Blocking Huawei 5G doesn’t address full security risk, said Huawei security chief
By Bevin Fletcher, Sep 18, 2019, Fierce Wireless
Huawei (5G)
was put on the U.S. Commerce Department’s Entity List in May due to national
security risks, effectively blacklisting the Chinese telecom equipment giant
and certain affiliates from purchasing certain technology and components from
American companies. The Trump administration has also pressed global allies to
exclude Huawei from next-generation 5G networks, raising concerns that the
Chinese government could use the vendor as an apparatus for attacks or
cyberespionage.
Huawei has
consistently denied allegations, and the company’s chief security officer Andy
Purdy told FierceWireless that Huawei has gotten caught up in the broader trade
dispute between the U.S. and China through “no fault of our [Huawei’s] own,” and
that the company recommends developing an approach that addresses security
risks posed by all vendors.
“Blocking Huawei 5G isn’t going
to make America safer, you need a comprehensive approach,” Purdy said, adding
Huawei encourages efforts like those by the European Union through ENISA
(European Network and Information Security Agency), which is working to create
broad risk mitigation mechanisms.
He also said
there are multiple governments in the world that have the ability to “virtually
implant hidden functionality in hardware or software that’s very difficult to
find.”
“There needs to be testing in
place to make sure that whoever's equipment it is, has not been tainted by the
conduct of some hostile government or some other hostile sophisticated
malicious actor,” Purdy said. “Blocking one company doesn’t help you address
that very real risk.”
Starks calls out Huawei
In the U.S.,
Huawei already supplies 5G & 4G telecom equipment for about 40 rural
wireless companies, and the government is weighing options for how to identify
and fix insecure equipment, including a so-called “rip and replace” method,
which could cost from hundreds of millions to more than a billion dollars.
FCC
Commissioner Geoffrey Starks has taken the lead at the agency in
addressing this issue, and held a workshop over the summer to gather input from
stakeholders on approaches, including funding for smaller operators who may be
unable to shoulder the economic burden. The government is also considering
withholding federal funds from operators that use network equipment deemed
potentially risky.
While
speaking at a CCA (Competitive Carriers Association) keynote on Tuesday, Starks acknowledged
that stretching out the replacement timeline and letting insecure equipment
simply age out of service could save millions.
“We must weigh this potential
savings, however, against the possible risk to our national security while this
equipment remains in place,” Starks said. He also called out concerns over
Huawei specifically.
“Experts say that the equipment
made by Huawei and other Chinese manufacturers presents serious security
vulnerabilities. According to these experts, Huawei software does not have the
same consistency from installation to installation as its competitors.
Programming variations make it difficult or impossible even for Huawei to know
exactly what software is deployed in a given build, and whether the equipment
will accept software updates,” Starks said. “Security experts tell us that this
‘bugginess’ in Huawei software means that it has ‘front doors’ accessible by
both the company and by bad actors familiar with exploiting inconsistencies and
flaws in Huawei code.”
Huawei's defense
Huawei, for
its part, sponsored a seminar at the event titled “Let’s Collaborate to Make
America’s Communication Networks Safer,” where panelists stressed the need for
consistent rules and standards for securing telecom networks.
Speaking at
the session, Purdy said there is a need to create better monitoring
capabilities in general and greater transparency, and pointed to efforts by
GSMA and 3GPP working with operators and equipment vendors to create standards
and a certification process for next-generation telecom equipment.
“As part of transparency, in
our space when equipment vendors are working with operators to service the
equipment or service the networks there are methods that can be used and should
be used that make it quite clear to both the telecom operators and the
governments if necessary that there is limited ability of the equipment vendors
to access any data that they’re not supposed to access or to turn over that
data to anyone they’re not supposed to turn it over to,” said Purdy. “Methods
that provide both assurance and transparency are absolutely essential as part
of verification and conformance.”
He said the
company is hopeful for efforts elsewhere, such as in Germany and Europe, to
create global measures for knowing and being able to test and ensure
trustworthiness of products and services. The U.K. notably is still deciding
whether to bar Huawei equipment from its own 5G networks.
Speaking to
FierceWireless, Purdy said he thinks that, due to the U.S.-China trade dispute,
Huawei hasn’t been able to engage in discussions with the U.S. government that
would otherwise normally take place to potentially resolve the company’s
situation.
When asked
what those talks would entail, Purdy said: “We would have discussions with them
about what real cybersecurity risk is, what’s necessary to be done about it,
and talk about proven mechanisms to address risk, such as those that allow
Nokia and Ericsson to do business in the United States in a fairly unrestricted
way because they have government monitored risk mitigation agreements in place,
and we’d like to talk to the government about whether something like that could
be developed for us.”
Earlier this
year the FCC denied an application from a different Chinese entity, China
Mobile, which was seeking authorization to provide telecom services in the U.S.
That application was denied, on recommendations from U.S. security officials,
on the grounds of national security risks related to influence by the Chinese
government; the FCC also found that a risk mitigation agreement would not be
effective against threats because of the company’s ties to the Chinese government.
In his
keynote, Starks noted the FCC is now also reviewing the existing authority of
two other Chinese telecom carriers to determine if they present the same type
of threat.
Resolution
between the U.S. and China remains to be seen, but Purdy said he thinks that
once that happens it’s likely the U.S. will “finally be willing to talk to
[Huawei], and we look forward to that.”