Huawei: Easier to bribe telco staff than build backdoors

It requires so much effort to build backdoors into networking equipment that work across different global communications networks and system configurations that it likely is easier and more effective to bribe a telco executive, says Huawei's chief cybersecurity officer.

It requires significant effort to build backdoors into networking equipment that can work across different global communications networks and technologies. In fact, it is probably quicker and more effective to bribe a telco executive to gain access into corporate networks, quips Huawei Technologies' global cybersecurity and privacy officer. 

John Suffolk, who is also a senior vice president at the Chinese tech vendor, further noted that to ensure they worked, the backdoors would have to take into consideration the wide range of products and services as well as technologies that spanned many years, with many different configurations.

"Networks aren't the same," said Suffolk, in an interview with ZDNet. "When an organisation builds a network, the configuration is different and they use [equipment from] different [networking] suppliers. Even if you tried to build [a backdoor], it doesn't mean it'll work. And you'll need to know the [targeted] customer's architecture, how to bypass their controls, and there's no visibility on this."

"When you work out all the probability, it's probably simpler to bribe somebody in a carrier network to do it. You'll have a higher probability of success," he said, in response to repeated allegations that Huawei was building backdoors into its equipment at the request of the Chinese government.

While dismissing any validity in such suggestions, he added that even if Beijing did ask for backdoors to be built, it would be impossible to build a functioning one. 

Asked why it seemed implausible that the Chinese government could be spying through tech vendors when the Prism scandal revealed the US government had committed a similar act, Suffolk noted that the 2014 surveillance programme was carried out without the apparent support of the US companies, which said they were not involved in the scheme. 

He added that Huawei was an equipment provider, not a service vendor or a telecom operator, and had no visibility or access to a telecommunication network. Carriers, too, would not open up their doors to any company, much less Huawei, he said. "The reality is that, because we're a Chinese company, we're under more scrutiny and that's a positive thing [in terms of security]."

The Prism scandal, however, did reveal how pervasive the US National Security Agency (NSA) was and how much of the internet they controlled, including access to almost any business they wanted. These revelations offered great insights into how governments worked, he noted. 

In a March 2019 statement, Suffolk had said: "At Huawei, we are proud that we are the most open, transparent, and scrutinised company in the world. We are proud that governments, customers, and their professional teams verify everything we do.

"We are proud that we provide access to our most coveted and precious intellectual property to enable them to fully satisfy themselves. That is not to say that we are perfect, or that we produce perfect code all of the time or that we execute every process right first time... We will continue to make multi-billion dollar investments in our R&D and where we find issues we will fix them, where we find we can improve we will improve."

Part of such efforts included a $2 billion investment over five years to resolve security issues the UK government's National Cyber Security Centre (NCSC) identified in its annual evaluation of Huawei Cyber Security Evaluation Centre (HCSEC).

Asked about the UK report, Suffolk acknowledged that Huawei's software--built over the past 10 to 15 years--contained old code and design weaknesses that today were no longer perceived to be best practice.

"So they quite rightly smacked our wrist and said we needed to do a better job," he said, noting that this was especially critical as the industry moved into a future where everything was mobile and technologies such as 5G and artificial intelligence were emerging. "So if you're starting off with a complex, old code, filled with old things, it's not sustainable in the future. And if you're going to be a global player, you need to step up and reengineer what you're doing."

He added that Huawei had to build its products to cater to a range of customers from around the world, some of which might not have deep pockets and would have to retain the same equipment for 10 to 15 years. 

Suffolk also noted that the UK government was able to uncover flaws in its software because Huawei had been transparent and, through its cybersecurity evaluation centres, enabled governments and customers to assess and test its products for any weaknesses.  

5G not any less secure

Much of the paranoia had been stoked by Huawei's increasing footprint in 5G, which fuelled concerns especially amongst governments worried about how 5G could impact the security of their national infrastructure.

In a recent survey by Carbon Black, 98% of Singapore companies expressed security concerns about 5G deployments, with 55% believing these would facilitate more destructive cybercrime activities. Another 55% believed they could open up more opportunities for cyber attacks. 

When asked, Suffolk said it was not uncommon for people to have concerns about any new technology and there had been a lot of misinformation put into the market. He also pointed to a "misunderstanding" that 5G was developed by Huawei when it was established by the industry and global community of vendors, which all chipped in on what they believed the standards should be. 

He admitted, too, that the telecommunication industry could have done a better job in the early days to explain what 5G was and why it actually delivered better security than 4G.

In a research note released last week, EY said the impending launch of 5G networks next year would bring improved data speeds, low latency, and new levels of network responsiveness. Risks, however, also would be multiplied as 5G was expected to drive up mobile connections and connected devices, and businesses would need to manage more mission critical applications and data. 

"While 5G as a technology promises higher security protocols and standards that are superior to current 4G networks, the net result is that these new networks will create a much larger and more varied surface area open to attack," the consulting firm said.

It urged Asia-Pacific organisations to re-evaluate their risk exposure and tweak their cybersecurity strategy to put more emphasis on risk management, including incident response and compliance initiatives.
