Demand more transparency from us and vendors: Huawei

The company that bills itself as the most probed and audited has said that others should be subject to the same security checks, as users can't be sure what they're getting.

Huawei is calling for other vendors to be as transparent and open as it is in taking information security seriously.

Speaking at the CeBIT conference and exhibition in Sydney today, Huawei Global chief information security officer John Suffolk said that every piece of technology could be a significant threat, and that organisations should demand to know what is inside the equipment they rely on. According to him, it does not really matter whose brand is on the box, since the components do not necessarily come from the company or country where the box was assembled.

"Many people who will look at any equipment will make an assumption that what's in that equipment comes from that country. If you open up a Huawei box, what you will see [is] 70 percent of the components in that equipment come from non-Huawei, comes from outside of Huawei, and come from actually outside of mainland China. The biggest provider of components in Huawei's equipment is American companies, at 32 percent," Suffolk said.

Suffolk said that there are so many places in the supply chain where people could inject code or bribe someone, especially when, for example, even the delivery of a consumer laptop could pass through five to six countries before the end user receives it.

He said that vendors should be held accountable for being able to trace back every component and every hand that a device has passed through, anywhere in the world. Doing so requires organisations to demand that their vendors do something about security, he said.

"If you, as a customer, don't ask a vendor to do anything on security, do not be surprised if that vendor does nothing on security."

Suffolk indicated that although businesses like Huawei are large multinationals with many relationships in different countries, the sort of security process that would satisfy customers needed to be thorough and applied to carefully considered business processes.

"You can't do this on random processes," he said, comparing security to buying a product at a retail outlet. "When you go to a shop and buy something, you don't just measure the quality, you measure whether you're getting a consistent level of service. The more variability in this service, the more variability in the product, telling you this company makes things up as it goes along."

This included vendors having intimate knowledge of the laws of each country they operate in, and dealing with the challenge of training their staff accordingly. To highlight his point, Suffolk said that if he were to ask the audience for its definition of Australian data protection laws, he would probably get more than one answer back.

And he said that customers should be concerned if their vendors aren't building security into their equipment from the ground up.

"You have to build cybersecurity into everything that you do, from your policies, your procedures to your manufacturing to your R&D. The moment that you bolt it on, it becomes somebody else's problem," he said.

"If they can't show you that, it means that in essence that it is not an embedded process, it's an add-on."

Suffolk said that Huawei is probably the most poked, prodded, probed, and audited company in the world, and that because of this, it has had to become as open and transparent as possible to allay concerns.

"If something goes wrong, you want me to be able to trace where I got that component from, what route it came in to, what equipment it ended up in, and what customers got that equipment with that faulty component — which implies they can trace."

Suffolk said that such traceability could also be used to track down who, exactly, was responsible for any poor code that may have proliferated to devices.