Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:45 PM
Connect Directly

Nuanced Approach Needed to Deal With Huawei 5G Security Concerns

Governments need to adopt strategic approach for dealing with concerns over telecom vendor's suspected ties to China's intelligence apparatus, NATO-affiliated body says.

A new research report from the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) recommends that the US government and its allies take a nuanced approach to dealing with China's Huawei as a potential supplier of next-generation 5G technology.

While outright banning of the company's products may be viewed as necessary by some governments, there is room for other options, such as implementing a government oversight body to evaluate Huawei's hardware and software, the report says.

The UK's Huawei Cyber Security Evaluation Centre (HCSEC) is the best example of how effective such an oversight body can be in addressing security and intelligence concerns tied to the use of Huawei's technologies, CCDCOE says.

HCSEC is controlled by the UK's National Cyber Security Center and, since 2010, has played a fundamental role in assessing the trustworthiness of Huawei's technologies in the country, the report says. Just last week, HCSEC issued a scathing report that criticized Huawei for not having secure software development practices.

Huawei has established similar security assessment centers in Germany and recently Brussels, though those centers do not have a dedicated oversight board like the UK's HCSEC.

"Instead of a blanket ban, the model of inclusive, competent, and transparent oversight embodied in the UK Huawei supervisory board is a good example" of options that governments might want to consider, says CCDCOE, a body of cybersecurity experts from 21 nations. "Such 'confidence building' and risk mitigation measures may, however, be accessible only to countries with extensive resources and expertise." 

The US government has prohibited the use of Huawei's technologies — including 5G — citing national security concerns over the company's alleged ties to China's government and intelligence apparatus.  

5G wireless technology supports much higher speeds than 4G, much better device connectivity, and reduced latencies. The technology is expected to enable a =new set of next-generation applications and use cases in areas such as robotics, virtual reality, and smart cars.

Huawei has established itself as an early leader in the space and is the only company currently able to produce all of the elements of a 5G network, the CCDCOE report says. Its closest competitors — Nokia and Ericsson — don't yet have a viable alternative. Huawei and a handful of other Chinese telecommunications companies have been leaders in setting global standards for 5G and obtaining patents around the technology.

US officials have said that using Huawei's technologies — especially next-generation 5G network technology — could expose the country to espionage and spying by China's government and military. The US is now trying to get other Western nations to take a similar stance in banning the use of Huawei technologies.

Long-Standing Concerns
Fueling those concerns is China's long record of corporate espionage and intelligence-gathering activities against the US and other Western countries that it considers as economic and military rivals. Ninety percent of economic espionage incidents between 2011 and 2018 have involved China, CCDCOE says. Huawei itself has been directly accused of similar actions leading to the arrest of its CFO in Canada earlier this year.

Recent Chinese laws, including the National Intelligence Law of 2016 and the 2014 Counterintelligence Law, have exacerbated concerns by specifically requiring organizations like Huawei to cooperate with and support national intelligence activities, CCDCOE says. Such acts have raised considerable concerns about the ability of Chinese state actors to introduce backdoors in technology products from the country.

"Core communications networks constitute fundamental infrastructure and therefore are an essential national interest, bearing national security implications," the report says.

The fact that Huawei's 5G technology will be deployed for backbone communications networks means that it would become part of the core national communications infrastructure for any country. Governments should therefore approach any discussions involving the acquisition and use of 5G technologies from a national security perspective, rather than from a purely technological one, the NATO-affiliated body says.

Huawei itself has described the US government's stance as being motivated by geopolitical and economic rivalry. The company has accused the US of attempting to unfairly restrict its business; earlier this month, it filed a lawsuit in a Texas federal court challenging the constitutionality of the ban against the use of its products.

The US, though, is not the only country with concerns over Huawei's dominance in an area as critical as 5G networking. The CCDCOE report identifies other nations, such as the Czech Republic, Australia, Japan, and New Zealand, as imposing restrictions on the use of Huawei products.

Germany and other EU nations are considering similar restrictions. But they have not taken the step yet, citing the lack of conclusive evidence tying Huawei to the Chinese government or military. "There is growing appetite among EU member states and NATO allies on EU/NATO coordination in this matter," the report says.

But shutting the door entirely on cooperation with Huawei may backfire as well, the report warns. Such an action would potentially deprive industries in Europe and other regions of an opportunity to develop 5G services and leave development to be led by Chinese companies.

Ezra Gottheil, an analyst with Technology Business Research, says the US itself is unlikely to be hurt. "I don't think the US is in danger of falling behind in the use and development of 5G if it continues to ban Huawei," he says. "I think alternative vendors like Ericsson can deliver on 5G."

At the same time, US officials are preparing for the fact that many countries over the next few years will transition to 5G networks based on technologies from Huawei and other Chinese vendors. According to a Washington Post report Monday, US cybersecurity experts have begun discussing ways to use encryption, network segmentation, and stronger security standards to minimize risk to critical systems when connecting to networks based on 5G technology from Huawei and other Chinese vendors.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/16/2019 | 4:01:05 AM
Already in the market
It sounds like a fair deal to me since they are indeed able to provide the technology that is needed and they are already in the market. Since there is still an underlying concern over their security lapses, perhaps that component could be addressed separately so as not to disregard their credibility fully.
User Rank: Author
4/2/2019 | 1:49:29 PM
why not all vendors?
There's certainly reasonable grounds for concern over Huawei, but clearly intentionally or not, vendors like Cisco are also at risk of compromise by their own governments. So stricter 3rd party oversight, testing and scrutiny like Huawei is facing are probably good things for any vendor in that space. 
User Rank: Strategist
4/2/2019 | 10:02:27 AM
Sounds like they are playing dumb
When looking at the report from the UK, it looks an awful lot like Huwei might be introducing vulnerabilities on purpose while playing dumb and hoping no one notices.  It sounds like their development process is to blame for this.  So, either by design or due to bad development processes, the result is the same, Huwei products are likely to contain backdoors and vulnerabilities that could be exploited by not only the Chinese government, but any government who finds these vulnerabilities before the InfoSec community does.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...