Huawei cyber vulnerabilities

Second half of the article talks about excluded vendors, and adds some colour (and a little hair) to the picture …

“Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.

“But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network,” Burgess continued.

“In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.

At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks,” Burgess said.

The comments add a new layer of context to the decision by the government to exclude the Chinese suppliers that came on the last day of Malcolm Turnbull’s Prime Ministership.

“5G technology will underpin the communications that Australians rely on every day, from our health systems and the potential applications of remote surgery, to self-driving cars and through to the operation of our power and water supply,” Burgess said.

“The stakes could not be higher.”

Sounds like a risk trade-off of quantity (limiting) over quality …

4 Likes

Interesting commentary on how 5G technology is expected to be pivotal.

In a previous work life one of our key risks was the potential for plant and equipment control systems to be hacked or compromised. These systems were until quite recently (ten years prior) rigorously separated from business/commercial and external networks.

Gradually the ability of more sophisticated systems to be monitored and controlled from afar, typically using SCADA technology, has become commonplace. These systems often also share access with other business systems over more general Ethernet and wireless linked networking.

There may be a lot more at risk than privacy and bank account details if future networks develop as suggested. :thinking:

However if Huawei is a concern, how can any one be sure their competitors are dependable and secure?

3 Likes

I think stories like this are often like icebergs. Consider the implications of what is known, then the implications of what is not common knowledge, either becoming known, or even just that the knowledge itself is known, becoming known. How deep the rabbit hole goes. I guess it isn’t knowledge if it’s not known, but you get the idea.

I reckon there would be a few people working ‘the issues’ …

The first three things on any list of must-haves for a secure system - air gap, air gap, air gap - then there’s list items four through twenty-something of other externalities - before getting to system, network and device intrinsics … it’s a fun game as you and many others I suspect know :wink:

4 Likes

Huawei continues to pop up in the news as the Americans worry; Australia has dutifully saluted.

My cynical nature is beginning to think the real problem with Huawei is that their products are at or above the top of the US manufacturers (or ‘friendlies’) and the US government will not tolerate that as a matter of national security or maintaining its commercial interests.

My suspicion is fuelled by being involved in a trade dispute in the 1990s whereby the underlying issue was a foreign manufacturer had a very high end computer product well beyond what the US manufacturer could produce; by banning the foreign product from the US through punitive taxation its potential market was less than halved. The goal was pushing the foreign vendor out of that business. It worked. It also set a certain US science back about 5 years since they could not get access, but that was another topic.

At the same time the US government poured its money into a competing technology and ‘changed the market’ to one it could win. 20 years later China is pushing the US aside as both a response to the US as well as flexing its own expertise in developing state of the art.

This thing about Huawei smells quite similar to me, excepting the US cannot change the communications market but they can severely handicap players. Research the company and products vis a vis those from the US and make up your own mind what it is probably about. Security? or dominance?

5 Likes

I’m not sure the logical operator needs to be ‘or’. The question of primary intended outcome ‘and’ welcome by-product might be part of the answer … ‘or’ ‘not’ :joy::rofl::joy::rofl:

4 Likes

6 posts were split to a new topic: BYO Routers Not Allowed for VOIP by Some RSPs

Something of which I was ignorant until just now. I have an old Y300 that I wanted to play around with and so began researching ‘rooting’ options. Huawei, it turns out, has locked their bootloaders. They used to provide unlock codes on request, but that stopped several months ago.

Among other things, unlocking allows the knowledgeable to poke around a phone’s innards.
[paranoia mode]
What is Huawei hiding?

2 Likes

Could be something, or just as likely the code that causes them to be accused of recognising benchmarks and upping performance and power drain to get that performance. So many possibilities, including just a new ‘policy’ so they no longer have to deal with code requests. Another possibility is they are simply wanting to protect their so-called AI component.

3 Likes

Some interesting bedtime reading …

Highlighting mine…

  1. The Oversight Board has now completed its fifth full year of work. In doing so it has covered several areas of HCSEC’s work over the course of the year. The full details of this work are set out in Part II of this report. In this summary, the main highlights are:
     i. New secure premises for HCSEC completed - the previously reported acquisition of new premises for HCSEC had experienced some commercial delays, but has now completed successfully and the new facilities are fully operational;
     ii. The NCSC Technical Competence Review found that the capability of HCSEC has improved in 2018, and the quality of staff has not diminished, meaning that technical work relevant to the overall mitigation strategy can be performed at scale and with high quality;
     iii. The fifth independent audit of HCSEC’s ability to operate independently of Huawei HQ has been completed, with – again – no high or medium priority findings. The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the company;
     iv. Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks;
     v. No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.

… and …

  1. The key conclusions from the Oversight Board’s fifth year of work are:
     i. In 2018, HCSEC fulfilled its obligations in respect of the provision of software engineering and cyber security assurance artefacts to the NCSC and the UK operators as part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical networks;
     ii. However, as reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation;
     iii. No material progress has been made on the issues raised in the previous 2018 report;
     iv. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK;
     v. The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated;
     vi. At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC;
     vii. Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.

… of course there is a response from Huawei …

https://huawei.eu/media-centre/press-releases/statement-huawei-huawei-cyber-security-evaluation-centre-hcsec-oversight

… putting a rather different emphasis on the report to how I read it.

The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.”

The 2019 OB report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Fun times indeed …

2 Likes

The statement in the report “NCSC does not believe that the defects identified are a result of Chinese state interference” seems to reflect more on the ability, or perhaps better said inability, of the Huawei company to produce good code and sustain a level of good practice.

4 Likes

While OT, about 40 years back the Japanese manufacturers (Fujitsu, NEC, Hitachi) got access to IBM’s mainframe OS source. It set Japanese software technology back at least a decade. Maybe Huawei got a copy too?

5 Likes

That’s funny … I wonder if IBM’s source has changed much in 40 years? Probably not, all in the name of stability … HP-UX is much the same, buy other people’s tech and watch it walk out the door when you sacrifice progress for ‘stability’ … it’s made HP what it is today, four separate companies - three of which holding hands as they spiral down the S-bend while the fourth makes bucket loads selling PCs and ‘Ink’ … There’s conspiracy, and then there is utter ineptitude …

2 Likes

The plot thickens …

https://orgchart.mit.edu/node/27/letters_to_community/new-review-process-elevated-risk-international-proposals

Or just cold feet?

NOTE: At this time, based on this enhanced review, MIT is not accepting new engagements or renewing existing ones with Huawei and ZTE or their respective subsidiaries due to federal investigations regarding violations of sanction restrictions. The Institute will revisit collaborations with these entities as circumstances dictate.

3 Likes

The US has sanctions on so many countries it’s probably hard for companies to keep track of them! In fact, it has sanctions/tariffs on Chinese imports at the moment, so…

Off topic: why is it that one country imposes sanctions based upon its own messed-up internal politicking and the rest of the world is expected to follow?

4 Likes

It’s all fairly clear within the circles that need to know. Sometimes the reasoning is not divulged, because the reason might expose the threat - not all threats can so easily be advertised. Such is the nature of threats …

There are a range of reasons sanctions are imposed - from what I have seen it is very often a construction of an ill informed (by virtue of the nature of these issues) press that things like sanctions are ascribed to mere politics. Maybe sometimes it actually is, but in my experience there is more often than not (by a long shot) a defined need that is not obvious to someone buying ‘The Sun’ to make their judgement :wink:

Said country doesn’t ‘expect’ others to follow, but if you want to share the oranges at half time, you need to be on the same team …

2 Likes

The political will of the US government - but you know, and you know I know you know.

Subservience is what it is, and has its rewards, so long as one remains subservient in the proper manner. As with swing seats, sometimes not being blindly subservient has its advantages also.

3 Likes

Because they can. For example ours is a country that has sacrificed its self interest for the US position 100% of the time since WWII.

1 Like

Threats can indeed be political, economic, or military, and some countries classify all of the choices at the same level.

1 Like

But did you know that I knew you knew I knew you knew?

1 Like

… if we have swung higher, it is because we’ve swung on the swings of giants …

Maybe we’ve got further to fall when the swing breaks though, just keep swinging … My personal view is that Australia is not typically being blindly subservient, maybe not always totally informed, but that works both ways as well …

I don’t believe it’s anything like 100% either in the context of this topic or generally - my perception is that political point-scoring is attempted/made of us agreeing our positions are the same by often making it look like we didn’t stand our ground. It seems often the case that the people scoring and defending said points may not be completely informed - certainly it is the case that what we have left of journalism in this country is not completely informed, sometimes not informed at all. In the context of this topic, often even just knowing some knowledge of something is out there is dangerous - that some scant knowledge of the Huawei issues is generally known is actually far more surprising than the fact issues exist - probably only because the brand is so (potentially) pervasive in a popular consumer market (namely the zombification of the masses through smartphone and internet tech :wink: ).

It’s not inconceivable one could lead to the next … hypothetically of course :wink:

no :rofl:

2 Likes