Is Huawei a National Security Proxy for China?

Much has been made of recent pronouncements in both the U.S. and the U.K. concerning whether the Chinese telecommunications giant Huawei is a national security threat.

On the one hand, we have the U.K.’s Huawei Cyber Security Evaluation Center (HCSEC) Oversight Board issuing a report in late-March to the U.K.’s National Security Adviser. Within the report, the HCSEC identified “significant technical issues” within “Huawei’s engineering processes, leading to new risks in the U.K. telecommunications networks.” Furthermore, the report highlights the lack of progress in the mitigation of issues identified in a similar report from the HCSEC to the National Security Adviser in 2018.

On the other we have the U.S. intelligence and defense communities declaring Huawei to be a risk to the nation’s infrastructure should Huawei’s 5G equipment be installed.  The U.S. is urging countries to prohibit Huawei’s participation in their 5G buildouts. Some have aligned with the U.S., while others have gone in the opposite direction.

HCSEC Report on Huawei

In rather stark terms, the HCSEC notes that “it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.”

The HCSEC noted it has little confidence that Huawei has the technological acumen to address its product defects. A key issue appears to be that the defects are preventing the HCSEC from determining whether the “source code examined” is “that used to build the binaries in the UK networks.”—thus signaling to the National Security Adviser that the potential for a bait and switch is possible and may not be detectable.

Claroty

Huawei continues to use both an aging operating system and processes and procedures, which gives the HCSEC great pause and concern “about the time elapsed since discovery of this issue without a credible plan being presented,” according to the report. The HCSEC then eviscerated Huawei’s lifecycle management of the “software component as presenting significant cyber security and availability risks.”

The HCSEC concluded that the shortcomings are not “a result of Chinese state interference.”

UK Surprises

Then, on April 24, the U.K. surprised all with change in economic diplomacy, approving Huawei to be a part of the U.K.’s 5G network buildout. However, Huawei’s participation was restricted to “noncore” portions of the network. While not explicitly defined, it is expected that this will be similar to the level of participation which Huawei currently enjoys within the U.K.’s 4G network.

Huawei and Chinese Government Respond

Huawei’s response to the HCSEC report took a conciliatory tone, acknowledging its software engineering capabilities with the statement, “We understand these concerns and take them very seriously.” Huawei agreed with HCSEC that the function of the oversight board is working, pledging $2 billion to upgrade the Huawei software engineering capabilities.

With respect to the U.S. government admonishments on the cyber and espionage threat posed by Huawei, Deputy Chairman of the Board and Rotating Chairman of Huawei Guo Ping was quoted by the Financial Times as saying, “The U.S. government has a loser’s attitude. They want to smear Huawei because they can’t compete with us.”

Many more chapters remain regarding the Huawei-Chinese government relationship and how those using Huawei’s products may be placing their country’s infrastructure at risk.

Christopher Burgess

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 186 posts and counting.See all posts by burgesschristopher

Application Security Check Up