Huawei security chief: Blocking one company doesn’t address full security risk

PROVIDENCE, Rhode Island—At this year’s Competitive Carriers Association (CCA) annual convention, both FCC officials and Huawei executives were on-site addressing network security in front of audience members, including some rural wireless carriers that stand to be impacted by ongoing tensions between the U.S. and China.

Huawei was put on the U.S. Commerce Department’s Entity List in May due to national security risks, effectively blacklisting the Chinese telecom equipment giant and certain affiliates from purchasing certain technology and components from American companies. The Trump administration has also pressed global allies to exclude Huawei from next-generation 5G networks, raising concerns that the Chinese government could use the vendor as an apparatus for attacks or cyberespionage.

Huawei has consistently denied the allegations, and the company’s chief security officer Andy Purdy told FierceWireless that Huawei has gotten caught up in the broader trade dispute between the U.S. and China through “no fault of our [Huawei’s] own,” and that the company recommends developing an approach that addresses security risks posed by all vendors.

“Blocking [Huawei] isn’t going to make America safer, you need a comprehensive approach,” Purdy said, adding Huawei encourages efforts like those by the European Union through ENISA (European Networking Information Security Agency), which is working to create broad risk mitigation mechanisms.

He also said there are multiple governments in the world that have the ability to “virtually implant hidden functionality in hardware or software that’s very difficult to find.”

“There needs to be testing in place to make sure that whoever’s equipment it is, has not been tainted by the conduct of some hostile government or some other hostile sophisticated malicious actor,” Purdy said. “Blocking one company doesn’t help you address that very real risk.”

Starks calls out Huawei

In the U.S., Huawei already supplies telecom equipment for about 40 rural wireless companies, and the government is weighing options for how to identify and fix insecure equipment, including a so-called “rip and replace” method, which could cost from hundreds of millions to more than a billion dollars.

FCC Commissioner Geoffrey Starks has taken the lead at the agency in addressing this issue, and held a workshop over the summer to gather input from stakeholders on approaches, including funding for smaller operators who may be unable to shoulder the economic burden. The government is also considering withholding federal funds from operators that use network equipment deemed as potentially risky.

While speaking at a CCA keynote on Tuesday, Starks acknowledged that stretching out the replacement timeline and letting insecure equipment simply age out of service could save millions.

“We must weigh this potential savings, however, against the possible risk to our national security while this equipment remains in place,” Starks said. He also called out concerns over Huawei specifically.

“Experts say that the equipment made by Huawei and other Chinese manufacturers presents serious security vulnerabilities. According to these experts, Huawei software does not have the same consistency from installation to installation as its competitors. Programming variations make it difficult or impossible even for Huawei to know exactly what software is deployed in a given build, and whether the equipment will accept software updates,” Starks said. “Security experts tell us that this ‘bugginess’ in Huawei software means that it has ‘front doors’ accessible by both the company and by bad actors familiar with exploiting inconsistencies and flaws in Huawei code.”

Huawei's defense

Huawei, for its part, sponsored a seminar at the event titled “Let’s Collaborate to Make America’s Communication Networks Safer,” where panelists stressed the need for consistent rules and standards for securing telecom networks.

Speaking at the session, Purdy said there is a need to create better monitoring capabilities in general and greater transparency, and pointed to efforts by GSMA and 3GPP working with operators and equipment vendors to create standards and a certification process for next-generation telecom equipment.

“As part of transparency, in our space when equipment vendors are working with operators to service the equipment or service the networks there are methods that can be used and should be used that make it quite clear to both the telecom operators and the governments if necessary that there is limited ability of the equipment vendors to access any data that they’re not supposed to access or to turn over that data to anyone they’re not supposed to turn it over to,” said Purdy. “Methods that provide both assurance and transparency are absolutely essential as part of verification and conformance.”

He said the company is hopeful about efforts elsewhere, such as in Germany and Europe, to create global measures for knowing, and being able to test and ensure, the trustworthiness of products and services. The U.K. notably is still deciding whether to bar Huawei equipment from its own 5G networks.

Speaking to FierceWireless, Purdy said he thinks that, due to the U.S.-China trade dispute, Huawei hasn’t been able to engage in discussions with the U.S. government that would otherwise normally take place to potentially resolve the company’s situation.

When asked what those talks would entail, Purdy said: “We would have discussions with them about what real cybersecurity risk is, what’s necessary to be done about it, and talk about proven mechanisms to address risk, such as those that allow Nokia and Ericsson to do business in the United States in a fairly unrestricted way because they have government monitored risk mitigation agreements in place, and we’d like to talk to the government about whether something like that could be developed for us.”

Earlier this year the FCC denied an application from a different Chinese entity, China Mobile, which was seeking authorization to provide telecom services in the U.S. That application was denied, on recommendations from U.S. security officials, on the grounds of national security risks related to influence by the Chinese government. The FCC also found that a risk mitigation agreement would not be effective against threats because of the company’s ties to the Chinese government.

In his keynote, Starks noted the FCC is now also reviewing the existing authority of two other Chinese telecom carriers to determine if they present the same type of threat.

Resolution between the U.S. and China remains to be seen, but Purdy said he thinks that once that happens it’s likely the U.S. will “finally be willing to talk to [Huawei], and we look forward to that.”