What Do We Do with Huawei?

A recently unsealed indictment of Chinese telecoms equipment manufacturer Huawei accuses them of literally stealing robot technology from T-Mobile USA:

On or about May 29, 2013, a HUAWEI CHINA engineer emailed A.X. and copied other HUAWEI CHINA engineers who were working on the xDeviceRobot project… The HUAWEI CHINA engineer asked A.X. to determine the diameter of a part of Tappy’s robot arm; specifically, the end tip of the conductor stick.

Later on May 29, 2013, A.X. used his badge to access the T-Mobile Tappy laboratory. As he was preparing to leave the laboratory, A.X. surreptitiously placed one of the Tappy robot arms into his laptop bag and secretly removed it from the laboratory. T-Mobile employees discovered the theft later that day, and contacted A.X. A.X. initially falsely denied taking the robot arm, but then later claimed he had found it in his bag.

Stories about Chinese firms stealing intellectual property are hardly new. One old friend of mine told me about a time he was trying to sell his company’s software in China. To avoid software piracy his business had implemented a system where the software would only run in conjunction with a particular dongle. But the would-be intellectual property thieves responded in the most straightforward fashion possible: they phoned him and asked for advice on how to hack the dongle. What lifts the Huawei crisis to a new level is the extent of their market share and the degree to which telcos have already become dependent on Huawei’s equipment. The indictment involving T-Mobile recounts incident after incident after incident where Huawei staff attempted to steal T-Mobile’s secrets. In each case the offending staff were told off or had further restrictions placed upon them, but T-Mobile seemingly were unprepared to sever their contract with Huawei. This is the level of complacency within businesses that has led the US government to get involved.

One riposte is that the Trump administration is picking fights with China that previous administrations would have avoided. There may be some truth to this, but Trump has not invented a time machine so he could incriminate Huawei engineers accused of stealing tech from T-Mobile in 2013. Nor is Trump responsible for Oxford University deciding not to receive further research funding from Huawei.

Arguments about politicization of trade with Huawei are strongest when they involve government bans of Huawei technology, as has occurred in Australia, New Zealand, Czechia and the USA. There is less evidence of political interference in other situations where Huawei has been deemed unsafe to use. For example, British incumbent operator BT has been removing Huawei equipment from its core mobile network even though the UK government has a long-standing agreement with Huawei where a seemingly independent (but Huawei-funded) body verifies that Huawei equipment is secure. Last year this latter body, the Huawei Cyber Security Evaluation Centre (HCSEC), did issue a report which identified security risks for the first time in its history, but these were too nebulous to justify a major reversal on the use of Huawei tech.

The telecoms industry has entered a period of strategic uncertainty. Irrespective of decisions made by specific companies or countries, it is possible for the USA to impose sanctions of a similar type to those that previously brought ZTE to its knees. Some will calculate that installing Huawei networks is foolish if the US government can effectively stop those networks from being maintained. Others may simply look at the low price tag for Huawei 5G tech and decide they would prefer to rely on the Chinese than the Americans. High levels of Chinese investment in several parts of the world, including Africa, will lead some nations to look East and embrace better mobile tech rather than fretting about security or appeasing the US.

Though the mainstream media bundles them all together, the concerns surrounding Huawei relate to several distinct threats. One involves the outright theft of technology, as exemplified by the robotic arm stolen from T-Mobile USA. Another involves dependency on networks which could be switched off or disrupted if there was an international conflict involving China. A third involves espionage in general, with networks gathering huge amounts of data about millions of people and potentially being used for targeted 24/7 surveillance of specific individuals. Whilst journalists may lump these dangers together, at least they draw attention to them, which cannot be said for much of the telecoms industry.

It is understandable that private sector businesses prefer to let national governments do the heavy lifting when it comes to security, but how long can telcos and industry bodies ignore the risks of working with Huawei when institutions as varied as Oxford University and New Zealand’s Government Communications Security Bureau are saying Huawei cannot be trusted? The European Union is struggling to decide how to respond, with the German government seemingly backing Deutsche Telekom’s desire for the cheapest possible network equipment even though two European businesses – Nokia and Ericsson – have much to gain from Huawei being shut out of 5G procurement.

Meanwhile the GSM Association has also been reluctant to adopt a meaningful position on the security and privacy risks of using Huawei tech. This time last year Huawei was hailing the eight awards it received from the GSMA, including the award for outstanding contribution to the mobile industry. Mobile World Congress is the GSMA’s centerpiece event and biggest money-spinner, and one of the themes for this year’s show will be ‘Digital Trust’:

Recent scandals have eroded trust in the digital ecosystem. Coupled with the growing introduction and interest in legislation around privacy and the ethics of data usage as we enter the AI era, we are at a pivotal juncture in the evolution of the Internet. Digital trust analyses the growing responsibilities required to create the right balance with consumers, governments and regulators.

How do they keep a straight face whilst simultaneously taking money from Huawei as the ‘attendee lanyard sponsor’ for the entire event? And what exactly is the remit of the GSMA’s Fraud and Security Group? Their stated purpose is to…

…drive the industry’s management of fraud and security matters related to GSM technology, networks and services, with the objective to maintain or increase the protection of mobile operator technology and infrastructure and customer identity, security and privacy such that the industry’s reputation stays strong and mobile operators remain trusted partners in the ecosystem.

How can they be driving security whilst ignoring the fact that big telcos including Vodafone and BT are retreating from Huawei tech because of security concerns? In what sense are they protecting the industry’s reputation by having nothing to say about Huawei at a time when Huawei’s 5G network technology is being described as an unacceptable security risk by journalists across the Western world? Thankfully the GSMA’s leadership has finally mustered enough courage to propose an internal conversation about the issues surrounding Huawei, with Reuters reporting that GSMA Director General Mats Granryd has asked for the topic to be discussed at their next board meeting. This meeting is scheduled to be held alongside Mobile World Congress, during the final week of February.

None of this analysis should be taken as criticism of a particular race or nationality, because corporate ethics are ultimately the responsibility of corporate bodies, irrespective of the birthplace or skin color of their employees. Huawei might have some cultural characteristics that are different to those found in other companies, such as physical exercises for trainees, as photographed above. Honesty, however, is prized the world over. We all know that stealing a robot arm is wrong, and we all know that spying on a neighbor is wrong. Greed and the lust for power may blind corporate executives and politicians to the truth, but they cannot reverse universal morality. If Huawei discourages bad behavior, then staff are more likely to behave well. But if they encourage immoral actions, then all are at risk, and some of us need to take a stand, even if bodies like the GSMA prefer not to.

It is at this point that I reflect on the number of Commsrisk readers who may not have reached this paragraph of the article, having already concluded it is not relevant for the work they do. I can only shake my head, and wonder at their naivety. Is there anybody reading this who has not, at some point, had superior access to data about customers, and the calls they make? A company that is willing to steal a robotic arm may also be prepared to steal a CDR. Huawei’s range of offerings extends far beyond handsets and 5G network equipment, and also includes BSS systems. There are former employees of Huawei who now work for other businesses with access to huge amounts of data which could be abused – should we assume that Huawei can no longer influence them, just because they changed their employer?

As illustrated by the theft of T-Mobile’s robot arm, there is widespread complacency about security, and many prefer to hope for the best instead of taking decisive action to prevent wrongdoing. Such naivety begs the question of whether functions that have significant access to data, such as RAFM teams, need to be more closely supervised by security professionals. We should also be asking whether the purchase of networking and business support systems should be subject to greater review by the telco’s Chief Information Security Officer, or by another c-level executive whose primary focus is managing risk rather than increasing profits.

I do not know how the world will respond to the seeming threat posed by Huawei’s technology. Perhaps Huawei will do more to show they can be trusted. Perhaps the fears of the US government will dominate, with most other governments choosing to follow their lead. Perhaps the prevarication of the Germans will become the international norm, with governments lying to voters about having the cheapest possible networks and the most robust security. Or perhaps the world will split into two irreconcilable camps, with some shunning Huawei and others preferring the economic advantages that will accrue from a cheaper and ultimately more extensive roll-out of high-speed mobile data network coverage. But whatever decisions are made, and whether people choose the truth or prefer the lies, we cannot go on pretending that Huawei is just another supplier like any other.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.