'Cyber Security by Logo' Won’t Work With Huawei — or Any Other Company

[IS] Opinions

Technology

‘Cyber Security by Logo’ Won’t Work With Huawei — or Any Other Company

Posted to Technology January 30, 2019 by Kevin Curran

The arrest of Sabrina Meng, the CFO of Huawei, has thrust a global Chinese technology company into the public spotlight. In addition to smartphones and laptops, Huawei sells the switches and routers used to run many of the world’s telecommunications networks. It has invested heavily in 5G, the fifth-generation wireless technology that will underpin many sectors of tomorrow’s digital economy.

America worries that China’s technological ambitions will thwart U.S. plans for continued global dominance. Without producing any significant evidence to support its claims, the U.S. has long accused Huawei of having ties to the Chinese government, and is pressing its allies to ban the company’s equipment from their networks. Some have bowed to pressure; others are weighing their options.

Although U.S. pressure to block Huawei is based more on geopolitical and commercial considerations than on any actual threat, the U.S. stokes fear by waving the red flag of cyber security.

To alleviate this concern in the UK, in 2010 Huawei and the British government established a Cyber Security Evaluation Centre (CSEC) in Banbury, UK to scan the company’s equipment and software code for vulnerabilities. The Centre is run by Huawei along with some of its customers, including BT, and is supervised by GCHQ, the British signals intelligence agency.

This sensible approach to managing risk reflects a fundamental truth about cyber security: that the only way to make sure a piece of software does not contain back doors is for independent experts to audit the code. This is a far more effective strategy than banning individual companies in an attempt to achieve “cyber security by logo.”

By identifying issues that need addressing, the CSEC is working as designed. In July, the fourth annual CSEC report to the UK’s National Security Adviser identified two “shortcomings in Huawei’s engineering processes.” First, the software code built by Huawei’s engineers sometimes produces different outcomes in the tests run by CSEC than it does when it’s installed in actual UK telecom networks. Second, GCHQ found that some software used by Huawei’s third-party suppliers is not updated often enough to be secure.

Exposing such shortcomings is exactly what the CSEC is designed to do. Huawei has agreed to completely overhaul its software engineering processes and is pledging to spend US $2 billion over the next five years to improve the way it develops and maintains software.

For its part, Ireland seems quite happy with Huawei. No warnings have been issued by Ireland’s Department of Communications or its telecom regulator. Its largest mobile provider, Eir, is using Huawei equipment to link the country’s mobile network with equipment provided by Ericsson. Eir says it has no concerns and “would not have selected Huawei if we believed there was any risk for our customers”.

In the UK, Huawei has been supplying access gear to fixed and mobile networks for more than 15 years. For the last four, the Banbury facility has subjected Huawei’s gear to rigorous testing by experts. If there was a smoking gun, someone should have found it by now.

Perhaps that’s why Ireland hasn’t imposed any restrictions on Huawei. One hopes that other countries will follow suit and resist the fear-mongering that might otherwise push them to make irrational decisions which protect no one and impose unwanted costs on businesses and individuals.

About the Author

Kevin Curran

Kevin Curran is a Professor of Cyber Security with the School of Computing, Engineering, and Intelligent Systems at Ulster University in Northern Ireland. He wrote this for insideSources.