Huawei needs to be more open on security if it is to become a truly global player
Huawei is China's largest networking and telecommunications equipment supplier, with links to corporations worldwide and a major stake in the UK's vital infrastructure through its BT partnership. Doubts about its integrity and alleged vulnerabilities in its equipment are compounded by secretiveness. Time to open the kimono, says Kevin Eagles, principal CESG Listed Adviser Scheme consultant at VEGA Consulting Services.
‘Huawei, who?’ – some of you will be asking. And, ‘hmmm, Huawei…’ others of you will be knowingly musing.
The past few years have seen turbulent times for communications and network equipment suppliers. There have been mergers, takeovers, strategic alliances – and also companies folding. The demise of the mighty Marconi (which Huawei made an unsuccessful bid for in 2005) some time ago is a textbook classic and the recent breaking up of Nortel illustrates on a contemporary footing how rocky the comms and network supplier road can be. However, one exception to this rule has been a company called Huawei.
Huawei Technologies is the largest networking and telecommunications equipment supplier in the People's Republic of China. It is a privately owned high-tech enterprise that specialises in production, R&D and marketing of communications equipment and also provides customised network solutions for telecommunications carriers. Its products serve many of the top 50 telecoms operators.
The company puts ten per cent of its revenue into R&D every year, says chief marketing officer, Eric Xu Zhijun. Huawei has R&D centres in India, Indonesia, Ireland, Netherlands, Russia, Sweden and the US, as well as having a strong R&D capability in China itself. These R&D centres have helped to make it the world's top international patent applicant, ahead of Bosch, Panasonic, Philips and Toyota.
Huawei has links with many established and well-known corporations. In May 2007, Huawei and US security firm Symantec announced the forming of a joint-venture company, Huawei Symantec, to develop security and storage appliances for telecommunications carriers. Huawei owns 51% and Symantec owns the remaining stake. This firm is based in China.
Interestingly, at one point Nortel and Huawei were going to embark on a joint venture to sell ultra-broadband equipment in North America, but scrapped the deal in 2006.
In addition, for many years Huawei has been linked to 3Com. In 2003, Huawei entered into a joint venture (Huawei-3Com) with 3Com for Internet Protocol-based routers and switches, eventually selling its 49% stake back to 3Com in 2007. However, things got rocky when, in 2008, Huawei, in a partnership led by Bain Capital, attempted to take over 3Com in a $2.2 billion move. This deal was rumoured to be scuppered due to concerns within Washington about Chinese influence on a US firm, something 3Com denied.
These examples of collaboration illustrate how relentless Huawei has been in pursuing a strategy of market growth, diversification, pervasive influence and enhancement of its reputation as a credible and sustainable player in the comms space.
In what must rank as one of the most controversial (or, conversely, forward-looking) business decisions this decade, a pinnacle was reached when in 2005 Huawei was chosen by BT as a supplier to assist in the deployment of BT's Multi-Service Access Network (MSAN) and transmission equipment. This is providing the optical backbone for the UK-wide BT 21st Century Network (21C), sometimes referred to as the Next Generation Network (NGN). By default, this ties Huawei into UK plc comms – and its chief protection against terrorist attack, the UK Critical National Infrastructure (CNI).
However, this point has not gone unnoticed by the press and intelligence advisors, especially as Huawei was established in 1988 by Ren Zhengfei, a former soldier in the world's largest military force, China's People's Liberation Army (PLA). The London Times published an article on 29 March 2009, entitled “Spy chiefs fear Chinese cyberattack”. It said that intelligence chiefs had warned that China may be able “to shut down Britain” by crippling its telecoms and utilities. Equipment installed by Huawei “could be used to halt critical services such as power, food and water supplies”, the article continued.
There has also been more longstanding negative press. The 2004 Iraq Survey Group final report said Huawei supplied Saddam Hussein with an “illicit” communications system in 2000. And in 2003-2004, Cisco and Huawei were in dispute over Huawei's alleged copying of Cisco router designs.
However, Huawei is somewhat of an enigma, as it is a successful and rapidly expanding company in a new age of comms suppliers. It manufactures reliable equipment at competitive prices and is also emerging as a successful innovator: in March this year the company received a Financial Times (FT) award for ‘innovation and leadership in emerging markets’, through its work on customised network solutions.
So, this enigma poses a dilemma: reliable, innovative, cost-effective equipment and solutions versus some doubts about the alleged integrity of the company and alleged concerns over possible inherent vulnerabilities in its equipment.
The integrity of a company is holistic and cannot be set against a few incidents. In 2006, highly reputable companies Nokia and Siemens started a joint venture called Nokia Siemens Networks, which constituted the merging of their mobile and fixed-line phone network equipment businesses to create one of the world's largest network firms. However, recent unfavourable headlines have alleged that Nokia Siemens Networks provided the Iranian government with technology that allowed it to intercept the internet communications of its citizens.
It is also ironic if one wants to consider the trust questions raised by Huawei being a Chinese company with its code and printed circuit boards (PCBs) wholly made in China and possibly susceptible to malicious activity during the design and production processes. So much equipment and code from other vendors is produced in China and/or India now due to off-shoring that these types of threats have existed for a while, even if the vendor is North American or European. This statement by no means dismisses the threats posed through off-shoring; it merely shifts the goal posts to include other companies too.
At the time of writing, it is believed that the UK government does not directly use Huawei equipment but, as highlighted earlier in this article with BT's 21C, Huawei does have an indirect presence. In addition, with the Future Core Network (FCN) programme on the horizon within the UK Ministry of Defence, bidders for FCN may well choose to use Huawei as a supplier.
The key thing that would help Huawei with any security-related problem would be some form of reputable third-party assurance endorsed by a national body. This could be product evaluations under Common Criteria, which has international recognition, or product and/or system evaluations by the CESG Tailored Assurance Service (CTAS), which has UK-only recognition.
None of Huawei's products or implemented systems currently has these badges of honour (which can include a code review), nor has any been entered into any of these schemes. Use of such schemes at the appropriate levels of rigour would go some way to dispel concerns that Huawei equipment may be exploited for espionage or cyberattack purposes. Not having these badges of honour tends to add fuel to the fire of suspicion.
An often mooted criticism of formal evaluations is that they can prove to be lengthy and expensive activities. Although this can be true to some extent, a vendor-supported evaluation, whereby the vendor assigns relevant staff to assist in the evaluation process, can prove to be effective in controlling the timescale and ultimate cost of the evaluation.
From a market perspective, governments around the world tend to favour evaluated products (either via their national schemes or Common Criteria), because it lessens the risk of using the product. This in itself is a compelling business case for vendors to enter their products into formal evaluation.
On another note, many software publishers with Enterprise Agreements with UK government departments (and departments in other nations' governments) – such as Microsoft and Oracle – tend to have their own systems for secure software development. Microsoft has its Security Development Lifecycle system and Oracle has its Software Security Assurance programme. Both systems are there to ensure that security is factored into software development. The UK's Technology Strategy Board Cyber Security Knowledge Transfer Network (KTN) is also investigating approaches to promote best practice in the secure software development process lifecycle.
Even though the code footprint of a comms device is not as vast as for a software application, the code is still quite large and complex and there would be mileage in Huawei adopting similar and provable techniques and processes for the secure development of the code in its products. This may also give it the edge over comms competitors that do not appear to have such a thing either.
In conclusion, a true test of Huawei's innovation and belief in its products would be strong consideration of initiatives to bolster the security viewpoint of its offerings. This would illustrate the credibility and strength of the company and its products.
In that light, it is surely a matter of not ‘if’ but ‘when’ Huawei bites the bullet and goes down the pathways of formal evaluations and secure code development processes. These two factors will go a long way to allay concerns and enhance the credibility of Huawei's products and services.
There is no doubt that Ren Zhengfei served in the PLA; however, there are uncorroborated reports in the public domain which state that he was a veteran soldier and an Officer in the PLA.
As of December 2008 the Common Criteria Recognition Agreement (CCRA) has 26 countries as members. NB: These 26 countries do have variances in mutual recognition relative to the EAL rating and whether there are any cryptographic elements within the evaluation.
The Technology Strategy Board (TSB) was established by the Government in 2007 to support technology research, development and commercialisation and advises Government on how to remove barriers to innovation and accelerate the exploitation of new technologies.