How Much Sense Does the Huawei 5G Security Saga Make?

What American children refer to as “telephone” — the game in which players form a line or circle and whisper an increasingly distorted message to another — is called “Chinese whispers” in the United Kingdom.

The ongoing tussle between the Chinese networking behemoth Huawei and the U.S. government has parallels to this child’s game. It involves telecom infrastructure, which is an obvious reference to the American term for the game. The term “Chinese whispers” likely has roots in the 17th century, when Europeans struggled “to understand China’s culture and worldview” while Chinese historically stereotyped Westerners “as secretive or inscrutable,” according to the Wikipedia page describing the game.

In any event, there is a definite “he-said, she-said” dimension to the ongoing Huawei-5G-security narrative, which, in one corner, paints Huawei as a spy, and, in the other, as a victim. No matter what happens with the feud, the ramifications could be considerable for the architecture that supports 5G, IoT and smartphone communications across the world.

Huawei has sued the United States, claiming its government has unconstitutionally banned its equipment while also arguing the government officials are unfairly accusing the firm of building unsecured equipment. Chinese foreign minister Wang Yi has backed the lawsuit, praising the company for standing up to the U.S. ban and accusations about the insecurity of its equipment. (Chinese media has also released the children’s song “Huawei Beauty” intended to drum up domestic support for the company.)

Before the lawsuit was announced, the company’s current CEO, Guo Ping, said at MWC last month: “Huawei has a strong track record in security for three decades serving 3 billion people around the world. The U.S. accusation our 5G [technology is insecure] has no evidence.” Ping also vigorously denied that the company created backdoors in its products.

Conversely, the U.S. government alleged since at least 2012 that the Huawei poses a national and international security risk. A central premise of the U.S. government is that burden of proof lies with Huawei in demonstrating that its equipment is secure and that the company is not beholden to the Chinese government or its military.    

Potentially giving credence to U.S. government concerns is a U.K. report summarized by news outlets like The Wall Street Journal and The New York Times that concludes Huawei’s networking equipment has “significant” security problems.

But another perspective is that if Huawei equipment has major security flaws, as the U.K. report suggests, it would not make the firm unique. Ordinarily, a report that any firm has a lackadaisical security approach to cybersecurity would be something of a footnote. Adversaries routinely continue to target easy-to-exploit vulnerabilities such as weak credentials, unpatched software and the like.

Cisco, one of the nearest counterparts to Huawei, has reported 3,112 vulnerabilities associated with its products since the late 1990s. A total of 847 of those are cited as having a “high” or “critical” impact. Cisco’s products are said to have included a number of backdoors over the years.

The fact that many routers — from an array of manufacturers — have poor security is part of what fueled the Mirai malware attack that knocked prominent websites offline in late 2016. The malware has continued to mutate. Last year, a Mirai variant targeted routers from MikroTik, Ubiquity, Cisco and ZyXEL. Last year, Bloomberg published an exposé claiming that a unit of China’s People’s Liberation Army had compromised servers used by nearly 30 major U.S. companies including government contractors via a hardware-based attack.  

Chet Wisniewski, principal research scientist at Sophos is mystified by the Huawei-is-insecure storyline. “If I put my attacker hat on, I’m thinking: ‘I don’t really care which brand [of networking equipment] you have,’” Wisniewski said. “I’m in.”

Cybercriminals attacking telecommunication companies routinely target routers and other networking equipment. The problem is heightened by the difficulty of taking such gear offline to patch, given the criticality of the cellular networks they support.  

Wisniewski said if he were managing a telecommunications company, he would “make sure that things going into and out of [the networking equipment] are secure and not worry about the device.” If everything going into and coming out of the device is encrypted, the threat of an attack on the network’s confidentiality is minimized.

Attacks on the network’s availability are more of a concern. “At the federal government level, the warnings we’re seeing about Huawei, I think, are driven by a worry of denial of service,” Wisniewski said. The fear is that the emergency communication infrastructure in a given city can be exploited via a denial-of-service attack. “Much of such infrastructure relies on cellular infrastructure these days,” Wisniewski added. “With copper infrastructure, it was almost impossible to cause a denial-of-service–type thing, which was a great resilience for things like 911.”

The argument that Huawei is purposely putting back doors into its networking gear to provide surveillance data to the Chinese government or the PLA also gives Wisniewski pause. “For one, governments don’t put back doors in anything because that’s stupid because you get caught,” he said. And spies generally don’t get caught. “So if you’re a government, you’re going to booby trap something. You’re going to plant a vulnerability of some sort in the code that looks like an innocent mistake that only, you, hopefully, know about, and that nobody else discovers.”

If Huawei put back doors into its products, they could be exploited not just by China’s People’s Liberation Army but by NSA and other intelligence agencies across the world. “Those Huawei routers are being deployed throughout China’s infrastructure as well, not to mention their partners and the whole Belt and Road in Africa they’re doing,” Wisniewski pointed out. “So is that a net negative? Probably more of their stuff is being used in our adversarial countries than is being used in our friendly countries because we have more diversity in our networks than they typically do.”

But as Huawei, one of the largest networking firms and telecom equipment makers in the world, seeks to establish itself as a 5G and IoT heavyweight, the U.S. government has stepped up a campaign to dissuade allies from using the Chinese company’s equipment. Recently, the U.S. threatened to withhold intelligence from allies using Huawei gear. “If a country adopts [Huawei equipment] and puts it in some of their critical information systems, we won’t be able to share information with them, we won’t be able to work alongside them,” U.S. Secretary of State Mike Pompeo said in a February television interview.

European countries such as Germany, Italy and the United Kingdom have resisted a blanket ban on Huawei equipment. “There are two things I don’t believe in,” German Chancellor Angela Merkel recently said. “First, to discuss these very sensitive security questions publicly, and second, to exclude a company simply because it’s from a certain country.”

But the recent backlash against Huawei is serving to dampen its international growth plans. It already is active in more than 170 countries across the globe and had emerged as a leading maker of 5G equipment.

If the Chinese government asked for 5G data related to the company’s equipment, Huawei would conceivably be forced to disclose it, thanks to China’s 2017 National Intelligence Law, which requires Chinese corporations and citizens in China to cooperate with the nation’s intelligence efforts.

The company already had government and Chinese military links. Founded in 1987 by Ren Zhengfei, a former engineer in China’s People’s Liberation Army, Huawei has reportedly received significant support from the Chinese government, according to Richard McGregor, author of “The Party: The Secret World of China’s Communist Rulers.” On its website, Huawei stresses its independence from the Chinese government.

Dean Weber, chief technology officer at Mocana, said the potential for collaboration between Huawei and the Chinese government, is a valid concern. Imagine if Cisco had direct ties to NSA, he said. “What we’re talking about is the concern that if Huawei even gets 50 percent of the 5G world, and has the ability of the Chinese government to execute a strategy on those devices that would be counter Western interests, we’re in trouble because once the infrastructures is in place, it’s there,” Weber said. “It will be 6G before you get 5G replaced.”

“Let’s say the U.S. caught Huawei with their fingers in the cookie jar,” Weber said. “No matter what they do at this point, they’re in trouble with the United States government for having their fingers in the cookie jar. It doesn’t mean the U.S. hasn’t had their fingers in the cookie jar for years because we have. But that doesn’t mean we’re going to sponsor somebody else doing it.”