
Nuanced Approach Needed to Deal With Huawei 5G Security Concerns

Governments need to adopt strategic approach for dealing with concerns over telecom vendor's suspected ties to China's intelligence apparatus, NATO-affiliated body says.

A new research report from the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) recommends that the US government and its allies take a nuanced approach to dealing with China's Huawei as a potential supplier of next-generation 5G technology.

While outright banning of the company's products may be viewed as necessary by some governments, there is room for other options, such as implementing a government oversight body to evaluate Huawei's hardware and software, the report says.

The UK's Huawei Cyber Security Evaluation Centre (HCSEC) is the best example of how effective such an oversight body can be in addressing security and intelligence concerns tied to the use of Huawei's technologies, CCDCOE says.

HCSEC is controlled by the UK's National Cyber Security Center and, since 2010, has played a fundamental role in assessing the trustworthiness of Huawei's technologies in the country, the report says. Just last week, HCSEC issued a scathing report that criticized Huawei for not having secure software development practices.

Huawei has established similar security assessment centers in Germany and recently Brussels, though those centers do not have a dedicated oversight board like the UK's HCSEC.

"Instead of a blanket ban, the model of inclusive, competent, and transparent oversight embodied in the UK Huawei supervisory board is a good example" of options that governments might want to consider, says CCDCOE, a body of cybersecurity experts from 21 nations. "Such 'confidence building' and risk mitigation measures may, however, be accessible only to countries with extensive resources and expertise." 

The US government has prohibited the use of Huawei's technologies — including 5G — citing national security concerns over the company's alleged ties to China's government and intelligence apparatus.  

5G wireless technology supports much higher speeds than 4G, much better device connectivity, and reduced latencies. The technology is expected to enable a new set of next-generation applications and use cases in areas such as robotics, virtual reality, and smart cars.

Huawei has established itself as an early leader in the space and is the only company currently able to produce all of the elements of a 5G network, the CCDCOE report says. Its closest competitors — Nokia and Ericsson — don't yet have a viable alternative. Huawei and a handful of other Chinese telecommunications companies have been leaders in setting global standards for 5G and obtaining patents around the technology.

US officials have said that using Huawei's technologies — especially next-generation 5G network technology — could expose the country to espionage and spying by China's government and military. The US is now trying to get other Western nations to take a similar stance in banning the use of Huawei technologies.

Long-Standing Concerns
Fueling those concerns is China's long record of corporate espionage and intelligence-gathering activities against the US and other Western countries that it considers as economic and military rivals. Ninety percent of economic espionage incidents between 2011 and 2018 have involved China, CCDCOE says. Huawei itself has been directly accused of similar actions leading to the arrest of its CFO in Canada earlier this year.

Recent Chinese laws, including the National Intelligence Law of 2016 and the 2014 Counterintelligence Law, have exacerbated concerns by specifically requiring organizations like Huawei to cooperate with and support national intelligence activities, CCDCOE says. Such acts have raised considerable concerns about the ability of Chinese state actors to introduce backdoors in technology products from the country.

"Core communications networks constitute fundamental infrastructure and therefore are an essential national interest, bearing national security implications," the report says.

The fact that Huawei's 5G technology will be deployed for backbone communications networks means that it would become part of the core national communications infrastructure for any country. Governments should therefore approach any discussions involving the acquisition and use of 5G technologies from a national security perspective, rather than from a purely technological one, the NATO-affiliated body says.

Huawei itself has described the US government's stance as being motivated by geopolitical and economic rivalry. The company has accused the US of attempting to unfairly restrict its business; earlier this month, it filed a lawsuit in a Texas federal court challenging the constitutionality of the ban against the use of its products.

The US, though, is not the only country with concerns over Huawei's dominance in an area as critical as 5G networking. The CCDCOE report identifies other nations, such as the Czech Republic, Australia, Japan, and New Zealand, as imposing restrictions on the use of Huawei products.

Germany and other EU nations are considering similar restrictions. But they have not taken the step yet, citing the lack of conclusive evidence tying Huawei to the Chinese government or military. "There is growing appetite among EU member states and NATO allies on EU/NATO coordination in this matter," the report says.

But shutting the door entirely on cooperation with Huawei may backfire as well, the report warns. Such an action would potentially deprive industries in Europe and other regions of an opportunity to develop 5G services and leave development to be led by Chinese companies.

Ezra Gottheil, an analyst with Technology Business Research, says the US itself is unlikely to be hurt. "I don't think the US is in danger of falling behind in the use and development of 5G if it continues to ban Huawei," he says. "I think alternative vendors like Ericsson can deliver on 5G."

At the same time, US officials are preparing for the fact that many countries over the next few years will transition to 5G networks based on technologies from Huawei and other Chinese vendors. According to a Washington Post report Monday, US cybersecurity experts have begun discussing ways to use encryption, network segmentation, and stronger security standards to minimize risk to critical systems when connecting to networks based on 5G technology from Huawei and other Chinese vendors.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Strategist
4/16/2019 | 4:01:05 AM
Already in the market
It sounds like a fair deal to me since they are indeed able to provide the technology that is needed and they are already in the market. Since there is still an underlying concern over their security lapses, perhaps that component could be addressed separately so as not to disregard their credibility fully.
User Rank: Author
4/2/2019 | 1:49:29 PM
why not all vendors?
There are certainly reasonable grounds for concern over Huawei, but clearly, intentionally or not, vendors like Cisco are also at risk of compromise by their own governments. So stricter 3rd party oversight, testing and scrutiny like Huawei is facing are probably good things for any vendor in that space.
User Rank: Strategist
4/2/2019 | 10:02:27 AM
Sounds like they are playing dumb
When looking at the report from the UK, it looks an awful lot like Huawei might be introducing vulnerabilities on purpose while playing dumb and hoping no one notices. It sounds like their development process is to blame for this. So, either by design or due to bad development processes, the result is the same: Huawei products are likely to contain backdoors and vulnerabilities that could be exploited by not only the Chinese government, but any government who finds these vulnerabilities before the InfoSec community does.