Government confusion/mixed messages
Sometime ago the prime minister and/or the home secretary was moaning about WhatsApp aiding terrorists and how they cannot crack it which I do not buy fully. Which brings up two thoughts. 1. Politicians not knowing what they are talking about - possible. 2. Politicians lying - hmm.
In 2010 the government opened the “The Cell” in Banbury, an evaluation centre for products. At first there were concerns about it and in 2015 it got a good bill of health with room for improvements of course. In April this year Theresa May approved a deal to use them and in May there are various concerns. Mixed messages from politicians to say the least.
Is Huawei spying on us?
An American politician said some years ago “we are afraid of China’s capitalism not communism”. China and its people love making money locally and abroad. Most normal citizens are not interested in Chinas “confused” politics. It would be foolish for China to intentionally backdoor products since if it was proven it would seriously harm their reputation. That said it is tough to 100% prove such a claim.
China is different to Iran, Russia, North Korea and others. The latter’s are primarily interested in harming us in the physical and virtual world plus stealing our IP. Whereas China is usually “clocked” for stealing our IP rather than building a new product from scratch. From what one man told me, is Huawei’s networking gear is faster and cheaper than Cisco’s and is likely modelled on Cisco!
Let’s imagine for a second none of the top management at Huawei are on the regime’s books. There are two options for products to be “bugged”. Firstly: the state could simply push staff into Huawei under the guise of a job - any country can do this. It would be tough for Huawei to spot this and even harder to refuse someone a job if they suspected them of being employed by the state.
Secondly: China could issue a “subpoena” to them to swap out portions of the code and refusing would very likely land you in jail. Coding is currently done by humans and they make mistakes which may introduce a remote connectivity security flaw. All products, Chinese, Western and others have bugs discovered in, which could cause UI (user interface) errors or worse security flaws. It is impossible to rule out state interference in Huawei due to, well… you have little choice in China.
Non-mainstream Chinese brands are not known for their quality or security posture. This is not to say poor security is being introduced on purpose, the answer is culture and money. Rushing products out the door and security being five thoughts away is common in all countries and companies. Meltdown, Spectre, Heartbleed, EternalBlue and more are well known Western security flaws and it is hard to know how they came about. Everyone spies - some get caught more than others (e.g. China).
Protectionism
Everyone does it, not just Trump against China since he took office. The European Union has done it for far longer, quote: “A non-EU company is 'dumping' if it exports a product to the EU at a price lower than the normal value of the product”. For years they introduced anti-dumping taxes against Chinese porcelain. The EU to has a rule to, they prefer suppliers within The Bloc.
Apart from Huawei who could supply 5G kit? Nokia (Finland, EU), Ericsson (Sweden, EU), Intel (US), HPE (US) and Qualcomm (US). China is an outsider being non-American nor EU registered which brings one advantage… cost. Contrary to popular belief the world is run by money. Cheaper quotes typically win though this pumps most of the cash outside of your borders and does not help people in the West with shares in the suppliers named above.
Trade/politics
Two events from April and May mysteriously appear like “coincidences”. 8/6 https://www.thesun.co.uk/news/8817170/philip-hammond-cosies-up-to-china-in-bid-to-grab-a-piece-of-countrys-multi-billion-investment-drive/ and 24/4 https://www.reuters.com/article/us-britain-huawei-tech/uk-to-allow-huawei-limited-access-to-5g-networks-telegraph-idUSKCN1RZ2HD. Oddly the article from The FT is published one day before the conference where Chancellor Hammond is attending in Beijing.
Last month in the U.S, a similar though less strong connection could be spotted. 16/5 https://www.bbc.com/news/world-us-canada-48289550 and eight days later https://www.bbc.com/news/business-48392021.
The finale… should we use Huawei 5G kit at all?
In cyber security we do risk assessments and think about: cost, security, usability, probability and impact. Some companies do risk assessments and pretty much accept everything and do little security, this is a discussion for another day. From The Daily Mail’s article on 24/4, https://www.dailymail.co.uk/news/article-6952983/Theresa-defies-security-warnings-APPROVE-Huawei-deal-help-build-Britains-new-5G-network.html, it does not give great detail nor do other media outlets.
If I was running the 5G private sector rollout and Huawei was potentially part of the deal I would ask:
- What items of Huawei made kit are going to be used?
- Is Huawei going to supply engineers from China?
- What vetting/clearance do the engineers from China and UK have?
- What is the value of the kit* and/or labour deal?
- What assessments has the state (NCSC) done?
- Will NCSC assign staff to constantly monitor the programme or just test it at the end?
- How much would it cost more to only use European and American kit?
*Nowhere have we seen the actual total value of Theresa May’s deal with Huawei.
Based upon the seven points above, there could be two outcomes:
- It only costs hundreds of millions, or a billion or two to remove Huawei from the equation
- To remove Huawei from the equation it costs billions extra. If so, accept the risk if it is low or put mitigating controls around it - not that anything is ever 100% perfect
If you went for option one, plenty of European and American companies would be lining up to replace Huawei which would make employees and shareholders happy!