Posts Tagged 'Huawei'

Huawei: Malice or incompetence?

I’ve written before about the reports from the UK’s centre set up to vet Huawei products (the most recent one here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf).

Their conclusion was that, although they had become suspicious of attempts to include malicious code in switches and other products, they couldn’t actually conclude that there had been such attempts because the code was so poorly constructed.

Now a different case has come to light. Huawei was contracted to build a repository for the Papua New Guinea government’s data and operations. It opened in 2018.

A report was commissioned by the PNG government, and carried out by the Australian Strategic Policy Institute (paid for by Australia’s DFAT). Those who’ve seen the report say that it points out that:

  • Core switches were not behind firewalls;
  • The encryption used an algorithm known to be broken two years earlier;
  • The firewalls had also reached the end of their lives two years earlier.

In other words, the installation was not fit for service.

The article (below) takes the view that this was malice. But Huawei’s track record again makes it impossible to tell.

As well as making it easy for Huawei to access the system illicitly, the level of security also made it possible for any other country to gain access as well. This is one of the major undiscussed issues around Huawei — maybe they are beholden to the Chinese government and might have to share data with them, but the quality of their security means that the threat surface of their equipment is large. So using Huawei equipment risks giving access to Russia, Iran, and North Korea, as well as China.

The PNG project was paid for by a loan from a Chinese bank. Sadly there was no budget for maintenance so the entire system degraded into uselessness before it could even get seriously started. But the PNG government still owes China $53 million for building it (Belt and Road = Bait and Switch?).

https://www.afr.com/companies/telecommunications/huawei-data-centre-built-to-spy-on-png-20200810-p55k7w

(behind a paywall, but there are other versions).

Huawei vs Nortel

There’s a long summary of the evolution of Huawei and the early hacks against Nortel here:

https://www.bnnbloomberg.ca/did-a-chinese-hack-kill-canada-s-greatest-tech-company-1.1459269

Most headlines that contain a question can be answered “No” without reading the article, but this one is an exception.

More thoughts on Huawei

“5G” is marketing speak for whatever is coming next in computer networks. It promises 100 times greater speed and the ability to connect many more devices in a small space. However, “5G” is unlikely to exist as a real thing until two serious problems are addressed. First, there is no killer app that demands this increase in performance. Examples mentioned breathlessly by the media include being able to download an entire movie in seconds (which doesn’t seem to motivate many people), the ability for vehicles to communicate with one another (still years away), and the ability for Internet of Things to communicate widely (the whole communicating lightbulbs phenomenon seems to have put consumers off rather than motivated them). Second, “5G” will require a much denser network of cell towers and it’s far from clear how they will be paid for and powered. The 5G networks touted in the media today require specialized handsets that are incompatible with existing networks and exist only in the downtown cores of a handful of cities. So “5G” per se is hardly a pressing issue.

Nevertheless, it does matter who provides the next generation of network infrastructure because networks have become indispensable to ordinary life – not just entertainment, but communication and business. And that’s why several countries have been so vocal against Huawei’s attempts to become a key player.

There are two significant issues. First, a network switch provider can see, block, or divert all the traffic passing through its switches. Even encrypting the traffic content doesn’t help much; it’s still possible to see who’s communicating with whom and how often. Huawei, however much it claims to the contrary, is subject to Chinese law that requires it to cooperate with the Chinese government and so can never provide neutral services. It doesn’t help to say, as Huawei does, that because it never has acted at the behest of the Chinese government, it never will in the future. Nor does it help to say that no backdoor has ever been found in its software. All network switches have the capability to be updated over the Internet, so the software it is running today need not be the software it is running tomorrow. It is not surprising that many governments, including the US and Australia, have reservations about allowing Huawei to provide network infrastructure.

Second, the next generation of network infrastructure will have to be more complex than what exists now. A long-standing collaboration between the UK and Huawei tried to improve confidence in Huawei products by disassembling and testing them. Their concern, for a number of years, was that supposedly identical software built in China and built in the UK turned out to be of different sizes. This is a bad sign, because it suggests that the software pays attention to where it is being built and modifies itself accordingly (much as VW emissions testing software checked whether the vehicle was undergoing an emissions test and modified its behaviour). However, their 2019 report concluded that the issue stemmed from Huawei’s software construction processes, which were so flawed that they were unable to build software consistently anywhere. The software being studied is for today’s 4G network infrastructure, and the joint GCHQ-Huawei Centre concluded that it would take them several years even to reach today’s software engineering state-of-the-art. It seems inconceivable that Huawei will be able to produce usable network infrastructure for an environment that will be many times more complex.

These two problems, in a way, cancel each other out – if the network infrastructure is of poor quality it probably can’t be manipulated explicitly by Huawei. But its poor quality increases the opportunity for attacks on networks by China (without involving Huawei), Russia, Iran, or even terrorist groups.

Huawei systems are cheaper than their competitors, and it’s a truism that convenience trumps security. But the long-term costs of a Huawei connected world may be more than we want to pay.

Huawei’s new problem

The Huawei Cyber Security Evaluation Centre (HCSEC) is a joint effort, between GCHQ and Huawei, to increase confidence in Huawei products for use in the UK. It’s been up and running since 2013.

In its 2018 report, the focus was on issues of replicable builds. Binaries compiled in China were not the same size as binaries built in the UK. To a computer scientist, this is a bad sign since it suggests that the code contains conditional compilation statements such as:

    if country_code == UK
        insert backdoor

In the intervening year, they have dug into this issue, and the answer they come up with is unexpected. It turns out that the problem is not a symptom of malice, but a symptom of incompetence. The code is simply not well enough engineered to produce consistent results.
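As an added illustration (not code from the HCSEC report or from Huawei), here is the kind of build-equivalence check this concern implies: compare the artifacts from two build sites and report size deltas and the first differing byte. The artifact names, paths and the toy build are constructed, and the embedded build directory is an assumed example of an innocent source of non-determinism, not a finding about Huawei's build.

```python
import hashlib

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the inputs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # One input is a prefix of the other: they diverge where the shorter ends.
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_builds(site_a: dict, site_b: dict) -> list:
    """Compare two builds given as {artifact name: bytes}; return the findings."""
    findings = []
    for name in sorted(set(site_a) | set(site_b)):
        if name not in site_a or name not in site_b:
            findings.append({"artifact": name, "status": "missing"})
            continue
        a, b = site_a[name], site_b[name]
        if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
            continue  # bit-for-bit identical: nothing to explain
        findings.append({
            "artifact": name,
            "status": "mismatch",
            "size_delta": len(b) - len(a),
            "first_diff_offset": first_diff(a, b),
        })
    return findings

def toy_build(build_dir: bytes) -> dict:
    """Constructed sample: same 'source' everywhere, but one artifact
    embeds the directory it was built in (hypothetical names throughout)."""
    code = b"\x7fELF" + b"\x90" * 16
    return {
        "switch_fw.bin": code + b"built-in:" + build_dir,
        "bootloader.bin": code,
    }

BUILD_UK = toy_build(b"/home/uk/build")
BUILD_CN = toy_build(b"/data/jenkins/workspace/fw")
FINDINGS = compare_builds(BUILD_UK, BUILD_CN)

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

A mismatch by itself does not distinguish a planted conditional from a sloppy build; the offset tells a reviewer where to start looking.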

Others have discussed the technical issues in detail:

https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversight_board_savaging_annual_report/

but here are some quotes from the 2019 report:

“there remains no end-to-end integrity of the products as delivered by Huawei and limited confidence on Huawei’s ability to understand the content of any given build and its ability to perform true root cause analysis of identified issues. This raises significant concerns about vulnerability management in the long-term”

“Huawei’s software component management is defective, leading to higher vulnerability rates and significant risk of unsupportable software”

“No material progress has been made on the issues raised in the previous 2018 report”

“The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”

Not only is the code quality poor, but they see signs of attempts to cover up the shortcuts and practices that led to the issue in the first place.

The report is also scathing about Huawei’s efforts/promises to clean up its act; and they estimate a best case timeline of 5 years to get to well-implemented code.

5G (whatever you take that to mean) will be at least ten times more complex than current networking systems. I think any reasonable computer scientist would conclude that Huawei will simply be unable to build such systems.

Canada, and some other countries, are still debating whether or not to ban Huawei equipment. This report suggests that such decisions can be depoliticised, and made based purely on economic grounds.

But, from a security point of view, there’s still an issue — the apparently poor quality of Huawei software creates a huge threat surface that can be exploited by the governments of China (with or without Huawei involvement), Russia, Iran, and North Korea, as well as non-state actors and cyber criminals.

(Several people have pointed out that other network multinationals have not been scrutinised at the same depth and, for all we know, they may be just as bad. This seems to me implausible. One of the unsung advantages that Western businesses have is the existence of NASA, which has been pioneering reliable software for 50 years. If you’re sending a computer on a one-way trip to a place where no maintenance is possible, you pay a LOT of attention to getting the software right. The ideas and technology developed by NASA have had an influence in software engineering programs in the West that has tended to raise the quality of all of the software developed there. There have been unfortunate lapses, whenever the idea that software engineering is JUST coding becomes popular (Windows 95, Android apps) but overall the record is reasonably good. Lots better than the glimpse we get of Huawei, anyway.)

China-Huawei-Canada fail

Huawei has been trying to convince the world that they are a private company with no covert relationships to the Chinese government that might compromise the security of their products and installations.

This attempt has been torpedoed by the Chinese ambassador to Canada who today threatened ‘retaliation’ if Canada joins three of the Five Eyes countries (and a number of others) in banning Huawei from provisioning 5G networks. (The U.K. hasn’t banned Huawei equipment, but BT is uninstalling it, and the unit set up jointly by Huawei and GCHQ to try to alleviate concerns about Huawei’s hardware and software has recently reported that it’s less certain about the security of these systems now than it was when the process started.)

It’s one thing for a government to act as a booster for national industries — it’s another to deploy government force directly.

China seems to have a tin ear for the way that the rest of the world does business; it can’t help but hurt them eventually.