It’s My Way or the Huawei
It’s My Way or the Huawei by Russell Bennett
[This is an executive summary of a new article available from UC Insights: “It’s My Way or the Huawei: The security implications of sourcing critical communications infrastructure in a globalized world.”]
A few months ago, I read an article in the Economist that highlighted the fact that Huawei had just surpassed Ericsson to become the world’s largest telecom equipment manufacturer. These gains were attributed to the provision of high quality equipment at a low price. However, the article also highlighted the various concerns related to cyber-warfare exploits being propagated by Chinese actors.
Despite being prepped by the Economist article, no-one was more surprised than I that on October 8, the U.S. House Permanent Select Committee on Intelligence (HSCI) published a report recommending that Huawei and ZTE (H&Z) equipment be boycotted in the U.S.
It turns out that Huawei had requested a government investigation; presumably with the expectation that they would be exonerated. The report states that the HSCI was dissatisfied with the degree of cooperation provided by H&Z. The outcome was that the HSCI made the following recommendations:
1. That U.S. government systems and U.S. government contractors should exclude the products and components of ZTE and Huawei.
2. The private sector and U.S. network providers were "strongly encouraged" to "consider the long term risks of doing business" with ZTE or Huawei.
I am not a computer/network security expert, nor am I privy to the classified information to which the HSCI has access. It is hard to imagine how this report could be viewed as anything other than protectionist by the Chinese government and H&Z fervently deny the accusations. However, this issue raises larger questions about the security of networks and the information contained therein.
Cyber warfare is an ongoing issue with attacks being perpetrated daily by a range of hostile actors. It has been alleged that many cyber assaults emanate from mainland China. Given the control that the PRC exerts on its domestic network, it is not unfair to assume that the Chinese government is at least aware of this.
However, let’s not fool ourselves that this is a one-sided effort. One cyber-attack that was actually celebrated was the insertion of the "Stuxnet virus" into the Iranian nuclear development program. Various experts, including General Michael Hayden, former director of the U.S. National Security Agency (NSA) and of the CIA, have said that Stuxnet was a good thing. However, a precedent was set by Stuxnet, with the implication that the potential and actual threats to our networks are only going to escalate.
The takeaway here is that the notion of excluding Chinese switches from service provider and enterprise networks is going to reduce the risk of cyber-attack is naïve and that the goal of securing our networks is actually much more complex than the banning the equipment of certain vendors.
One of the concerns of the HSCI regarding H&Z technology is that it could be (or is being) used to extract proprietary information from western companies and used to develop competing industries with very low cost structures. However, electronic surveillance is an expensive and low yield undertaking that could only be conducted productively in certain very high stakes operations. Just imagine how much effort it would take to glean useful economic intelligence from the average enterprise. There are, however, many cheaper, more scalable and much more easily targeted ways to access corporate IP:
-
The patent databases
-
The competitive employment environment
-
Immigration and education of foreign students
-
Reverse immigration and emigration
-
Joint ventures
Ironically, every western vendor that stands to benefit from a boycott of H&Z outsources a proportion of its product manufacturing to China. So this raises a much larger question: how safe or secure is any product, regardless of the domicile of the vendor, or the country of origin of the product or its component parts?
Microsoft’s adverse experience with cyber-security probably places them among the world leaders in this domain; so two papers published over a year ago are worthy of mention:
Of particular relevance to the H&Z situation is the creation in the U.K. of a Huawei Cyber Security Evaluation Center that is aimed at building mutual trust. With the advent of globalization, there is no other option and it is completely unrealistic for any country, large or small, to expect be able to deploy only domestic technology in critical infrastructure. However, the requirements of transparency and verification are at odds with vendors’ competition and differentiation strategies and governments’ security requirements.
The existing threats of network intrusion, cyber-vandalism and information theft ensure that enterprises and network operators have already put a raft of security measures in place. So it is not clear to me how the alleged exploits in H&Z technology can operate unrestricted in a secure environment. Furthermore, every incident only serves to strengthen our capability and resolve to protect our networks.
Cyber-security has evolved into a technology cold war, similar to the "arms race" and the "space race." But this isn’t a bad thing, in my opinion: as long as perceived threats are managed, they also spur progress. The only sure way of maintaining a sustainable competitive advantage is being first to market with the best technology; copying what others have already done is well understood to be a losing business strategy.
The only way to ensure that there are no cyber-warfare exploits in the products of any company is to verify before trusting. This can only be done economically by developing multi-lateral protocols for ensuring the security of our increasingly pervasive technology infrastructure.
[For access to the full version of this and other UC Insights articles, please go to ucinsights.com.]