Chinese telecoms giant Huawei may well be the world’s most controversial technology company. It’s also probably one of the most well-known names on the US government’s “entity list”, where it was placed in May this year.
A placement on the effective trade blacklist – although it has since been given a reprieve until August – means American companies have to obtain licences to work with it, with those licence exceptions limited.
It had already been locked out of supplying equipment to America’s high-speed 5G networks over spying fears some time before.
Germany tells America to verpissen off over Huawei 5G cyber-Sicherheitsbedenken
Australia has imposed a similar 5G ban, and the US has been pressuring other members of the “Five Eyes” intelligence-sharing club to follow suit. In late June, the US ambassador to Britain, Woody Johnson, described allowing Huawei to help build such networks as being akin to “letting a kleptomaniac into your house”.
Huawei denies all such charges. In June, its global cybersecurity and privacy officer – and former UK government chief information officer – John Suffolk told a British Parliamentary committee that the company would rather close than buckle under wrongful pressure from governments. And at least some of the US opposition to the company appears mixed up with US president Donald Trump’s theatrical method of conducting trade negotiations.
I’m buying and selling tech, I’m no politico or diplomat: what do I do?
For those buying telecoms equipment professionally, this causes a problem. Huawei has 28 per cent of the global telecoms equipment market, according to US analyst Dell’Oro, ahead of rivals such as Cisco of the US, Sweden’s Ericsson and Finland’s Nokia, and in normal circumstances, it would be perverse not to consider it. So – assuming buying from the company is not ruled out by your government – what should you do?
Probably the most rigorous public testing of Huawei’s equipment is carried out by the UK’s Huawei Cyber Security Evaluation Centre, a Banbury-based operation known as “the Cell” run by signals intelligence agency GCHQ. As the name suggests, it only tests Huawei kit, not that of its rivals, so it’s not possible to draw comparisons.
Huawei savaged by Brit code review board over pisspoor dev practices
But its latest annual report was far from complimentary, reporting “serious and systematic defects in Huawei’s software engineering and cyber security competence”. It did not believe the defects resulted from interference by the Chinese state, but added it had reported “several hundred vulnerabilities and issues” to UK communications operators, and that some still existed.
Underlining this, Ian Levy – technical director of the National Cyber Security Centre (NCSC), a division of GCHQ – described Huawei’s security as “objectively worse” than that of Western equipment makers, adding recently: “Certainly nothing is perfect, certainly Huawei is shoddy, the others are less shoddy.”
“Personally I would be wary about using equipment whose vendor had copied a whole lot of software that they had no clue how to maintain,” commented Ross Anderson, professor of security engineering at the University of Cambridge’s computer laboratory, adding that he trusts Levy’s assessment. Some companies in the sector take a similar view, with researcher Finite State reckoning Huawei has “a weaker security posture” than its rivals.
Banhammer Republic: Trump declares national emergency, starts ball rolling to boot Huawei out of ALL US networks
Mike O’Malley, vice president of carrier services at security service provider Radware, said that Cisco and Nokia have integrated security services from third parties – including Radware – into what they offer: “They are viewing security as a differentiator,” he added. Ericsson can offer Radware’s services as add-ons but Huawei has developed its own, which O’Malley described as “a fairly rudimentary, low-level type of security”.
Tod Beardsley, director of research at cybersecurity company Rapid7, said that the big equipment suppliers have specific strengths and weaknesses, although he doesn’t think it is possible to rank them. Cisco and Huawei participate in the US-run Common Vulnerabilities and Exposures system for reporting problems, although Nokia and Ericsson also have good alternative methods for this, and he reckoned Nokia has a reputation for being very security-aware and fixing problems quickly.
Cisco discloses a lot of vulnerabilities, but Beardsley said: “That does not mean it is less secure. It ships more patches, which is ultimately positive.” It has been criticised for using the same default usernames and passwords for some lines of equipment, rather than using different ones for each device, however.
Balancing consumerization and corporate control