If there is a back door. No one’s been able to find one in Huawei’s kit, but Alan Burkitt-Gray asks if we’re taking the wrong approach to network security
Make no mistake. The telecommunications industry is driven by the US-versus-China trade war. The first battle in the telecoms field was over ZTE in 2017-18 and the second, still raging, is over its Chinese rival, Huawei.
The US is alleging that Huawei can’t be trusted because it is controlled by China and the Chinese Communist Party, and that its network equipment is insecure, allowing China to spy on anyone whose traffic goes through Huawei systems.
Huawei vigorously denies this – though it would be surprising if it did anything other. It insists it’s owned by its employees, and some Huawei staff-shareholders have told me how much they get in dividends. The only on-the-record observation we have by a major tech company was in June 2013 when Google offered a comment to the Guardian newspaper, which was working with the New York Times on the Edward Snowden revelations.
“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data.”
Two crucial points in that paragraph: Google discloses user data when instructed by the US government, just as the US says Huawei will on instruction from Beijing. Second, it doesn’t provide a back door.
Of course, all regulated telecoms operators in all countries have to provide information to law-enforcement agencies, and this is no secret – though something telcos don’t like talking about.
But, back doors? One of the persistent allegations about Huawei is that it provides back doors to the Chinese authorities, back doors that could be accessible worldwide, given the interconnected nature of the world’s telecoms networks.
Huawei strongly denies it, and no one has ever found any sign of them – in particular those people whose job it is to look for back doors. The UK’s Government Communications Headquarters, GCHQ, is the country’s digital intelligence service, based in Cheltenham in the west of England. (Government officials in London speak of all spooks as “the friends”; GCHQ staff are “our friends in the west”.)
GCHQ runs a unit called the Cell, just over an hour’s drive away in Banbury, whose sole job is to tear apart Huawei’s equipment and software. The Cell – officially the Huawei Cyber Security Evaluation Centre (HCSEC) – is staffed with security-vetted cyber intelligence professionals but is funded by Huawei as a cost of doing business in the UK.
The Cell has been rude about the standard of Huawei’s software engineering. In March, it reported “serious vulnerabilities” and said it could give “only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”.
The impression is given that this is because of sloppy engineering, not through deliberate policy, and Huawei has announced a long-term plan to upgrade its engineering standards at a starting price of $2 billion.
But I spoke to one cyber security professional – nothing to do with the Cell, GCHQ or Huawei, or indeed any telecoms company – who has also looked at the company’s software, and other vendors’ software.
This person, speaking with me on a guarantee that I didn’t use their name or give any other identification, wondered whether sloppy could be a disguise or an excuse. It’s easy to insert “innocuous-looking bits of code that are malicious”, my contact said. Many vendors “have iffy software too”, though no one has raised the same sort of issues.
As a board-level executive with one of the top European telcos said to me at Mobile World Congress in Barcelona in February, “the difference is that European and North American countries are democracies and China isn’t”.
Much has been made of the UK’s National Security Council’s apparent decision in April to allow Huawei kit to be used in the radio access network (RAN) for 5G but not in the core. Vodafone already uses Huawei kit in its RAN and told Capacity in March that it wouldn’t use the vendor for the core.
Is that wise? I turn back to my anonymous cyber security friend. This is what they said: “If I were going to bug someone’s communications I’d do it at the edge – not in the core where the target data is overwhelmed by the gigabytes that are travelling along the fibres.”
Think about the old movie image of a private detective in a grubby mackintosh bugging someone’s phone.
He wouldn’t go to the long-distance lines with his crocodile clips and tape recorder.
Where you go is the telephone pole or junction box outside the target’s home, or at least the relevant telephone exchange, where you can find what you’re looking for without needing to filter out the noise.
Same with 5G. If you want to bug someone, go to the cellsites around the target’s home and office, not to the core.
Back in the early days of the web, people said you shouldn’t put anything in an email that you wouldn’t write on the back of a postcard. We’ve forgotten that. Electronic communications are inherently incredibly insecure.
View this network security analysis as a digital page in the June/July edition of Capacity magazine and see what other great articles you may have missed out on!