Chinese telecoms manufacturer Huawei has opened its ‘largest’ Global Cyber Security and Privacy Protection Transparency Center. The announcement was typically long on platitudes and geopolitical virtue signaling whilst short on details such as how large the center is or what actual work will be done there. Hu Houkun, the current Rotating Chairman of Huawei, observed:
As an industry, we need to work together, share best practices, and build our collective capabilities in governance, standards, technology, and verification. We need to give both the general public and regulators a reason to trust in the security of the products and services they use on a daily basis. Together, we can strike the right balance between security and development in an increasingly digital world.
To be candid, if Hu had spouted such vacuous drivel on RAG TV then I would have threatened to throw him off the show. My career has involved decades of listening to repeated clichés about working together and best practices. I would be a lousy risk professional if I ever let them influence my judgment.
Sometimes the clichés come from well-meaning people but the emptiness of this kind of rhetoric means it is just as likely to be deployed by charlatans. When somebody opens a transparency center then I expect to learn something new as a result. Or to be truthful, I expect the opposite, because the likeliest reason for opening a transparency center is to generate some positive political and marketing buzz, but without making any of the concessions involved in being more transparent. Huawei has been repeating the same phrases about international cooperation for many years. Nobody needs to hear another Huawei sermon about what other people should be doing. The purpose of a transparency center should be to tell other people what Huawei is doing.
The low-information unveiling of Huawei’s transparency center was bolstered by the simultaneous publication of the Huawei Product Security Baseline. This remarkably thin document is a collection of platitudes, including:
In many countries, users’ communication content is protected by law. Huawei strictly complies with industry-wide security standards in product design to ensure communication data security.
Security hardening is performed on products by configuring security features and functions, installing patches, and removing or disabling unnecessary services, to improve product security and anti-attack capabilities.
Huawei will obey national laws. Huawei patches products. What could anybody learn from assertions like these? Or to put it another way, does anybody think a business might ever say the opposite?
The opening of Huawei’s transparency center was bolstered by flying in some ~~useful idiots~~ influential individuals to impartially explain why Huawei is at the forefront of corporate virtue. In particular, the speech of Mats Granryd, Director General of the GSMA, either demonstrated the strength of Huawei’s commitment to the GSMA-backed NESAS security assurance framework, or the GSMA’s desperate need for Huawei’s money, depending on your perspective.
The delivery of existing and new services in the 5G era will rely heavily on the connectivity provided by mobile networks and will fundamentally depend on the underlying technology being secure and trusted.
If the Director General of the GSMA really believes this then our industry is being led by gullible empty-headed fools. To begin with, it is a truism to assert that 5G services will be based on mobile networks. But then it is false to say delivery of services depends on technology being secure and trusted. SS7 is not secure. Facebook is not trusted. There are many examples of comms technologies that were actually delivered, and actually used by the public, despite the technology being neither secure nor trusted. I will doubtless roam on a Huawei 5G network at some unknown time in the future, which only proves that even the most privacy-conscious users accept compromises every day. The world has seen too many auditing scandals, ranging from the collapse of WorldCom to the cheating of emissions tests by German car manufacturers, to naively believe that audits like NESAS cannot be corrupted. This leads me to believe Granryd should spend more time explaining why the GSMA can be trusted before he starts praising the incorruptibility of businesses that sponsor the GSMA.
Infamous short-seller Jim Chanos said last year that “we are in the Golden Age of fraud” not long after he shorted Luckin Coffee, the Chinese equivalent of Starbucks. Chanos was subsequently proven right when Luckin Coffee was found guilty of the largest accounting fraud ever committed by a Chinese firm listed on Wall Street. A growing number of scandals involving Chinese firms has not led the Chinese government to remove obstacles to foreign regulators that want to check the books of Chinese-owned but foreign-listed businesses. I would much rather see national agencies act in an unfettered way to protect citizens in each country precisely because unelected rulers like the Chinese Communist Party use international accords as a way of limiting transparency whilst simultaneously being able to claim they are champions of best practice.
Huawei has already suffered many blows from national authorities that have banned its 5G equipment and other technology. They are still fighting to compete as widely as possible, though more markets are being closed to them as governments assess the security implications of 5G upgrades. A recent success in being given conditional approval to sell to Vodafone Italy must be weighed against new bans in Romania and the Netherlands. India excluded Huawei from manufacturers allowed to conduct 5G trials, and the Biden administration is likely to persuade the United Arab Emirates to dump Huawei if they want to buy the latest American jet fighters.
Many governments will also be keeping a keen eye on the trial of a former Huawei employee accused of spying on Poland. Per Reuters:
Polish prosecutors allege that Wang Weijing, 39, using the cover of being a Huawei executive, spent more than seven years spying for China trying to bolster the company’s ability to influence the Polish government and “enable it to… manage the state… technology infrastructure”, court documents show.
Why would a Chinese spy spend seven years trying to influence the choice of technology used for a foreign country’s communications infrastructure if Chinese manufacturers make transparent products that cannot be subverted by spies? Huawei has followed the same approach in this Polish scandal as they have in other cases where Huawei employees have been charged with espionage or intellectual property theft. They fired the employee immediately, without waiting for the outcome of the trial, but still paid his legal fees. This is the combination of choices taken by a business that cares more about public relations than transparently seeking the truth.
Telecoms is a truly global business, and that means anyone working in telecoms will sometimes have to deal with individuals and companies with dubious ethics. However, acknowledging and being realistic about the spectrum of behavior from impeccably good to unconscionably evil is not an excuse for never drawing a line and never taking a stand. Huawei should be applauded if they want to transparently demonstrate their commitment to protecting the privacy of users. However, transparency involves divulging valuable information, not making hollow speeches full of comfortable clichés. Hu Houkun spoke of the need to give the general public “a reason to trust in the security of the products and services they use on a daily basis”. To do that requires more than posturing.
Huawei engineers have interfered in democratic elections in Africa and have been caught stealing technology from a US telco; their management team failed to implement improvements after issues were repeatedly raised by UK security audits; and one of their team is now on trial for trying to subvert the national security of Poland. Against this, Huawei can show the general public that they have built their largest ever transparency center, they can get people with important-sounding job titles to make complimentary speeches, and they have plenty of support from bloggers and social media influencers who lack any apparent source of income but who spend plenty of time saying Huawei’s critics must all be corrupt racists. The bosses of Huawei may believe their public relations assets will guarantee an increase in public trust of their business. I find their public relations strategy makes me even more suspicious.