4 October 2019

Five Jeez: Five Security Arguments Against Huawei 5G

by Jason Healey

Many analysts remain skeptical about the U.S. charges against Huawei as the U.S. government has not laid out the risks clearly, has released little if any information to justify the charges, and has seemingly backtracked depending on trade negotiations or appeals by Chinese President Xi Jinping. As Justin Sherman and Robert Morgus have argued, “many countries, particularly in Europe, now have reason to harbor doubts that U.S. claims might just be motivated by a trade war.”

In fact, the five main arguments against Huawei go well beyond mercantilism.

The first argument is not about risk, but justice. Huawei allegedly stole intellectual property from rivals, such as Cisco, getting subsidized R&D through online theft. Huawei should not profit from the fruits of its crimes, so appropriate remedies could include taxes or tariffs so that Huawei gear is at least as expensive as that of the competitors from which it stole intellectual property.

The second argument is that Huawei routers may have intentional back doors to allow the Chinese government access. No such back door or access has been discovered, but this might only prove that the conditions under which China would exploit such access—such as Taiwanese independence—have not yet been triggered.

Not to get technical about the third argument, but Huawei code is crap. In 2012, security researchers revealed at DEF CON 20 that Huawei wouldn’t need to try and hide a back door in the code to gain access, since there are countless cavernous holes already.

These last two risks can be managed in many ways: patiently fixing the bugs, keeping insecure equipment out of critical networks, or tightly monitoring and segmenting the gear. However, the prospects for these types of risk mitigation look dim. The United Kingdom has had a group working with Huawei for years to intensively assess security and still concluded they can “only provide limited assurance that […] Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.”

The Chief Information Security Officer of Huawei USA, Andy Purdy, is a veteran homeland security cyber official who argues that if any country doubts critical information technology, it should lay out specific and transparent security requirements so that all providers can objectively pass or fail. This could be enough to handle the second and just maybe the third issue (with the UK experience suggesting Huawei would indeed fail).

If the United States and China were not facing off in conflict, or had a shared view of the future, this might be sufficient. Unfortunately, that is not the world we live in, nor will it be for many years.

The worst case, the fourth argument, is that Huawei has not just a backdoor but a kill switch. Huawei gear around the world would operate as normal, year after year, until a precipitating crisis. This risk seems distant as China is today only a competitor, not yet an enemy. But 5G will have a central role in the American economy and society, so the risk, while remote, is potentially massive.

China would only get to use this trick once, so it would have to be for an existential crisis, say a looming war with the United States over Taiwanese independence. The risk would vanish if the Chinese Communist Party could be convinced to loosen their control of domestic firms, but nothing seems less likely from Xi Jinping than such a root-and-branch reform of the entire economy. Barring that, the main risk mitigation is not using Huawei gear in any network that you aren’t willing to lose if China decides that a conflict with the United States is likely so it better get in a quick early punch.

The last argument is that the internet is supposed to be free and open, something China believes is an existential threat to the regime. The Chinese domestic internet is now just another element of repression and control. The more Chinese companies like Huawei are at the core of the internet, the more leverage the party will have to drive new technologies and standards so that the future internet is built to be an agent of control, not freedom. Again, there is little that can be done to manage this risk, barring a liberalization in China and convergence of U.S.-China long-term interests.

The best path to Huawei-free networks may be to embrace open-source solutions. Projects like O-RAN, the Open Radio Access Network, might allow more vendors to enter the market to provide mobile technologies at lower cost.

The future of the internet is too important, and Huawei too potentially beholden to the Chinese Communist Party, to allow Huawei in U.S. critical networks.
