I’ve done quite a bit of research on the issue of Huawei and network security. Here are the key areas that I will cover in this review of the available information. You will find references I used for research at the end of the post.
- The network has to work before it can be secured. (Huawei has substantial problems with product quality and reliability.)
- Poor software quality and poor process are unsafe. (The UK Government's audit body is clear on this.)
- Insider threats by Chinese nationals are real. (China's National Intelligence Law can compel citizens: “any organization or citizen shall support, assist, and cooperate with state intelligence work according to law.”)
The overall result is that it's hard to tell what is insecure because it has been compromised and what is insecure because it is unsafe to operate.
Types of Software Vulnerability
People who have reviewed Huawei code (and have the right skills to do so) highlight two areas of concern: software quality and development process. These people judge that Huawei code is badly written, likely because of an immature or unstructured software development process and the people running it.
This leads to a consistent pipeline of unstable products. This is confirmed in my own discussions with network operators, who confirm that Huawei products come with an oversized number of bugs, flaws and problems.
Software with bugs is more likely to have security problems. If the developers aren't using good coding practices or adopting best practices, then it's more likely that some bugs will have security ramifications. Don't always assume malicious activity.
Security people hate this idea, but you need a reliable, working service before you can secure it. Also confusing: security problems can lead to reliability problems. Make sure you understand the difference.
UK Government Oversight
The UK government operates an independent oversight board monitoring Huawei as part of its national security policy. This oversight was established in 2014 in response to a range of security concerns about Huawei.
The most recent report highlights exactly this:
I think in this context, the notion of national security has a primary requirement for a stable and reliable communication network. A secondary but equivalent requirement is a trustworthy and secure network because Governments must not deny the network to citizens. In other words, the 3G/4G network has to work before it can be secured.
The report states that Huawei was unable to repeatably produce a binary for analysis.
While I wonder how many Western network companies would be able to meet these requirements, it's clear that Huawei cannot repeatably offer the same code to its auditors. I'm pretty sure that if Cisco or Juniper had millions of dollars riding on a network like this, they would fly out the person who runs the build process and ensure that the code exactly mirrored the one down in Austin or San Jose. The fact that Huawei – for whatever reason – hasn't been able to do this is reason for concern.
What might be the reasons for this?
- Huawei is inserting other code after the auditors have inspected it and hoping to get it passed into production. The post-audit is detecting this. What can't be determined is whether this is poor process or a security event.
- It seems reasonable to assume that Huawei's internal processes are poorly set up, probably manual and based on poor software tooling. If so, this highlights a lack of competency.
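A concrete way to see what the auditors were asking for is a reproducibility check: build the same source twice and compare the hashes of what comes out. The Python below is an added example written for this post, not Huawei's, HCSEC's or any operator's code. The source tree, the SOURCE_DATE_EPOCH value and the two toy "build" functions are all constructed for illustration; the point is that a build which leaks the host clock or directory-listing order can never hand an auditor the same binary twice, while one that pins those inputs can.

```python
"""Added example: checking whether a build is reproducible.

build_naive() behaves like an unaware build script: it stamps every entry with
the host's clock and writes files in whatever order the file system returned
them.  build_reproducible() pins the time stamp to SOURCE_DATE_EPOCH and sorts
the entries, so the same source always yields byte-identical output.
verify_reproducible() is the check an auditor would run: build twice (ideally
on two machines) and compare digests.
"""
import hashlib
import io
import tarfile
import time

# Constructed stand-in for a source tree (not any vendor's real code).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "Makefile": b"all:\n\tcc -o app src/*.c\n",
}

# Convention from reproducible-builds.org: a fixed time stamp supplied by the
# build environment instead of the wall clock.  The value is a made-up constant.
SOURCE_DATE_EPOCH = 1_530_000_000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _pack(entries, mtime) -> bytes:
    """Write (name, data) pairs into an uncompressed tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_naive(tree, build_time=None) -> bytes:
    """Non-reproducible build: host clock and directory-listing order leak in."""
    if build_time is None:
        build_time = time.time()
    return _pack(tree.items(), build_time)


def build_reproducible(tree) -> bytes:
    """Reproducible build: fixed mtime, sorted entries, nothing host-specific."""
    return _pack(sorted(tree.items()), SOURCE_DATE_EPOCH)


def list_entries(archive: bytes) -> list:
    """Names inside a tar archive, in archive order (used to sanity-check output)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.getnames()


def verify_reproducible(build_fn, tree, runs=2):
    """Build `runs` times and report whether every artefact hashes the same."""
    digests = [sha256_hex(build_fn(tree)) for _ in range(runs)]
    return len(set(digests)) == 1, digests


if __name__ == "__main__":
    ok, digests = verify_reproducible(build_reproducible, SOURCE_TREE)
    print("reproducible build:", "PASS" if ok else "FAIL", digests[0][:16])
    # The naive build typically FAILs because each run embeds a different clock value.
    ok, digests = verify_reproducible(build_naive, SOURCE_TREE)
    print("naive build:       ", "PASS" if ok else "FAIL", [d[:16] for d in digests])
```

Real builds have many more such inputs (compiler version, build path, locale, gzip headers that embed a timestamp), so the same check is normally run against the compiler output, not just the packaging step; the comparison itself stays this simple.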
It's been observed that some of Huawei's binaries have historically been put through binary packers, which is a bit of a head scratcher, since packing makes it difficult to reverse engineer the binary and inspect it for back doors. Other network companies do not do this and are thus often more easily trusted.
Draw your own conclusions as to whether security risks are being hidden or whether they are choosing to protect their IP from competitors. I will note that Chinese companies steal from each other more than they steal from Western companies (it's cheaper to do it locally).
Huawei is very keen to fix problems, bugs and feature requests for customers. Perhaps because of relatively poor software development practices and quality control, any good-sized Huawei network deployment comes with some number of Huawei employees to fix those problems. Those engineers will often work on the customer's premises with full access to the network and to customer systems.
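As an added illustration, not taken from the oversight report or from any vendor, here is the sort of triage heuristic an auditor can run over a firmware image to spot packed or encrypted regions before spending reverse-engineering time on it: Shannon entropy per window. Compressed or encrypted data sits close to the 8-bit maximum, whereas ordinary machine code and tables usually come in well below it. Both sample blobs are constructed inline, and the window size and 7.2-bit threshold are assumptions chosen for the demo; a high reading is a prompt to look closer, not proof of packing.

```python
"""Added example: entropy-based packer triage for a firmware image."""
import hashlib
import math
from collections import Counter

WINDOW = 4096        # bytes per window; assumption chosen for the demo
THRESHOLD = 7.2      # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for constant or empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window of the blob."""
    return [shannon_entropy(blob[i:i + window]) for i in range(0, len(blob), window)]


def flag_packed_regions(blob, window=WINDOW, threshold=THRESHOLD):
    """(offset, entropy) for every window that looks compressed or encrypted."""
    return [(i * window, round(e, 2))
            for i, e in enumerate(entropy_profile(blob, window)) if e > threshold]


def looks_packed(blob, window=WINDOW, threshold=THRESHOLD, min_fraction=0.8):
    """True when most of the image is high-entropy, i.e. probably packed whole."""
    profile = entropy_profile(blob, window)
    if not profile:
        return False
    high = sum(1 for e in profile if e > threshold)
    return high / len(profile) >= min_fraction


def constructed_random_bytes(n: int, seed: bytes = b"packed-demo") -> bytes:
    """Deterministic random-looking bytes (a SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: repetitive text resembling a disassembly listing versus a
# random-looking payload.  Neither is any vendor's firmware.
CODE_LIKE = (b"  mov eax, [ebp+8]\n  add eax, 1\n  ret\n  push ebp\n  mov ebp, esp\n") * 1200
PACKED_LIKE = constructed_random_bytes(64 * 1024)
MIXED = CODE_LIKE[:16384] + PACKED_LIKE[:16384]   # unpacked stub followed by a packed body


if __name__ == "__main__":
    for label, blob in (("code-like", CODE_LIKE), ("packed-like", PACKED_LIKE), ("mixed", MIXED)):
        regions = flag_packed_regions(blob)
        print(f"{label:12s} packed={looks_packed(blob)!s:5s} high-entropy windows={len(regions)}"
              + (f" first at 0x{regions[0][0]:x}" if regions else ""))
```

The mixed case is the one that matters in practice: a small unpacked loader stub followed by a high-entropy body is the usual shape of a packed executable, and the per-window offsets tell the analyst where the real inspection has to start.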
“Chinese law requires organisations and citizens to support, assist and cooperate with intelligence work, which analysts say can make Huawei’s equipment a conduit for espionage.” (ABC News Australia)
Huawei is a Chinese company that delivers services to the Chinese government. China's National Intelligence Law lacks independent judicial review, is directed by the political party, and compels “all organisations and citizens” to assist in the country’s intelligence work. There are suggestions that Huawei employees have been detected giving access to unauthorised third parties (believed to be Chinese spy agencies) in Australia.
Insider threats are a difficult problem to address, since any large Huawei network has a large team onsite to support it (see point 2 below), which creates a realistic threat to the network and thus to national security. These teams speak only Chinese, communicate on Huawei's network, and a limited number of managers handle all communication.
For example, I’m told that BT in the UK has a team of over 500 Huawei employees in dedicated support roles getting their gear to work properly. BT does not pay these people directly.
I would also point out that this is likely a tactic of other Western government agencies too, but that they haven't been caught out in public (yet). While Western spy agencies cannot coerce citizens, they can subvert or co-opt them in other ways.
Lessons and Takeaways
So here are some possible lessons that struck me as I researched this article:
Lesson: Your supply chain includes the people who work on your systems, and they are the highest risk to your security. I'll bet that you aren't doing much to vet the people who have full access to your network infrastructure and, often, to the entire IT security infrastructure such as firewalls, inspection devices and taps.
Lesson: Poor quality products with persistent bugs and flaws are an operational risk. For critical infrastructure, product quality is the same as a security risk.
Lesson: Huawei has been co-operative with all governments, especially the UK, by paying for and assisting in product audits. It could be a few bad actors in the organisation operating in line with Chinese law, to which they would be subject. It would be difficult for any person to refuse a government request, no matter which country is your home.
Observation: It strikes me that Huawei may strongly need input from skilled network operators to improve its products, processes and staff. If product development and maintenance is so poor, then both Huawei and the Chinese government itself are well served when these products become stable and reliable.
Source: UK Govt Huawei Oversight Report PDF, Page 3: HUAWEI CYBER SECURITY EVALUATION CENTRE (HCSEC) OVERSIGHT BOARD ANNUAL REPORT 2018 – https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/727415/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf
Link: Huawei banned from 5G mobile infrastructure rollout in Australia – ABC News (Australian Broadcasting Corporation) – https://www.abc.net.au/news/2018-08-23/huawei-banned-from-providing-5g-mobile-technology-australia/10155438
Link: BT removing Huawei equipment from parts of 4G network | Technology | The Guardian – https://www.theguardian.com/technology/2018/dec/05/bt-removing-huawei-equipment-from-parts-of-4g-network
Link: BT Moves to Extract Huawei From Its Core | Telecom Ramblings – https://www.telecomramblings.com/2018/12/bt-moves-extract-huawei-core/
Link: Japan government to halt buying Huawei, ZTE equipment: sources | Reuters – https://www.reuters.com/article/us-japan-china-huawei/japan-government-to-halt-buying-huawei-zte-equipment-sources-idUSKBN1O600X
Link: Inside the OPM Hack, The Cyberattack that Shocked the US Government | WIRED – https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
Link: Top-ranked Australian university hit by Chinese hackers: media | Reuters – https://www.reuters.com/article/us-australia-cyber/top-ranked-australian-university-hit-by-chinese-hackers-media-idUSKBN1JW1KE
Link: Beijing’s New National Intelligence Law: From Defense to Offense – Lawfare – https://www.lawfareblog.com/beijings-new-national-intelligence-law-defense-offense – July 2017
Link: What you need to know about China’s intelligence law that takes effect today — Quartz – https://qz.com/1016531/what-you-need-to-know-about-chinas-intelligence-law-that-takes-effect-today/ – June 2017