Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/1/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Nuanced Approach Needed to Deal With Huawei 5G Security Concerns

Governments need to adopt strategic approach for dealing with concerns over telecom vendor's suspected ties to China's intelligence apparatus, NATO-affiliated body says.

A new research report from the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) recommends that the US government and its allies take a nuanced approach to dealing with China's Huawei as a potential supplier of next-generation 5G technology.

While outright banning of the company's products may be viewed as necessary by some governments, there is room for other options, such as implementing a government oversight body to evaluate Huawei's hardware and software, the report says.

The UK's Huawei Cyber Security Evaluation Centre (HCSEC) is the best example of how effective such an oversight body can be in addressing security and intelligence concerns tied to the use of Huawei's technologies, CCDCOE says.

HCSEC is controlled by the UK's National Cyber Security Center and, since 2010, has played a fundamental role in assessing the trustworthiness of Huawei's technologies in the country, the report says. Just last week, HCSEC issued a scathing report that criticized Huawei for not having secure software development practices.

Huawei has established similar security assessment centers in Germany and recently Brussels, though those centers do not have a dedicated oversight board like the UK's HCSEC.

"Instead of a blanket ban, the model of inclusive, competent, and transparent oversight embodied in the UK Huawei supervisory board is a good example" of options that governments might want to consider, says CCDCOE, a body of cybersecurity experts from 21 nations. "Such 'confidence building' and risk mitigation measures may, however, be accessible only to countries with extensive resources and expertise." 

The US government has prohibited the use of Huawei's technologies — including 5G — citing national security concerns over the company's alleged ties to China's government and intelligence apparatus.  

5G wireless technology supports much higher speeds than 4G, much better device connectivity, and reduced latencies. The technology is expected to enable a =new set of next-generation applications and use cases in areas such as robotics, virtual reality, and smart cars.

Huawei has established itself as an early leader in the space and is the only company currently able to produce all of the elements of a 5G network, the CCDCOE report says. Its closest competitors — Nokia and Ericsson — don't yet have a viable alternative. Huawei and a handful of other Chinese telecommunications companies have been leaders in setting global standards for 5G and obtaining patents around the technology.

US officials have said that using Huawei's technologies — especially next-generation 5G network technology — could expose the country to espionage and spying by China's government and military. The US is now trying to get other Western nations to take a similar stance in banning the use of Huawei technologies.

Long-Standing Concerns
Fueling those concerns is China's long record of corporate espionage and intelligence-gathering activities against the US and other Western countries that it considers as economic and military rivals. Ninety percent of economic espionage incidents between 2011 and 2018 have involved China, CCDCOE says. Huawei itself has been directly accused of similar actions leading to the arrest of its CFO in Canada earlier this year.

Recent Chinese laws, including the National Intelligence Law of 2016 and the 2014 Counterintelligence Law, have exacerbated concerns by specifically requiring organizations like Huawei to cooperate with and support national intelligence activities, CCDCOE says. Such acts have raised considerable concerns about the ability of Chinese state actors to introduce backdoors in technology products from the country.

"Core communications networks constitute fundamental infrastructure and therefore are an essential national interest, bearing national security implications," the report says.

The fact that Huawei's 5G technology will be deployed for backbone communications networks means that it would become part of the core national communications infrastructure for any country. Governments should therefore approach any discussions involving the acquisition and use of 5G technologies from a national security perspective, rather than from a purely technological one, the NATO-affiliated body says.

Huawei itself has described the US government's stance as being motivated by geopolitical and economic rivalry. The company has accused the US of attempting to unfairly restrict its business; earlier this month, it filed a lawsuit in a Texas federal court challenging the constitutionality of the ban against the use of its products.

The US, though, is not the only country with concerns over Huawei's dominance in an area as critical as 5G networking. The CCDCOE report identifies other nations, such as the Czech Republic, Australia, Japan, and New Zealand, as imposing restrictions on the use of Huawei products.

Germany and other EU nations are considering similar restrictions. But they have not taken the step yet, citing the lack of conclusive evidence tying Huawei to the Chinese government or military. "There is growing appetite among EU member states and NATO allies on EU/NATO coordination in this matter," the report says.

But shutting the door entirely on cooperation with Huawei may backfire as well, the report warns. Such an action would potentially deprive industries in Europe and other regions of an opportunity to develop 5G services and leave development to be led by Chinese companies.

Ezra Gottheil, an analyst with Technology Business Research, says the US itself is unlikely to be hurt. "I don't think the US is in danger of falling behind in the use and development of 5G if it continues to ban Huawei," he says. "I think alternative vendors like Ericsson can deliver on 5G."

At the same time, US officials are preparing for the fact that many countries over the next few years will transition to 5G networks based on technologies from Huawei and other Chinese vendors. According to a Washington Post report Monday, US cybersecurity experts have begun discussing ways to use encryption, network segmentation, and stronger security standards to minimize risk to critical systems when connecting to networks based on 5G technology from Huawei and other Chinese vendors.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChristopherJames
50%
50%
ChristopherJames,
User Rank: Strategist
4/16/2019 | 4:01:05 AM
Already in the market
It sounds like a fair deal to me since they are indeed able to provide the technology that is needed and they are already in the market. Since there is still an underlying concern over their security lapses, perhaps that component could be addressed separately so as not to disregard their credibility fully.
ChadL196
50%
50%
ChadL196,
User Rank: Author
4/2/2019 | 1:49:29 PM
why not all vendors?
There's certainly reasonable grounds for concern over Huawei, but clearly intentionally or not, vendors like Cisco are also at risk of compromise by their own governments. So stricter 3rd party oversight, testing and scrutiny like Huawei is facing are probably good things for any vendor in that space. 
schopj
50%
50%
schopj,
User Rank: Strategist
4/2/2019 | 10:02:27 AM
Sounds like they are playing dumb
When looking at the report from the UK, it looks an awful lot like Huwei might be introducing vulnerabilities on purpose while playing dumb and hoping no one notices.  It sounds like their development process is to blame for this.  So, either by design or due to bad development processes, the result is the same, Huwei products are likely to contain backdoors and vulnerabilities that could be exploited by not only the Chinese government, but any government who finds these vulnerabilities before the InfoSec community does.  
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.