Can you trust Huawei... or any other networks supplier for that matter? Chinese telecoms giant Huawei may well be the world's most controversial technology company. It's also probably one of the most well-known names on the US government's "entity list", where it was placed in May this year. A placement on the effective trade blacklist – although it has since been given a reprieve until August – …
is that they dont have the necessary backdoors for snooping
You're close to "the ball": The Chinese Security agencies don't want to share the backdoors with the west. This bit, the west can "tolerate", however, the biggest grievances is the price of their kit.
Huawei’s prices “were not market-based,” said an equipment industry executive who has worked for years in North America. “They made no sense.”
Roger Entner, an analyst at Recon Analytics, estimated Huawei and its compatriot, ZTE, charged 30% to 50% less than rivals.
You mean they were competing on price? OMG those bloody commies, that's not how you wring the most amount out of people with the least amount of effort.
You create a cartel, split up the market then generally charge the same price, like any real libertardian capitalist that thinks the 'market' will fix itself and self regulation works for the consumer. Competition? We don't need no stinkin' competition.
Nonsense, let me give you some criteria :
- amount of bugs discovered in software
- mean time to patch bugs
- overall efficiency of products
- friendliness toward the NSA/China/Russia/Other
- level of security implemented in software
- level of security implemented in hardware
There you go. It may take a bit of preperation, but I'm sure you can assign a number to those criteria and thus obtain a ranking.
I read one of the analysis papers on huawei.
Lots of bad flaws, but as far as I could tell, most were in the admin interface. That's bad, but if you're an enterprise, your admin interfaces are all firewall-protected, right? So, mitigations are in place.
Talk to me about the exploitable flaws in the routing and switching engines. The other stuff is negotiable.
As for competing on price and using "slave labour". Check out Cisco's prices for RAM. No fancy IP involved there. Profiteering I think.
So Trump promotes US business. That's his job. No one else needs to agree with him.
Probably the most rigorous public testing of Huawei's equipment is carried out by the UK's Huawei Cyber Security Evaluation Centre, a Banbury-based operation known as "the Cell" run by signals intelligence agency GCHQ. As the name suggests, it only tests Huawei kit, not that of its rivals, so it's not possible to draw comparisons.
Really, they should test kit from other peddlers as well... As a security expert you will need to do such a thing in order to compare the various aspects of all kits when measured/compared against each other.
Other manufacturers are not as pervasive throughout the UK (well BT/Openreach) telecoms infrastructure
BT's current infrastructre has a LOT of huawei in it (often wondered if 21CN was a percentage of chinese kit in network not 21st century network....)
Plus given that the kit is also widely used in countries we have an interest in spying on (its cheap and china will sell to just about any regime) makes sense to concentrate on knowing your enemy, the others are all a moot point due to either being owned by entities in 5i countries or have sanctioned backdoors at NSA/GCHQ's request.
Dont confuse the "security" in the centers title for the meaning that infers protection, add the air quotes and go for the spooky cold war meaning. They are looking to pwn the kit and understand its weaknesses, neuter or contain any threat and ultimately use that knowledge for our own advantage, be it tapping comms, or saving a few billion on core infrastructure; not protect enterprises or put a kite mark on the kit....
I'd say those are not key areas. How well a country protects it's citizens data has nothing to do with typical vendor selection of tin. Mainly because that's a political issue rather than technical, ie any legislation like GDPR. You could also argue it'd rule out any US kit given Facebook, Google etc, and being mixed up with TLAs.
It's also where security theatre and trust, or lack of trust becomes a big issue. Saying stuff has 'military grade' security can be used in marketing, but generally meaningless. Saying it meets EAL 7 may give more confidence given that's an ISO(15408). But then getting kit certified and granted an EAL rating is expensive, time consuming and may only be applicable to a specific model, or implementation.
It's an area where the TLA's could do more to help, assuming they are trusted. So CESG does do evaluations, but could arguably do more. Problem is the usual one, funding, or lack thereof. The Huawei 'Cell' is a good example. It gives a thorough hairy eyeball to Huawei tin, but as it's a JV between CESG and Huawei, it doesn't examine other vendors. One solution could be to expand that model using some industry and government funding.
But it's still going to face trust issues, especially when TLAs are suspected of having backdoors. Or even legislating for back doors, eg my usual example of US CALEA compliance. Mandatory for tin used in the US, and there's a trust element that any back doors will only ever be used by their intended audience. Again that's where the 'key area' is problematic given legislation in countries generally has a requirement for lawful intercept.
Rest is part of doing business. Issue an RFP stating how tin will be used, standards it must comply with, service and support levels required etc and wait for responses. Then shortlist suppliers, possibly down to 1 and invite them to supply tin for your R&D site, where it'll be given a thorough going over by your test engineers.. Which BT did with Huawei and 21CN, so lots of compliance, interoperability and other testing. But that's expensive, time consuming and assumes you haven't RIF'd lots of engineers & flogged off your R&D site to property developers. And most non-BT's don't have that kind of luxury anyway, so often wait for an anchor customer like BT to adopt a vendor's kit before buying it yourself. Or you may be forced/better off buying that kit anyway because it needs to interoperate with Openreach.
SDN's one example where the dream requires interoperability, along with exposing control plane functionality you'd normally want to keep hidden. Or there's stuff like optical networking and OTN ONI's for wholesale interconnects. If vendor's tin came with an NSA/GCHQ seal of approval, it may provide more confidence though.
What doesn't help is simply saying 'This is not secure because China'. Test and tell us what is secure. Enough. At that point in time. In a given configuration.. So nice idea, but non-trivial..
Just a rehash of all the accusations and insinuations why you cannot choose Huawei, and even if you could, it might be more convenient to bow to US demands. It's not balanced, taking GCHQ public declarations as the highest truth, free from any geopolitical influences. It doesn't even mention that of all of the accusations there has never been actual facts found of wrongdoing such as spying for the Chinese government.
Maybe you should consider who has been the most aggressive at spying on the world. Is it the Chinese gov? I don't think so. I think those revelations brought by Snowden are still enlightening. Its the US gov who demands to capture all of the world telecom and apparently Huawei is a serious issue for them.
No. Not unaware, probaly just USians with their fingers in their ears shouting 'U S A' while checking their history books again to re-assure themselves that they won WW2 and without them you'd be speaking German now.
Luckily there are a lot of Americans, who do seem to be waking up.
The simple answer is no you can't.
While Huawei doesn't have a stellar nor good for that matter record about patching CVE's even the best one Google is always at least two steps behind caring good maintained developer community.
This is still on the half acceptable level as at least it relies on open source Linux stack where at least you can snoop around & see what's going on.
What about dominant users space vendor such as Qualcomm whose modems work on property RTOS (which orginalni whose open source but ain't anymore ) & you only have property binary blobs? Well that's just triple A security threat!
The other side of the mirror reflection is a hardware. Somehow it showed so far how most security co processors had a design flows which contained security exploits that could be used as backdoor's. That's hard printed, property and hard to both find and fix. On the other hand there ware a lot of similar issues with even very popular & licensable general purpose CPU core's (ARM A53 erratums) & we are witnessing a numerous new find popping out one's regarding out of orde core's on all architectures (while Intel leads a pact). In fact it's so serious that good old (welcome back) Linus broke the code of conduct in adresing them. At the end seeing is believing & the future should be based on both sides of the glass in open & transparent designs/code. With RISC V we are at least a step closer to our own security regarding the hardware side. There is no such thin as a trust worthy government or good honest corporation so don't follow leaders & watch your parking meters.
"More broadly, China passed a law in 2017 which obliges its companies to co-operate with the state."
Hmmmm, sounds like another country I'm very familiar with...
https://www.theregister.co.uk/2018/10/20/cryptobusting_is_only_bad_if_youre_a_commie_and_were_not/
"Hemmings said that while plenty of western technology companies get involved with military and security work, the difference is that they can choose not to – unlike Chinese ones."
When I read that, first thought was Patriot Act, especially in light of the fact that non-compliance with a National Security Letter, let alone a FISA Court warrant, results in prison time without the benefit of even going to court. We've already seen companies shut themselves down rather than even try to fight. The only reason Microsoft is still in their fight is that it was a federal judge overreaching and that's percolating up the judicial process. If the federales has used either of the above, Satya would be staring through jail bars right now and neither he, nor his lawyers, would even be able to say why.
A related observation, what is Freedom House smoking/dropping? I do pay attention to Australian news (APAC is my favorite beat) and they should be farther down the list, closer to the US, on the basis of what's happened recently. Typical NGO.
I'm guessing that router software is complicated, but well understood. The trick would be to use Huawei hardware with the firmware rebuilt from source code by a team of open-source-world programmers, under Ross Anderson's supervision. If you could negotiate and build such a thing, you'd have everything the UK needs. If you could keep GCHQ out of it, it might also be an international hit.
I see no mention of the price of licensing or other services. If 5G dominance goes to suppliers outside USA it might have a serious impact on the USA's trade balance numbers. I think I would like to know more about the money before worrying too much about the spying, which everybody does anyhow.
"The report makes the case that Huawei is effectively government controlled, and that its 98 per cent ownership by a trade union committee..."
Funny that, since the employees believe that employees own all the shares. Let me see, who do I believe? Chinese people who actually work there and claim to own shares, or some committee of blimps in England who claim to know better?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
