Cyber-espionage has been going on for years. In one famous example in 2012, it emerged that China had hacked UK defense firm BAE Systems to steal data about a $264 billion F-35 Joint Strike Fighter (JSF) jet. And it wasn’t the first time the country had been accused of stealing military jet plans.
But recently, the focus has moved to Chinese companies, particularly those that manufacture network equipment as 5G services start to roll out. So, why is all the focus on Huawei, and how secure is it to use its products and services?
Founded in Shenzhen, Guangdong, in 1987 by Ren Zhengfei, a former People's Liberation Army officer, the firm is owned by 80,000 of its 180,000 employees. Like its rivals Nokia and Ericsson, Huawei has manufactured mobile network equipment for years.
During the last decade or so it has stormed into the consumer market as a smartphone manufacturer and now owns 16% of the market. At Mobile World Congress (MWC) this week, it became the latest to announce a folding smartphone with the launch of the Mate X.
The story so far
There is growing concern about Huawei from governments around the world. So much so, that many have blocked telecoms companies from using Huawei gear in next-generation 5G mobile networks.
So far, the US and Australia have banned Huawei from providing equipment for their 5G networks, while Canada’s relationship with the firm is under review. There is also concern among European telecoms network operators, with some considering removing Huawei’s equipment. BT, for example, has
removed Huawei equipment from key parts of its 4G network.
At the same time, the UK has expressed concerns, with the National Cyber Security Centre (NCSC) asking Huawei to fix issues that could pose a new risk to the network.
The US is particularly concerned about Ren’s military background. And the State Department's top cyber official, Robert Strayer, certainly thinks there is an issue.
"A country that uses data in the way China has - to surveil its citizens, to set up credit scores and to imprison more than 1 million people for their ethnic and religious background - should give us pause about the way that country might use data in the future," Strayer said, according to The Washington Post . "It would be naive to think that country, [given] the influence it has over its companies, would act in ways that would treat our citizens better than it treats its own citizens."
Meanwhile, the daughter of Huawei’s founder,
Meng Wanzhou was last year arrested by Canadian authorities, after the US government alleged that she was assisting Huawei in dodging US sanctions on Iran. She and the firm deny any wrongdoing.
Are Huawei phones safe?
Last year, Huawei phones were banned by networks including Verizon and AT&T after being labelled a security threat. Meanwhile, tech site Tech.Co interviewed Timothy Heath, senior international defense research analyst at the RAND Corporation, who believes it is entirely plausible that the firm’s phones could be used to spy:
“The threat is legitimate, given the murky links between Huawei and Chinese authorities. The Chinese state has the authority to demand tech companies like Huawei turn over useful information or provide access to the communications and technologies owned and sold by Huawei.
"Chinese authorities can use this information and access to facilitate espionage or cyber attacks over Huawei communications technologies. Consumer tech devices like phones that rely on Huawei technologies will be easier for Chinese authorities to penetrate and exploit for these reasons.”
He added: “Tech companies play a critical role in developing the dual use technologies that the PLA needs to fight a hi-tech war against world class militaries like that of the United States.”
What about Huawei network equipment?
As an equipment vendor, it is technically possible for Huawei to conduct espionage through the network, or even for it to disrupt communications with disastrous consequences. As more devices are connected to the internet, including autonomous vehicles and electrical grids, this threat becomes all the more real.
The risk becomes bigger with 5G because the way the networks are designed and run makes it harder to monitor security, according to the head of the UK's intelligence service MI6, Alex Younger.
However, many of the UK providers including EE, Vodafone and Three have been working with Huawei to build their 5G networks. They are currently waiting for the UK government to decide whether they will be permitted to carry on doing so, with a decision coming in Spring this year.
China's National Intelligence Law passed in 2017 says organizations should "support, co-operate with and collaborate in national intelligence work".
But a Huawei spokesperson says: “We are a private company owned by employees and comply with applicable laws and regulations. If we are forced to maliciously violate the trust of our customers, we would rather shut the company down. We are committed to developing the most innovative and secure technology, to bring digital to every person, home and organization for a fully connected, intelligent world. We will make all sacrifices – at any cost – to defend security without hurting any country, any organization, or any individual. This is our highest agenda.”
What does Huawei say?
It’s Mobile World Congress this week so what better place for Huawei to hit back at recent comments from the US? During his keynote
Huawei chairman Guo Ping denied that the firm spies on behalf of its country’s government. It has "no evidence, nothing", he said, adding that the vendor had never planted backdoors in its equipment and would not permit third parties to meddle with its kit. Guo said, according to Business Insider : "Carriers are responsible for the secure operations of their own networks. Carriers can prevent outside attacks."
He also hit out at the US government for its new law allowing it to demand data stored with Amazon, Microsoft, or other cloud providers.
What should you do?
First, don’t panic. Ian Thornton Trump, head of cyber security at AMTrust international, points out: “If nation states are going to hack, they are going to hack. This has very little to do with security; this has everything to do with market protectionism and vendettas against companies that don’t bend to the will of the US.”
He therefore thinks security is a side show “being used as leverage and FUD to promote someone else’s products and services”. He says: “There has been no public mention of a security issue with Huawei and you can bet an indictment that if it did have a back door this would be blasted to the media.
“The indictment of Huawei is about intellectual property theft – allegedly and perhaps not even an American company – and selling to Iran using front companies. How a Chinese company is subject to American law is of course the big and larger question.”
Huawei is certainly producing some innovative phones and it’s been working on network equipment for years. Of course, intelligence personnel will know a lot more about what’s happening behind the scenes, so it’s important to be wary. But at the same time, much of this is about political posturing: Do we really think Huawei has manufactured a folding phone so it can tap all our calls and take over the network? Probably not.
This week at Mobile World Congress (MWC) in Barcelona Spain, Huawei's chairman Guo Ping deflected recent criticism his firm has received over security flaws and backdoors in its products. Guo immediately turned his ire to America and the National Security Agency (NSA) and its program called PRISM. This NSA program allowed the agency to access highly sensitive stored documents, emails, photographs, and data from major companies. Further, it was discovered that leading social media platforms like Google , Facebook , Yahoo, YouTube, Skype, PalTalk, etc. all provided the NSA with direct access to their users’ information in exchange for immunity from future prosecution. Ping rightfully denied that Huawei ever had backdoors in its products. He suggested these allegations were due to the company’s tremendous investment in 5G R&D, arguing that Huawei should get a pass. When it comes to security, though, nobody gets a pass. Further, recent arrests of key employees, including Huawei's founder’s daughter (and CFO), has increased scrutiny and speculation about the company’s nefarious intentions.
For countries, proactive incident response helps mitigate overall risk
All countries have spy agencies and those organizations rely on data and intelligence to be effective. Reverse/social engineering, malware/viruses, phishing schemes are all useful tools for agencies to target specific users and gain access to sensitive data or critical infrastructure. Exploiting backdoors and packet sniffing is much more difficult and tends to produce random results. That said, from a cyberwarfare perspective, a top goal for most nation-states is to have a "killswitch" to stop security incidents and Internet traffic from hostile nations they conflict with. Ukraine is an excellent example of what happens when a country is ill-equipped to stop
cyber-aggression . It is virtually impossible to build a hack-proof network; however, organizations can employ practices to mitigate damage caused by hackers during a breach. Case-in-point, network equipment vendors have a responsibility to deploy solutions that are secure and uphold industry standards for data protection and integrity—such as the Network Equipment Security Scheme (NESA) spearheaded by the GSMA and 3GPP. Carriers and service providers have even more responsibility to deploy proactive security measures to safeguard the flow of traffic through their networks. Even if there are security vulnerabilities in the networking equipment, a proactive incident response program can reduce the threat and attack-plane.
Is there such a thing as "manageable risk" in cybersecurity?
Claims and subsequent action by the United States and other countries have put Huawei, Supermicro, and ZTE under a negative spotlight and the effects have been damaging from a revenue, brand, and loyalty perspective. Although the UK's National Cyber Security Centre (NCSC) deemed Huawei as a "manageable risk," these companies will be challenged to regain their credibility and reputations in the security industry. Although it is nearly impossible to prove the claims against each company, it does force every equipment vendor to determine which side of the fence they are on and perhaps incentivize the industry to make meaningful long-term changes and safeguards—especially as 5G becomes a reality. While these companies are on their heels, rivals like Cisco, Ericsson , Nokia , etc. have a healthy competitive opportunity to grow market share. However, as a wise person once said, “what comes around, goes around” it will be easier for the industry to take care of itself before clueless bureaucrats and politicians do it for them. Since Huawei has established itself from a 5G perspective, it could also take a market leadership role in de-stigmatizing the security of Chinese-made equipment. Additionally, it could work with the industry to set meaningful standards for security before someone does it for them. This will not only help Huawei, but its Chinese counterparts and the industry as a whole.
