In a new white paper from China's Huawei, called Cyber Security Perspectives, the company calls for transparency to create and implement common international standards of cyber security - and has countered allegations of involvement in cyber-espionage that led the US House of Representatives intelligence committee to say that US companies and the US government should not work with Huawei (and ZTE) as they pose a security threat to the US.
“We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability ... (and) ... never been asked to provide access to our technology or provide any data or information on any citizen or organisation to any Government, or the agencies,” declares Ken Hu, Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee in the white paper foreword.
The announcement contradicts statements from the US intelligence committee saying it had received internal Huawei documentation from former employees showing the company provides special network services to an entity alleged to be an elite cyberwarfare unit within the People's Liberation Army. In fact, intelligence committee chairman, Republican Rep Mike Rogers, went so far as to state: “Find another vendor [than Huawei] if you care about your intellectual property”, and both US and Australian companies have done just that.
In contrast, Martin Jordan, Director, Information Protection Team at KPMG, told SC Magazine: “I can't see the logic of a mythical back door and state intervention in Huawei”. He added: “We have not actively come across any back doors in Huawei equipment; the company is not in the business of spying on say some network in Norfolk – its motivation is to make a profit and achieve commercial world domination. Any backdoor to government would be spotted and undermine its growth strategy for the next three to four years.”
The spotlight on suspected Chinese cyber-espionage intensified earlier this year following the February 2013 publication of the Mandiant report, APT1: Exposing One of China's Cyber Espionage Units, which makes a compelling case to conclude that a group it identifies as Unit 61398 steals intellectual property from English-speaking organisations, operates at the level of hundreds of terabytes, and that it is acting with the full knowledge and cooperation of the government. While this may or may not be the case, Jordan disputes any link with Huawei, saying: “The espionage angle is just being used to hide resentment of foreign technology.” He compares the situation to the initial arrival of Japanese car manufacturers in the UK, when their safety standards were being questioned. “It was really just protectionism for a failing industry. We can see some of the same concerns with Chinese technology – it's purely protectionism in a lot of cases. Many UK and US companies are proud to talk about their close links to government – but they don't like Huawei to say the same.”
At the London launch of the Huawei white paper, David Francis, Huawei's Cyber Security Officer for the UK market, anticipated potential scepticism given that the report is a call for transparency and common standards in the industry, whereas the US has specifically criticised the company for failing to explain its relationship with the Chinese government and for not making its corporate structure and decision-making processes clear.
Francis began his presentation by showing his two phones, one a Huawei device, and the other a US handset (which appeared to be an iPhone), commenting how both contained components made in China, the US and elsewhere – he asked which was the more American? His point was that China produces product for the likes of Cisco and others, that Huawei uses components from other providers inside and outside China, and that the market is already globalised to the extent that manufacturing location is not the issue. He added that Huawei provides equipment to be used by operators, who would be the ones to be approached if there were any approach from government agencies. In addition, he pointed out that even in countries that excluded them, such as Australia, people could not be sure where their messages were routed given the global nature of networks.
The crux of the document was a call for recognised international best practice, in which security is built in from the R&D stage rather than bolted on at the end of the process. This should encompass all aspects of production and staffing, through to secure delivery of devices, establishing agreed international standards. A practical overview of Huawei's approach walks through each of the aspects of design, build and deployment of technology involving cyber security considerations, including overarching strategy and governance structure, day-to-day processes and standards, staff management, R&D, security verification, third-party supplier management, manufacturing, delivery and traceability.
Jordan welcomed these moves, and the embedding of security throughout the Huawei process, suggesting that earlier issues had not been about Huawei equipment, “…but there have historically been issues with the quality of their code going into the equipment rather than any back doors. So it's good to see the company embracing secure development. They are going through what Microsoft, Cisco and others went through 12 years ago, instilling in staff the importance of security throughout the process.”
The UK has been courting Chinese investment, opening up to Huawei a decade ago – and has just announced that China can now invest in its nuclear power stations, which is about as critical as infrastructure gets – yet while the announcement was being made, Transparency International was issuing a survey condemning corruption in Chinese multinational companies – with Huawei Technologies one of the companies at the bottom with a zero score for organisational transparency.
Huawei's Francis says that any criticism the company receives should be fact-based, with hard evidence. Its own ABC mantra for security is, “Assume nothing, believe no-one and check everything.” It seems likely foreign security agencies will continue to adopt a similar response in relation to the organisation for the foreseeable future – but while the UK and Europe appear willing to be convinced, the US and Australia remain highly sceptical.