Regarding Chinese tech companies like Huawei, Americans are told the following: Trojans that have been expertly dissolved into the product code allow for remote control of networks by the Chinese Government. From our boardrooms in Midtown, to member offices on Capitol Hill, this narrative is rarely questioned. Even our diplomats repeat the warning: Ambassador Grenell recently told Berlin to steer clear of Huawei for 5G – or else.
Well, the United Kingdom just tossed an interesting curve ball into this debate. Their formal Huawei Cyber Security Evaluation Centre (HCSEC) – and yes, there really is such a thing – issued today a report citing “significant technical issues” in many aspects of Huawei’s software process, product architecture, operating system, and management ecosystem. Let me provide for you a brief overview of Huawei's report card:
First, the HCSEC cites failure in something called binary equivalence. They asked Huawei to demonstrate that the build process for identical source products would produce identical binaries. And it sounds like Huawei couldn’t do it. Candidly, this is usually a lay-up, and honestly, if you can’t pass this test, then you’ve got issues. (Oh, and by the way – any capable malicious developer can use this paper to beat equivalence tests. But I digress.)
Second, the HCSEC complained about Huawei’s configuration management – aka version control. It sounds like Huawei has been pushed by this group to fix weaknesses in this area for almost a decade. (Yes, the HCSEC was formed in 2010.) The fact that HCSEC’s demands were not followed seems mind-boggling. (Maybe Huawei needs a better translator for stilted words like “mandraulic” included in the report.)
Third, the HCSEC took issue with Huawei’s dodgy, out-of-the-mainstream software, which was deemed insufficient to support carrier-grade telecommunications. The Huawei operating system was reviewed in detail and the report concluded that a single memory space in an OS is no good. I agree with this assessment, and am surprised that Huawei has not upgraded to a more supportable platform. (I’m also impressed that the HCSEC went there.)
The report cites many more detailed deficiencies that fall generally into the category of bad software process. The HCSEC reviewed, for example, Huawei’s use of OpenSSL and found extensive evidence of vulnerable code, bad version management, and on and on. They even looked at Huawei’s eNodeB (which helps drive the engine under the LTE hood) and found insecure features and weak coding practices. That’s bad for LTE, and bodes poorly for 5G.
Sigh. On the one hand, we are led to believe that Huawei has super-expert developers who are cleverly embedding Trojans into their product to remotely enact world domination. But then we read from this UK report that Huawei developers not only can’t walk and chew gum, but that they can’t walk, and they can’t chew gum either. I don’t want to sound glib, but this whole thing seems spectacularly inconsistent.
I strongly recommend that the team at Huawei go buy some used copies of Engineering and Operations in the Bell System. When I started my career in telecommunications security back in the Roaring 80’s at Bell Labs, we were given this book and told that network equipment, such as that wonderful #4ESS machine, was expected to work perfectly for forty years with no failure. We were told to design accordingly. That’s carrier grade.
I sure wish we could get back to that.