This content is part of the Conference Coverage: RSA Conference 2015 special coverage: News, analysis and video
News Stay informed about the latest enterprise technology news and product updates.

Can supply chain security assuage Huawei security concerns?

Huawei's U.S. CSO pitched the rigor of its supply chain security processes to RSA Conference 2015 attendees, but they remained skeptical at best on whether to trust the Chinese networking and security vendor.

SAN FRANCISCO -- Can North American enterprises trust networking and security products from Huawei? An executive...

from the Chinese vendor pitched the rigor of its supply chain security in an effort to indirectly answer that question at RSA Conference 2015 Wednesday, but attendees remained skeptical.

Andy Purdy, U.S. chief security officer for Huawei Technologies USA, offered a detailed look at how the vendor, a Fortune Global 500 company that has 150,000 employees and operates in 170 countries, addresses supply chain security assurance.

In describing Huawei's global supply chain, he said about a third of its materials come from the U.S. and another third from mainland China, which largely includes cables, batteries, mechanical parts, cabinets and the like.

Regardless of where the materials come from, they are vetted by a comprehensive system based on Open Group standards to ensure confidentiality, integrity, availability, traceability and authenticity.

From a security standpoint, its cybersecurity baseline management program focuses on identifying risks, developing baselines and integrating them into processes that continuously improve its security posture.

"All our suppliers must sign cybersecurity agreements and pass systems qualifications," Purdy said, noting that includes more than 400 suppliers in the U.S. and several thousand globally. "There is an awful lot involved in making sure suppliers do what they need to do to address supply chain risk."

Other key details in that process include detailed component testing when products arrive at Huawei, providing suppliers with a list of Huawei's top 100 security requirements, and constantly trying to improve its processes.

Purdy also said all of Huawei's supply chain security efforts are standards-based, specifically mentioning the Open Group Trusted Technology Forum, which is fostering the development of a global supply chain integrity program and framework, and a three-year program within the non-profit EastWest Institute centered on the global availability of secure products.

Even people in China -- domestic China -- if you ask them will tell you, 'Don't trust Huawei.'
Bin XieInformation security analyst, MD Anderson Cancer Center

"This is not a gold standard for what a company should do, but we want to contribute to the dialogue," Purdy said. "Hopefully we can learn from each other and work together to create some international standards that can provide a fact-based, risk-based level playing field based on in-depth accreditation of a company's compliance."

To that end, Purdy said no government should impose trade barriers in the name of security. Though he wouldn't directly condemn the policies of any specific nation, one attendee asked about China, which imposed strict new rules on technology vendors whose products are used in that country, including hardware backdoor requirements and handing over its products' full source code.

In recent years, Huawei has had some high-profile collisions with the U.S. government related to security, including a 2012 congressional panel that called the company a threat to national security and recommended it not be allowed to do business in the U.S.

Attendee Sowjanya O'Neill, a senior manager with Verisign based in Reston, Va., said she was surprised with how extensive its supply chain security program was and the way in which it's integrated throughout so many of the company's business activities.

However, O'Neill said she thought the discussion was missing some important aspects by not touching on issues related to nation-state cyberespionage, because those activities inevitably affect the supply chain.

Attendee Bin Xie, an information security analyst with the MD Anderson Cancer Center in Houston, Texas, said he doesn't trust the security and the integrity of Huawei products, largely based on past experience working with them.

"If 30% of the suppliers are in China," Xie said, "how do you make sure they're secure, when most manufacturers in China don't even follow their own government's standards?

"Even people in China -- domestic China -- if you ask them will tell you, 'Don't trust Huawei,'" Xie said, because of its close ties to the Chinese government. "They want to survive, so they have to" lend support to China's national interests.

Dig Deeper on Information Security Incident Response-Information