsson has its own baseline requirements as well.
Huawei shares the details of the Baseline with a wide variety of partners. “After it was released in 2020, we were thinking about how to help the whole industry move forward,” explained Xue Yongbo, a senior expert on cyber security and privacy protection in the Huawei supply chain. “We decided to release the Baseline document to suppliers, telecom companies, regulators, and anyone who cooperates with us.”
This is more than just an overall attempt at transparency. It’s also incredibly helpful to smaller telecom operators that might not have enough staff to formulate security standards of their own.
To date, the Baseline has helped Huawei earn more than 380 product security certifications from organizations around the world. Because security needs are constantly shifting, the Baseline has evolved over time, growing from 38 basic primary requirements to 54 in the latest iteration.
But in one important respect, the Baseline hasn’t changed: to work with Huawei, developers need to make sure their products meet the company’s standards. They must pass tests at Huawei’s Independent Cyber Security Lab that certify compliance before their devices can be accepted as Huawei hardware.
The Baseline itself is part of a larger assurance system covering verification, third-party supplier management, manufacturing, delivery, issue response, traceability, and audit – all of which must constantly adapt to a changing threat environment. The rise of remote work, software-as-a-service, and the Internet of Things creates opportunities for cyber malfeasance, and most computer viruses can mutate just like their biological cousins.
Making networks more secure will only get more challenging in the years ahead. Fortunately, the ever-evolving Baseline will be ready for whatever the future brings.