Why Believe Huawei’s Security Promises?

Guo Ping, the current Rotating Chairman of Huawei, gave a short speech at Mobile World Congress (MWC) on Tuesday. I originally thought his keynote was so lacking in useful information that it was not worth commenting upon, but now I realize I was wrong. That is because too many journalists repeated Guo’s words as if they must be true. So let me review what Guo said, whilst providing slightly more analysis than the kind of repetition which could have been offered by a parrot.

Huawei Makes Good Tech and their 5G Is Really Fast

Guo made a strong case for buying Huawei equipment. They make stuff that works (and they sell it at a good price). Their 5G is fast. Guo indulged some false modesty by observing that science and tech website Zealer had recently reported that Huawei’s 5G is 20 times faster than that found in the USA, although real-world circumstances mean users would not enjoy quite such impressive speed.

I can hardly blame Guo for boasting. His claims about performance can be independently verified. That is why they are uninteresting: nobody needs to travel to Barcelona to learn that Huawei has taken the lead in manufacturing mobile network equipment. A European Commission study of global research and development expenditure found only four companies outspent Huawei last year (you can download the EC’s figures from here). Huawei’s USD15bn R&D budget was more than double that of Nokia or Qualcomm, and more than triple that of Ericsson. If there is a debate about mobile industry leadership to be held in Barcelona, it should involve Europeans and Americans discussing why they have fallen so far behind.

Huawei Can Be Trusted(?)

It is easy to understand why Guo took a crack at widespread American use of electronic network surveillance, referring to the NSA’s PRISM surveillance program, whose existence was first made public by Edward Snowden.

“Prism, Prism on the wall, who is the most trustworthy of them all?”

What strikes me as facile about the public debate is the notion that if Americans are caught lying this must show that Chinese promises are reliable. Is that not rather evidence that we should suspect everyone of abusing networks for surveillance?

“Here, let me say this as clear as possible, Huawei has not and will never plant backdoors. And we will never allow anyone to do so in our equipment.”

I hope that is true. But if it is false, would we expect the boss of Huawei to stand on stage at Barcelona and tell the world that they may plant backdoors from time to time?

“The US security accusations on our 5G has no evidence. Nothing.”

The speed of a 5G network can be independently proven. The non-existence of backdoors cannot be proven. All that can be said is that no backdoors have been discovered yet. Or perhaps they have been discovered, but comms spies have their own reasons not to share what they know.

What we do know about Huawei is that one of their engineers literally stole a robotic arm from T-Mobile USA and their legal defense will assert that he was a rogue employee who was not following company instructions. Huawei’s lawyers would deploy the same kind of argument if a backdoor was ever found in their network technology, not least because they have more than 180,000 employees. If Guo wanted to provide useful assurances he should have discussed how his company will monitor the integrity of its own employees, but he did not do that. His promises hence have the same worth as a Volkswagen executive reading the successful results of their diesel emissions tests.

Making Telcos Responsible for Security

The lamentably inept analysis provided by some other writers failed to emphasize the importance of the following statements by Guo:

“As vendors, we don’t operate carrier networks, and we don’t own carrier data.”

“Carriers are responsible for the secure operations of their own networks.”

“For internal threats, carriers can manage, monitor, and audit all vendors and partners to make sure their network elements are secure.”

Guo repeatedly used his limited time on stage to shift the burden of security to others. He observed how regulators and telcos are also responsible for security, when nobody was asking him to comment on whether regulators and telcos were doing a good job. He said vendors should comply with standards, when the reality is that compliance with a security standard is a minimum requirement, and nothing should prevent vendors from exceeding standards when it is in the public interest to do so. There is no assurance gained by listening to the boss of Huawei repeatedly talking about what everyone but Huawei should do.

I fear the seriousness of these issues may be lost on a simplistic anti-Trump segment of the media who want to portray every topic as a cartoon fight between the Trump administration and the rest of the world. Hostility to Trump is the only explanation I can find for the bizarre claim, made by some, that the EU and Vodafone showed ‘support’ for Huawei. This seems to be a terribly ignorant misreading of what is happening in the telecoms industry. If Vodafone was taking Huawei’s side they would not have suspended the use of Huawei equipment in core networks. And the MWC speech made by European Commissioner Mariya Gabriel was so vacuous that it said nothing at all.

Some people’s obsession with Trump leads them to a peculiar interpretation of what businesspeople are saying. It makes perfect sense for Nick Read, CEO of Vodafone, to demand the Americans supply evidence of any vulnerabilities in Huawei tech. That is because, contrary to Guo’s speech, telcos do not want to be liable for unidentified backdoors in a Huawei network any more than airlines want to be liable if there is a hidden but fatal flaw in the design of a Boeing jet. Telcos would be quite happy to see the security costs be passed to governments, whilst governments want to pass the costs to anyone but themselves, and this is the combination of factors which explains why the EU keeps stalling for time.

The challenge of identifying backdoors should not be dismissed because some people dislike the current US President. Last year the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) issued a report that highlighted how gaps in its knowledge meant it could not be sure if Huawei tech was compromised. HCSEC is a well-funded, highly-experienced body of professionals overseen by government-appointed experts. They have only one job to do. If they literally cannot tell if Huawei’s technology is secure, then we should not be flippant about expecting others to do the same.

Guo did a good job fostering lots of positive press for Huawei. He showed himself to be a shrewd businessman and communicator, who persuaded credulous journalists to repeat his ‘no backdoor’ pledge. Guo succeeded without needing to promise anything that would further demonstrate the security of his company’s products. One way to address security concerns is to make Huawei cover the cost of rigorously auditing their products. Guo understands aspects of the telecoms industry that others choose to ignore, and especially the extent to which everyone likes to pass the buck, rather than paying the bill for security.

Telcos need to defend themselves by managing expectations more effectively than they have done so far. Does any regular reader of Commsrisk feel confident that telcos can be relied upon to monitor, audit and identify the kinds of backdoors that Huawei might put into a network? Many telcos claim they cannot afford relatively trivial amounts of spending on basic forms of assurance. Telcos variously admit that they do not know what network equipment they own, cannot identify manipulated traffic on their network, cannot tell who is defrauding them, and do not know how much their customers should pay them. So would you feel confident with relying on telcos to manage, monitor and audit the security of network elements made by Huawei?

You can read the transcript of Guo Ping’s speech here, and Huawei’s reiteration of its contents here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.