What a difference a year makes.
At this time last year, China-based network vendor Huawei was being accused of being a threat to U.S. national security because it could “provide Chinese intelligence services access to telecommunications networks,” according to the House Intelligence Committee report that made headlines. Now, the National Security Agency (NSA) in the U.S. stands accused of planting backdoors in network gear and weakening at least one encryption standard for its own cyber-spying purposes, based on documents released by former NSA contractor Edward Snowden.
In the midst of this turn of events, Huawei — which was effectively shut out of the U.S. telecom market after last year’s committee report — today sought to initiate a fresh dialog about global cybersecurity by issuing what it calls its “Cyber Security Perspectives” report.
“We’re trying to contribute to a broader collaboration on standards and best practices,” said Andy Purdy, Huawei chief security officer.
Huawei is making the argument that new standards for vulnerability assessment, tracking and fixing of software and hardware need to be developed, along with compliance testing. In its “Cyber Security Perspectives” report, Huawei also advocates that “governments, the industry and end-users worldwide need to collectively come to an understanding on how we will work together to define and agree on new, specific norms of behavior, standards and laws, and how we promote privacy and security in global networks.”
“The imperative is to try and have agreements on what is OK and not OK globally,” said Purdy, and especially to establish trust in governments and the private sector.
Huawei’s 52-page report outlines the company’s internal procedures and practices as a global manufacturer. The report contains no surprises in its discussion of code-quality checks, supply-chain safety, concern about open source (which Huawei uses to some extent), and vulnerability reporting.
But Huawei also wants to open the door to the possibility of a new approach to global cybersecurity and conformance testing that would likely tilt away from efforts driven by the National Institute of Standards and Technology (NIST) and the NSA, including the existing IT product-testing program called Common Criteria.
Common Criteria was created in 1998 by the U.S., Canadian and European governments as a way to have accredited labs test IT gear for security and assurance purposes, and it’s sometimes a requirement in government procurements. China never joined the Common Criteria effort, though Huawei indicated it has had some equipment tested in Common Criteria labs.
“There are things that can be done that are a lot less expensive than the Common Criteria,” says Purdy. He says Huawei is advocating an approach that would rely on independent assessments but be “much more dynamic.”
And in the midst of the current atmosphere of suspicion over what intelligence agencies in the U.S., China and elsewhere may be doing to grab data by breaking into networks, Huawei again proclaimed its complete non-involvement in assisting any of it.
“Particularly, as the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear,” states Ken Hu in the opening pages of the Huawei report. “We can confirm we have never received any instructions or requests from any government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or any organization to any government, or their agencies.”
Huawei’s vice president of external affairs, Bill Plummer, said there is a “crisis of confidence” in the industry and “these concerns are reaching a fever pitch.” Suspicions about government-initiated cyber-spying are impacting the global information and communications technology (ICT) industry, threatening to lead to a “balkanization” based on perceived nationalistic concerns.
Huawei’s view, as reiterated in its report, has been that some “governments and politicians” are “using cyber security as a trade barrier without any evidence of any facts to support their efforts to lock companies out of their market.”
Huawei, for example, though China-based, likes to point out that the $35 billion company operates in over 140 countries and has deployed 130 LTE networks and more than 70 Evolved Packet Core (EPC) commercial networks. It has 330 managed services contracts and 70 cloud computing data centers. “Indeed, up to 70% of the components that are in Huawei’s technology portfolio are not from Huawei, but from a global supply chain with America being the biggest provider of components at 32%,” Huawei says in its report.
Plummer reiterated Huawei’s views about last year’s House Intelligence Report that blasted Huawei as a national security threat to the U.S., saying it was politically motivated. But it’s clear that the anti-Huawei campaign endures in some circles, where those close to U.S. intelligence agencies continue to publicly raise alarm bells about China and its home-grown high-tech firms. Gen. Michael Hayden did that last July as he sought to convince Australians not to acquire Huawei gear, accusing Huawei of clandestine activities and sharing of sensitive information with the Chinese state. Hayden is former head of the CIA and the NSA. At that time, Huawei publicly called Hayden’s remarks “unsubstantiated and defamatory,” noting no evidence had been presented.
Plummer says all these accusations about Huawei, presented without evidence, are “confounding” when heard. “You’re suggesting all these things and you’re not proving anything” while the recent revelations from the Snowden documents suggest a stark picture about the NSA. “Perhaps they’re looking in a mirror,” he adds.
The NSA stands accused of fostering backdoors through encryption-defeating efforts, with critics saying it will all backfire against the interests of the U.S. A NIST standard for what’s known as Dual Elliptic Curve Deterministic Random Bit Generator is now widely suspected of including an NSA backdoor. “The recent revelations have shaken a lot of people outside the U.S.,” says Purdy.
But one of the reasons that Huawei wants to start this cybersecurity dialog on a global basis is that the NIST Cybersecurity Framework, an effort launched via an executive order from the president, is expected to be published next February as a set of best practices that some think might later become requirements. Huawei wants to be part of the discussion as it moves forward.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org