Chinese technology company Huawei is again making headlines in the UK, which is in a heated debate over the development of the UK’s 5G network and whether the company represents a security threat.
The UK has “arguably the toughest and most rigorous oversight regime in the world for Huawei,” according to Ciaran Martin, a top British intelligence official. It has been home to a dedicated Huawei Cyber Security Evaluation Centre (HCSEC) for eight years, and has published five detailed reports scrutinizing Huawei, notably its source code — the crown jewel of any technology company.
One key point underplayed in the media storm over Huawei, however, experts told Xinhua, is that while Huawei has come under the microscope in the UK, its non-Chinese competitors — Ericsson, Nokia and Samsung — have not been equally tested, leaving the public in the dark as to how they would fare under the same set of rules.
Absent that knowledge, the push to shun Huawei in networks rings hollow on a central premise: that its competitors’ gear would be more secure than the Chinese company’s.
DEFECTS IDENTIFIED WITH HUAWEI TECHNICAL
The latest UK report, formally known as the HCSEC Oversight Board Annual Report 2019 and published on March 28, detailed concerns about Huawei’s software engineering capabilities, but stated that the “NCSC (National Cyber Security Centre) does not believe that the defects identified are a result of Chinese state interference.”
The UK intelligence agency in charge of cyber security has repeatedly stated the same conclusion: the security defects identified with Huawei are technical.
“As we said then, and repeat today, these problems are about standard of cyber security; they are not indicators of hostile activity by China,” said Martin, the CEO of the NCSC, in a public speech in Brussels on Feb. 20.
“The NCSC report provides an insight into the Huawei products under review and has highlighted that Huawei’s software practices need to improve to meet the NCSC review recommendations. The NCSC report indicates that it does not believe the defects identified are a result of Chinese state interference but are due to basic engineering competence and cyber security hygiene,” Mark Gregory, Associate Professor focusing on network engineering at Australia’s RMIT University, told Xinhua.
HUAWEI PROBABLY THE ONLY ONE TESTED
Nevertheless, the report’s findings of technical problems made for damaging publicity for Huawei, which has said it is “the most scrutinized company in the world.”
What the reports didn’t cover was whether Huawei’s products and software were less secure than those of its competitors, and that’s because these vendors were not subject to the same scrutiny as Huawei, at least in the case of the UK oversight regime, experts said.
“I don’t think any of the other vendors have been on such level of scrutiny to find out whether or not security risks exist in their software. Unless I missed something, I’m not aware of anyone else going through this process,” Stephane Teral, technology fellow and advisor for Mobile Infrastructure and Carrier Economics at the consultancy IHS Markit Technology, told Xinhua.
As part of a thorough due diligence analysis in the vendor selection process, all products, software and hardware are evaluated by telecommunication services providers who are clients of vendors like Huawei, said Teral, who has three decades of experience in the Western telecommunications industry.
“What’s unique in the Huawei case is that the software was evaluated by a third party, as I say above, no other vendor has gone through this process and had they gone, I believe some bugs would have been found too,” Teral added.
“As Huawei is the only company that has agreed to submit its products for review it would be wrong to assume that other vendor products don’t have similar issues, especially when the number of patches being issued by other vendors to fix security problems are taken into account,” said Gregory, who also serves as managing editor of academic journals in telecommunication technology.
A VOLUNTARY, TOUGH PROCESS
Huawei recognized the need of foreign governments for more insight into the Chinese company and entered into Britain’s rigorous oversight regime on a voluntary basis, a Brussels-based spokesperson told Xinhua.
“Although painful and somewhat humiliating, I consider this exercise very valuable for Huawei because they have now a new list of issues to address to make their product even stronger. In the end, Huawei will emerge even stronger from this tough process,” said Teral.
Neither Ericsson nor Nokia, when contacted by Xinhua, commented on the British oversight regime or on whether they were subjected to similar oversight arrangements. Samsung didn’t respond to a request for comment.
Ericsson said in a statement: “In all our manufacturing and software development facilities globally, Ericsson ensures that strict security controls are in place. In addition, we undertake close quality controls, tests and verifications to ensure compliance to our security standards and overall specification of our network solutions. Security audits of all our factories are done on a regular basis, where the sites are assessed, and risks reviewed.”
Nokia provided a statement that read: “Nokia follows a strict ‘design for security’ process. Regardless of geographical location where Nokia’s products and services are manufactured or made, the same criteria are applied to ensure security and integrity. We carry out extensive independent internal and external verification on security status and compliance.”
CALLS FOR A COMMON APPROACH
The lack of a common approach that covers all vendors has led to calls for a security assurance scheme by the industry and experts.
GSMA and 3GPP, two industry bodies, have proposed a voluntary scheme. If applied, it would involve an external auditor of vendors’ security-related development and product lifecycle processes, and a competent test laboratory’s security evaluation of the vendors’ equipment.
“There is a global need for a telecommunications security assurance capability, something that the telecommunications industry has not embraced, yet there is mounting evidence that this capability is desperately needed,” Gregory said.
“A telecommunications security assurance program should be embraced that encompasses telecommunications equipment in networks irrespective of which vendor supplied the equipment,” he said.
Teral said he supports “a fair process to treat everyone equally.”
“In the end, we are all on the same page: the world wants a robustly secured 5G network,” he said.