Who’s Afraid Of Huawei?

Uploaded on 2019-09-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

As countries move towards the fifth generation of mobile broadband, 5G, the United States has been loudly calling out Huawei as a security threat. It has employed alarmist rhetoric and threatened to limit trade and intelligence sharing with close allies that use Huawei in their 5G infrastructure.   By Emily Taylor

While some countries such as Australia have adopted a hard line against Huawei, others like the UK have been more circumspect, arguing that the risks of using the firm’s technology can be mitigated without forgoing the benefits.

So, who is right, and why have these close allies taken such different approaches?

The risks
Long-standing concerns relating to Huawei are plausible. There are credible allegations that it has benefitted from stolen intellectual property, and that it could not thrive without a close relationship with the Chinese state.

Huawei hotly denies allegations that users are at risk of its technology being used for state espionage, and says it would resist any order to share information with the Chinese government. But there are questions over whether it could really resist China’s stringent domestic legislation, which compels companies to share data with the government. And given China’s track record of using cyberattacks to conduct intellectual property theft, there may be added risks of embedding a Chinese provider into critical communications infrastructure.

In addition, China’s rise as a global technological superpower has been boosted by the flow of financial capital through government subsidies, venture and private equity, which reveal murky boundaries between the state and private sector for domestic darlings. Meanwhile, the Belt and Road initiative has seen generous investment by China in technology infrastructure across Africa, South America and Asia.

There’s no such thing as a free lunch or a free network – as Sri Lanka discovered when China assumed shares in a strategic port in return for debt forgiveness; or Mexico when a 1% interest loan for its 4G network came on the condition that 80% of the funding was spent with Huawei.

Aside from intelligence and geopolitical concerns, the quality of Huawei’s products represents a significant cyber risk, one that has received less attention than it deserves.

On top of that, 5G by itself will significantly increase the threat landscape from a cybersecurity perspective. The network layer will be more intelligent and adaptable through the use of software and cloud services. The number of network antennae will increase by a factor of 20, and many will be poorly secured ‘things’; there is no need for a backdoor if you have any number of ‘bug doors’.

Finally, the US is threatening to limit intelligence sharing with its closest allies if they adopt Huawei. So why would any country even consider using Huawei in their 5G infrastructure?

Different situations
The truth is that not every country is free to manoeuvre; 5G technology will sit on top of existing mobile infrastructure.

Australia and the US can afford to take a hard line: their national infrastructure has been largely Huawei-free since 2012. However, the Chinese firm is deeply embedded in other countries’ existing structures – for example, in the UK, Huawei has provided telecommunications infrastructure since 2005. Even if the UK decided tomorrow to ditch Huawei, it cannot just rip up existing 4G infrastructure. To do so would cost a fortune, risk years of delay in the adoption of 5G and limit competition in 5G provisioning.

As a result, the UK has adopted a pragmatic approach resulting from years of oversight and analysis of Huawei equipment, during which it has never found evidence of malicious Chinese state cyber activity through Huawei.

At the heart of this process is the Huawei Cyber Security Evaluation Centre, which was founded in 2010 as a confidence-building measure. Originally criticized for ‘effectively policing itself’, as it was run and staffed entirely by Huawei, the governance has now been strengthened, with the National Cyber Security Centre chairing its oversight board.

The board’s 2019 report makes grim reading, highlighting ‘serious and system defects in Huawei’s software engineering and cyber security competence’. But it does not accuse the company of serving as a platform for state-sponsored surveillance.

Similar evidence-based policy approaches are emerging in other countries like Norway and Italy. They offer flexibility for governments, for example by limiting access to some contract competition through legitimate and transparent means, such as security reviews during procurement. The approaches also raise security concerns (both national and cyber) to a primary issue when awarding contracts – something that was not always done in the past, when price was the key driver.

The UK is also stressing the need to manage risk and increase vendor diversity in the ecosystem to avoid single points of failure. A further approach that is beginning to emerge is to draw a line between network ‘core’ and ‘periphery’ components, excluding some providers from the more sensitive ‘core’.

The limited rollouts of 5G in the UK so far have adopted multi-provider strategies, and only one has reportedly not included Huawei kit.

Managing the risks to cyber security and national security will become more complex in a 5G environment. In global supply chains, bans based on the nationality of the provider offer little assurance. For countries that have already committed to Huawei in the past, and who may not wish to be drawn into an outright trade war with China, these moderate approaches offer a potential way forward.

Chatham House

Emily Taylor is an associate fellow with the International Security Department at the Royal Instiute of International Affairs

You Might Also Read:

Five Things to Know About 5G:

AI Will Shape The Future 6G Network:

 

 

« Cyber Security Does Not Follow From Cyber Awareness
Thomas Cook In A Cyber Collapse »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ACI Worldwide

ACI Worldwide

ACI Worldwide powers electronic payments for more than 5,000 organizations around the world.

World Wide Technology (WWT)

World Wide Technology (WWT)

WWT is a technology solution provider in the areas of big data, collaboration, computing and cloud, mobility, networking, security and storage.

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center is a not-for-profit organization focused on regional cybersecurity excellence and readiness, with a special emphasis on the maritime community.

Modulo Security

Modulo Security

Modulo provides automated Governance, Risk, and Compliance (GRC) solutions.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

AlertSec

AlertSec

AlertSec Ensure is a U.S. patented technology that allows you to educate, verify and enforce encryption compliance of third-party devices.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

ProLion

ProLion

ProLion provides Data Integrity solutions that ensure organisations’ data remains secure, compliant, manageable and accessible.

BT Security

BT Security

BT provides telecommunications and network infrastructure services to keep businesses around the world connected and secure.

SolCyber

SolCyber

SolCyber, a Forgepoint company, is the first modern MSSP to deliver a curated stack of enterprise strength security tools and services that are accessible and affordable for any organization.

ACI Learning

ACI Learning

ACI Learning - Training tomorrow’s industry leaders with formats for all types of learners in Audit, Cybersecurity, and IT.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

Aembit

Aembit

Aembit is the Identity Platform that lets DevOps and Security manage, enforce, and audit access between federated workloads

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Blattner Technologies

Blattner Technologies

Blattner Technologies mission is to be the leading provider of predictive transformation services and tools in the Data Analytics, Artificial Intelligence and Machine Learning industry.