Tuesday, June 08, 2021

Huawei Dares Critics to Prove Security Vulnerabilities

Huawei today opened its largest cybersecurity center to date in a bid to revitalize its thus far failing effort to convince skeptics that data traversing its equipment and services is not susceptible to espionage. The new Global Cyber Security and Privacy Protection Transparency Center in Dongguan, China, is the seventh and largest facility of this type to date for Huawei. The vendor hasn’t moved the needle much on how its technology is perceived by governments and security practitioners that claim Huawei is beholden to the Chinese government and its military, but it’s holding out hope that a seventh testing center and related efforts could change the paradigm.
Huawei has consistently and repeatedly dismissed any notion that its network equipment and software provides a back door for Chinese spies to monitor traffic. But many Western governments are holding firm on laws and other mechanisms that have been enacted to ban the use of Huawei equipment within their respective borders. Despite those blockades, Huawei still operates in 170 countries. It is the world’s largest supplier of radio access network (RAN) equipment, and it has business with about 1,500 network operators. The company said it has more than 3,000 security professionals on staff and that it allocates about 5% of its research and development spend, almost $1 billion last year, to boost the security stature of its products. The Chinese juggernaut also today released a “Product Security Baseline,” which it describes as its first public disclosure of its product security baseline framework and management practices.
The new center, similar to those established in other countries, will look at all of Huawei’s products, including those for cloud computing, enterprises, and telecommunications infrastructure, John Suffolk, SVP and global chief security officer at Huawei, said during a briefing with journalists. “We look to the center to apply the same security baseline to all of our products where that baseline is applicable to that particular hardware,” he said.
Huawei also said it invites researchers, customers, and government regulators to visit its centers to test and verify the security stature of its products. Several thousand people visit these centers each year, according to Suffolk, including the U.K. government’s former CIO and CISO.
The company maintains that these centers are an effective olive branch, a willingness to open its doors to anyone that wants to take a deep dive into its technology to independently determine if its products or services are susceptible to security threats in any form. “We just say bring who you want, bring your best experts, bring third parties, bring your tools, use our tools, stay as long as you want. We’re happy to shove food under the door for you, and as much as you can drink, and you can stay there for as long as you want to verify our products,” Suffolk said.
“Play around with the code, check for all sorts of things. It’s what we call the many eyes and the many hands. The more people looking, the more people touching, the more likely we’ll all find the truth,” he added. “We don’t determine how a third party or a customer will test our product. … What they do is up to them. We often do not have any visibility of what is going on.” Huawei is trying to strike a balance. It is both outraged by claims that it is acting as a global spying apparatus for the Chinese government and willing to give its critics unrestricted access to test and prove those allegations independently.
It’s also sprinkling in a little bit of humility in a bid to endear itself to those that don’t trust Huawei or its technology.
“There’s no company in the world that has all the answers to cybersecurity,” Suffolk said. That view also carries over to security standards because there’s no global agreement or broad compliance with many standards, he added. “The problem with standards is they’re not standard,” Suffolk said, adding that Europe, the United States, and China don’t agree on security standards, nor do they accept standards enacted in those countries or others. “We don’t need more standards. We need to coalesce down to the core things that all technology should be able to do. So in this context, less is more,” he said. “Our global objective is to improve the base security and capability of a product and then use the management standards to improve the execution of those products and services,” Suffolk said. Instead of arguing about standards or trying to reach consensus on specific requirements, there needs to be a greater focus on the core activities of technology, and a widely accepted view of what is good and what isn’t, he added.
“There are very, very good frameworks out there, but the issue is someone’s got to ask you to comply with it and someone’s got to be able to validate that you’re compliant,” he said. “When I look across our 1,500 carriers around the world here, very few people go into that level of detail. What they’re looking for is the outcome of a network design, they’re not looking for the inputs of a network design.” Security standards are helpful, but “they’re not our savior,” Suffolk added. Governments have the resources to put these goals into action, but they are lazy and standards are a lazy mechanism to achieve compliance, he argued, adding that more emphasis should be placed on practical steps that can be taken today such as two-factor authentication.
Huawei believes global society and technology are at an inflection point, Suffolk said during prepared remarks at the opening of the new center. “It is not security or privacy that will get in the way of this. That’s not the challenge for us. A challenge of progress is fear — fear of the unknown,” he said.
There is also a “fear of difference. The world is different. Countries are different. Values are different. Beliefs are different. East and west are different. That fear creates mental and physical roadblocks,” Suffolk said.
Fear also in this context manifests itself among some of Huawei’s competitors and some governments, he added. A “fear to declare to the world our products were not good enough, and design was not good enough, and testing was not good enough. Or fear in some countries of not being No. 1. If I can’t be No. 1 in the product and services, then I will find other ways of stopping my competitors to make progress,” Suffolk concluded.
