With No Proof That China’s Huawei is Malicious, The Potential for Abuse Remains
The security of the supply chain is an area of increasing concern. If a malicious actor can introduce spyware or a backdoor into the supply chain, then every customer downstream is at risk. This is a concern for western governments, who fear that adversarial nations might use their local authority to compromise hardware and/or software originating from within their own borders.
China and Huawei are a focus for such concern for three primary reasons: China is a major originator of hardware and hardware components used in western countries; it has a form of government considered to be antagonistic towards western liberalism; and it exerts strong legal control over its own companies and people. The fear is that the Chinese government could force Huawei to insert backdoors into Huawei products sold to the west.
The result is typified in a speech by US federal CTO, Michael Kratsios, at the Web Summit held in Lisbon, Portugal, in November 2019. “The Chinese government has built an advanced authoritarian state by twisting technology to put censorship over free expression and citizen control over empowerment,” he said. “The government continues extending its authoritarianism abroad, and in no case is this more clear than with Huawei.”
While few people would question the first statement, he offered no validation for the latter. He mentioned an article in Le Monde from January 2018 that reported a five-year period of data exfiltration from an African Union computer system provided by China and extensively using Huawei produced equipment. However, there is no evidence of backdoors in the Huawei equipment; the incident has not damaged relations between the African Union and China; and Huawei has stated, “These data leaks did not originate in technology supplied by Huawei to the AU. What Huawei supplied for the AU project included data center facilities, but those facilities did not have any storage or data transfer functions.”
This is the current state of relations between the U.S. government and Huawei: U.S. rhetoric warning about the danger of embedding China-made hardware within western systems, accompanied by Chinese denials – but in both cases with no actual evidence.
It is against this background that former federal CIO Tony Scott of the TonyScottGroup (previously CIO at VMware and Microsoft and CTO at General Motors) has produced a paper titled ‘Supply Chain Cybersecurity’. He had begun to believe, he told SecurityWeek, that “much of the current conversation in Washington is focusing on individual foreign companies as a proxy for other issues. The point of the whitepaper is to say, we need to think about this in context, we need to look at where threats really come from, and how they’re dealt with and managed whether you’re a government consumer or in the private sector.”
Huawei and the supply chain
Scott’s paper never once mentions Huawei. It is about the supply chain problem for all companies. Nevertheless, the paper was commissioned and paid for by Huawei and is owned by Huawei.
“We paid for Tony to write the whitepaper,” Andy Purdy, Chief Security Officer (CSO) for Huawei Technologies USA, told SecurityWeek. “He decided on the content and is responsible for the content; but we are also responsible in paying for it.”
The obvious question then is, does Huawei believe that a satisfactory solution to the supply chain cybersecurity problem will solve its problems with the U.S. government?
Purdy, who previously served as a senior cybersecurity official for the U.S. Government, but now is paid by the China-based tech giant, acknowledges that the issue is complex.
“That’s a very complicated matter,” Purdy told SecurityWeek, “because the issues that we face with the US government are multi-faceted. Certainly, I believe that some of the trade war issues right now – the geopolitical context for that – is preventing the government, at its own choice, from even having a conversation with us.”
He continued, “That makes it very hard to know whether and how one or more of the issues that we have with the US government could be resolved. If the government is open to talking about the issues, I believe they can be resolved, and I think addressing the supply chain issues is part of that resolution. But it’s got to be part of a risk management approach that provides policies and processes not just by Huawei but also by our customers and by Huawei in terms of our internal compliance.”
Whether, how and to what extent solving the cybersecurity problems inherent in the global supply chain could provide confidence in Huawei equipment is debatable and fiercely debated.
Hank Thomas, CEO at venture capital firm Strategic Cyber Ventures, comments, “The dynamic nature of modern day supply chains, and the complexity of modern day code, makes our ability to test even a small sample of components coming through dynamic Chinese controlled supply chains impossible. We are in a great power competition with China and our networks are the high ground. We need to secure and hold this high ground and that means eliminating China from our network terrain or risk losing this competition and our way of life one day.”
SaltStack CTO and co-founder, and ex-intelligence employee, Thomas Hatch has a more nuanced and less definite view. “The primary mechanism to alleviate these threats,” he told SecurityWeek, “is through supply chain security. But how deep will that security need to go?”
His conclusion is that, “In a nutshell, supply chain security can alleviate some security threats. However, not the security threats that are most used by security services. They use other approaches simply because they cannot be easily discovered and circumvented.”
But Tony Scott concludes in his supply chain whitepaper, provided exclusively to SecurityWeek ahead of public release, a conclusion that is endorsed by Huawei’s Purdy, that there is one essential element missing from all current supply chain solutions: independent product testing. He believes that government-inspired backdoors in widely used products are unlikely. “With the likelihood of success being low and the likelihood of discovery being high, it simply blows up the whole theory that some people have that a government could massively influence a supplier – in this case Huawei, but it doesn’t matter who – into collaborating to do something similar to the US government fear.” He points out that a single discovered unambiguous backdoor would destroy Huawei’s entire global business.
Likelihoods, however, are not enough for confidence. Here, Scott’s paper (PDF) concludes that the necessary addition to supply chain security is independent product testing – similar in some ways to the UK’s Huawei Cell – but applicable to all products from all manufacturers.
“Independent testing is part of the supply chain answer to concerns over Huawei supply – a significant part,” he told SecurityWeek. “In today’s climate there is suspicion everywhere. Without some form of independent testing and verification, I don’t see how this gets resolved.” He points to UL (formerly the Underwriters Laboratories) as a potential model. “In the U.S.,” he added, “you cannot install an electrical device that doesn’t have a UL seal of approval It’s a model that works reasonably well.” (This is not a legal requirement, but has become a de facto commercial necessity.)
Purdy agrees, but still does not believe that supply chain security will provide a complete solution. SecurityWeek asked if encryption could help. He replied, “I think encryption could definitely be part of a solution.”
But there are still problems. Ray Walsh, data privacy advocate at ProPrivacy.com, points out that basic encryption would not prevent the backdoor collection of metadata. “Any backdoors in 5G networks,” he explained, “could theoretically be used to intercept and snoop on consumer metadata, which is known to disclose a lot of potentially sensitive information about internet users. Thus, even with the use of strong HTTPS encryption, some potential surveillance problems remain.”
He adds there is a question over the scale of data likely to be transmitted across 5G networks. “Due to the massive scale of data that will pass over 5G networks,” he told SecurityWeek, “particularly due to the explosion of IoT applications expected to proliferate – it seems likely that some data will pass through the masts unencrypted.”
Joël Alwen, Wickr’s chief cryptographer, takes a different view. “The fact is, it is impossible to trust much of the underlying infrastructure that Huawei provides for worldwide communications – which now includes or is about to include 5G and its technical components. This is precisely what informs Wickr’s ‘Zero Trust’ design, which among other things employs strong end-to-end encryption to secure messages along their entire path of transmission through the network,” he told SecurityWeek.
“By doing this we can render irrelevant questions about whether the network or related equipment is compromised, at least from the perspective of ensuring message confidentiality and integrity, because good or bad the network operator/attacker lacks the capacity to decrypt and read the messages transmitted through it.”
But there is still a further problem. The U.S. and other western governments don’t want encryption; and are pressing for their own backdoors into current end-to-end encryption offerings – which is ironic in the current context.
The Cell
The Cell – technically the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board – is a facility in Banbury, UK with unique access to Huawei equipment and code. It is overseen by the National Cyber Security Centre (NCSC), and its purpose is to ensure that the UK government can mitigate any risk associated with the use of Huawei equipment within the UK telecommunications sector.
HCSEC has never found a backdoor in any Huawei equipment. It’s latest annual report, from March 2019, is however, a masterpiece of diplomacy. There is no known backdoor – but there are numerous concerns about the quality of Huawei engineering and coding practices.
“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated,” concludes HCSEC. “The Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”
HCSEC is concerned that current Huawei development practices could lead to future vulnerabilities within the products. On the one hand it is fair to say that few company practices could withstand the depth of HCSEC’s examination; but on the other hand, it is worth considering a comment from SaltStack’s Hatch.
Hatch has previously worked in the U.S. intelligence community, and has come to understand how the intelligence services evaluate such issues. One of the concerns he calls ‘technical negligence’.
“Technical negligence,” he told SecurityWeek, “cannot be alleviated with supply chain security, because this approach makes the back doors look as though they are innocent, common mistakes. It is for this reason that technical negligence is a much more common tool used by security services like the CIA. Many state actors stand accused but rarely, if ever, proven to have set up backdoors like these, and given the absence of political oversight into a foreign government, this poses a legitimate security risk that cannot be reasonably mitigated.”
Leaving the potential for future vulnerabilities (that could be exploited by Chinese government agents) would fall under the category of technical negligence. By highlighting this possibility while simultaneously saying that it has found no evidence of backdoors and that Huawei is showing signs of improving its internal processes, HCSEC has effectively converted the Huawei question from a technical one to a political one.
This is relevant to the UK situation. The government is expected to decide on the allowability of Huawei 5G equipment within the UK this week. Meanwhile, a US delegation led by deputy U.S. National Security Adviser Matt Pottinger met ministers in London on Monday, January 13, 2020. They provided a dossier that they claim contains new technical evidence against Huawei – but again, that evidence is not made public.
The UK is in an economically difficult position. Outside of the European Union, and with the economy perilously close to recession, it cannot afford to lose the trading partnership of either the U.S. or China. The effect of the latest HCSEC is to provide arguments for both accepting and banning Huawei equipment in the UK – it makes it a political rather than technical decision.
The trade war
Huawei claims that anti-Huawei sentiment is driven as much by current geopolitics as it is by any evidence against it. Current U.S./China relations are dominated by the ongoing trade war between the two nations. The Huawei suggestion is that U.S. government actions against it are effectively driven by this trade war – in effect, anti-Huawei sanctions are a form of protectionism for American companies and American global technological dominance.
The weakness in this argument is the same as the weakness in arguments against Huawei: there is not any – but in this case, there cannot be any – proof of the assertion. Nevertheless, it should be considered; but with the proviso that if circumstantial evidence against the U.S. government is given credence, then by the same argument, circumstantial evidence against Huawei should be given equal credence.
The anti-U.S. government attitude is well summarized by François Candelon, partner and managing director of the Boston Consulting Group (BCG) in Paris (reported in Le Monde on January 5, 2020): “The United States is attacking Huawei because it is the only Chinese company that is truly international. It generates half of its turnover outside China, which is not the case for Tencent or Alibaba, for example. But above all, if Huawei is banned in Europe, the continent will be twelve to twenty-four months behind in the deployment of 5G technology, which is critical for all companies. In fact, this ban would give American companies a competitive advantage on the European market…”
Anti-Huawei pressure is certainly being exerted on Europe. Apart from future trade warnings, there is a threat to reduce intelligence sharing. Given the dominance of the NSA in global intelligence collection, this is a major threat. However, it is clearly driven by politics rather than reason.
Senator Tom Cotton (R-Arkansas) has introduced a bill that would ban the sharing of U.S. intelligence with countries that use Huawei equipment in their 5G networks. His language, however, is intemperate: “The United States shouldn’t be sharing valuable intelligence information with countries that allow an intelligence-gathering arm of the Chinese Communist Party to operate freely within their borders. I urge our allies around the world to carefully consider the consequences of dealing with Huawei to their national interests,” he said.
This argument is dismissed by ex-federal CIO Tony Scott, who sees no possibility of leakage from intelligence networks regardless of national use of Huawei equipment. The bill, he told SecurityWeek, “is a political decision, probably designed to put pressure from a trade perspective. I don’t see it as a legitimate cybersecurity issue. In the classified networks,” he continued, “you must have a zero-trust approach. The thought that anybody’s equipment is trusted completely in those environments is antithetical to the way that such networks are designed, so I would not have any concerns at all.”
The implied threat has also been dismissed by Sir Andrew Parker, head of the UK’s MI5. In a recent interview with the Financial Times, he said he had no reason to believe that U.S./UK intelligence sharing would suffer if Huawei equipment was used in the UK’s 5G telecommunications network. On Tuesday January 14, 2020, the UK prime minister Boris Johnson also challenged Huawei’s opponents to offer a better alternative.
A path forward
Huawei maintains that it can be trusted. “Huawei is a global company, wholly owned by its employee shareholders,” Purdy told SecurityWeek. “While headquartered in Shenzhen, China, neither the government, nor the Chinese Communist Party have any influence or oversight on our business operations,” he claimed.
The U.S. government remains steadfast that Huawei cannot be trusted. It offers no proof beyond rhetoric that links the company to the Chinese government – which is undoubtedly very active in cyber attacks and cyber espionage against western organizations.
It is an impasse that cannot be solved without open-minded discussion between the two parties – something the U.S. government has resisted. As it stands, there are widespread accusations against Huawei, but not a single example of any proof.
No backdoor has ever been found in Huawei equipment, and there are strong economic reasons for Huawei – and the Chinese government – to avoid doing anything nefarious. But just as there has been no proof that Huawei is bad, it is impossible to prove that the company is good. The potential for abuse remains.
Potentials, however, can be managed. There is no hardware from any source that is not potentially harmful. Huawei hopes that improved supply chain security coupled with the use of encrypted communications across the 5G network and independent product testing – all supported by an open dialog between the parties – could pave the way to a solution.
Related: Intel’s Compute Lifecycle Assurance to Protect Platform Supply Chains
Related: The United States and China – A Different Kind of Cyberwar
Related: Firm Analyzes China, Russia-based Supply Chain Risks of Electronic Voting
Related: The Increasing Effect of Geopolitics on Cybersecurity
Related: Huawei Rejects Western Security Fears, Says ‘No Evidence’
