06:45 PM
Nuanced Approach Needed to Deal With Huawei 5G Security Concerns

Governments need to adopt strategic approach for dealing with concerns over telecom vendor's suspected ties to China's intelligence apparatus, NATO-affiliated body says.

A new research report from the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) recommends that the US government and its allies take a nuanced approach to dealing with China's Huawei as a potential supplier of next-generation 5G technology.

While outright banning of the company's products may be viewed as necessary by some governments, there is room for other options, such as implementing a government oversight body to evaluate Huawei's hardware and software, the report says.

The UK's Huawei Cyber Security Evaluation Centre (HCSEC) is the best example of how effective such an oversight body can be in addressing security and intelligence concerns tied to the use of Huawei's technologies, CCDCOE says.

HCSEC is controlled by the UK's National Cyber Security Center and, since 2010, has played a fundamental role in assessing the trustworthiness of Huawei's technologies in the country, the report says. Just last week, HCSEC issued a scathing report that criticized Huawei for not having secure software development practices.

Huawei has established similar security assessment centers in Germany and recently Brussels, though those centers do not have a dedicated oversight board like the UK's HCSEC.

"Instead of a blanket ban, the model of inclusive, competent, and transparent oversight embodied in the UK Huawei supervisory board is a good example" of options that governments might want to consider, says CCDCOE, a body of cybersecurity experts from 21 nations. "Such 'confidence building' and risk mitigation measures may, however, be accessible only to countries with extensive resources and expertise." 

The US government has prohibited the use of Huawei's technologies — including 5G — citing national security concerns over the company's alleged ties to China's government and intelligence apparatus.  

5G wireless technology supports much higher speeds than 4G, much better device connectivity, and reduced latencies. The technology is expected to enable a new set of next-generation applications and use cases in areas such as robotics, virtual reality, and smart cars.

Huawei has established itself as an early leader in the space and is the only company currently able to produce all of the elements of a 5G network, the CCDCOE report says. Its closest competitors — Nokia and Ericsson — don't yet have a viable alternative. Huawei and a handful of other Chinese telecommunications companies have been leaders in setting global standards for 5G and obtaining patents around the technology.

US officials have said that using Huawei's technologies — especially next-generation 5G network technology — could expose the country to espionage and spying by China's government and military. The US is now trying to get other Western nations to take a similar stance in banning the use of Huawei technologies.

Long-Standing Concerns
Fueling those concerns is China's long record of corporate espionage and intelligence-gathering activities against the US and other Western countries that it considers economic and military rivals. Ninety percent of economic espionage incidents between 2011 and 2018 have involved China, CCDCOE says. Huawei itself has been directly accused of similar actions leading to the arrest of its CFO in Canada earlier this year.

Recent Chinese laws, including the National Intelligence Law of 2016 and the 2014 Counterintelligence Law, have exacerbated concerns by specifically requiring organizations like Huawei to cooperate with and support national intelligence activities, CCDCOE says. Such acts have raised considerable concerns about the ability of Chinese state actors to introduce backdoors in technology products from the country.

"Core communications networks constitute fundamental infrastructure and therefore are an essential national interest, bearing national security implications," the report says.

The fact that Huawei's 5G technology will be deployed for backbone communications networks means that it would become part of the core national communications infrastructure for any country. Governments should therefore approach any discussions involving the acquisition and use of 5G technologies from a national security perspective, rather than from a purely technological one, the NATO-affiliated body says.

Huawei itself has described the US government's stance as being motivated by geopolitical and economic rivalry. The company has accused the US of attempting to unfairly restrict its business; earlier this month, it filed a lawsuit in a Texas federal court challenging the constitutionality of the ban against the use of its products.

The US, though, is not the only country with concerns over Huawei's dominance in an area as critical as 5G networking. The CCDCOE report identifies other nations, such as the Czech Republic, Australia, Japan, and New Zealand, as imposing restrictions on the use of Huawei products.

Germany and other EU nations are considering similar restrictions. But they have not taken the step yet, citing the lack of conclusive evidence tying Huawei to the Chinese government or military. "There is growing appetite among EU member states and NATO allies on EU/NATO coordination in this matter," the report says.

But shutting the door entirely on cooperation with Huawei may backfire as well, the report warns. Such an action would potentially deprive industries in Europe and other regions of an opportunity to develop 5G services and leave development to be led by Chinese companies.

Ezra Gottheil, an analyst with Technology Business Research, says the US itself is unlikely to be hurt. "I don't think the US is in danger of falling behind in the use and development of 5G if it continues to ban Huawei," he says. "I think alternative vendors like Ericsson can deliver on 5G."

At the same time, US officials are preparing for the fact that many countries over the next few years will transition to 5G networks based on technologies from Huawei and other Chinese vendors. According to a Washington Post report Monday, US cybersecurity experts have begun discussing ways to use encryption, network segmentation, and stronger security standards to minimize risk to critical systems when connecting to networks based on 5G technology from Huawei and other Chinese vendors.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Strategist
4/16/2019 | 4:01:05 AM
Already in the market
It sounds like a fair deal to me since they are indeed able to provide the technology that is needed and they are already in the market. Since there is still an underlying concern over their security lapses, perhaps that component could be addressed separately so as not to disregard their credibility fully.
User Rank: Author
4/2/2019 | 1:49:29 PM
why not all vendors?
There are certainly reasonable grounds for concern over Huawei, but clearly, intentionally or not, vendors like Cisco are also at risk of compromise by their own governments. So stricter 3rd party oversight, testing and scrutiny like Huawei is facing are probably good things for any vendor in that space.
User Rank: Strategist
4/2/2019 | 10:02:27 AM
Sounds like they are playing dumb
When looking at the report from the UK, it looks an awful lot like Huawei might be introducing vulnerabilities on purpose while playing dumb and hoping no one notices. It sounds like their development process is to blame for this. So, either by design or due to bad development processes, the result is the same: Huawei products are likely to contain backdoors and vulnerabilities that could be exploited by not only the Chinese government, but any government who finds these vulnerabilities before the InfoSec community does.