I’ve written before about the reports from the UK’s centre set up to vet Huawei products (the most recent one is here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf).
Their conclusion was that, although they had become suspicious of attempts to include malicious code in switches and other products, they couldn’t actually conclude that there had been such attempts because the code was so poorly constructed.
Now a different case has come to light. Huawei was contracted to build a repository for the Papua New Guinea government’s data and operations. It opened in 2018.
A report was commissioned by the PNG government, and carried out by the Australian Strategic Policy Institute (paid for by Australia’s DFAT). Those who’ve seen the report say that it points out that:
- Core switches were not behind firewalls;
- The encryption used an algorithm known to be broken two years earlier;
- The firewalls had also reached the end of their lives two years earlier.
In other words, the installation was not fit for service.
The article (below) takes the view that this was malice. But Huawei’s track record again makes it impossible to tell.
As well as making it easy for Huawei to access the system illicitly, the level of security made it possible for any other country to gain access too. This is one of the major undiscussed issues around Huawei: maybe they are beholden to the Chinese government and might have to share data with them, but the quality of their security means that the attack surface of their equipment is large. So using Huawei equipment risks giving access to Russia, Iran, and North Korea, as well as China.
The PNG project was paid for by a loan from a Chinese bank. Sadly, there was no budget for maintenance, so the entire system degraded into uselessness before it could even get seriously started. But the PNG government still owes China $53 million for building it (Belt and Road = Bait and Switch?).
(behind a paywall, but there are other versions).