Huawei Analyst Summit – former UK Government CIO says, 'Put us to the test'

Though the accusations made against Huawei by the US authorities have mounted up,  there has not been much in the way of evidence laid out on the table to back them up.

The company is accused of being a cyber-security risk and of offering communications systems that have 'backdoors' – a means by which the Chinese authorities can access user communications traffic and, therefore, spy on whoever is using the systems.

The Huawei Analyst Summit gave the company – in the form of John Suffolk, Senior VP, Global Cyber Security and Privacy Officer - a chance to rebut these accusations and set out what steps the company has taken, and plans yet to take, to ensure that security is as good as it can be.

In a week when the UK looks set to invite Huawei into its own 5G roll out, Suffolk has some interesting credentials, having been the UK Government's  CIO and CISO for seven years before joining the company in 2011. He is also Deputy Chair of the Huawei Cyber-security Evaluation Centre (HCSEC), which is fulfilling the company’s obligations in terms of handing over information to the UK’s National Cyber-security Centre (NCSC).

The HCSEC opened at the end of 2010, as part of an agreement between Huawei and the Government. It evaluates a wide range of Huawei products used by UK telecoms operators to mitigate any perceived security risks arising from their use. The HCSEC Oversight Board was established in 2014 to examine and guarantee its work.

Suffolk has some deeply-held views on the subject of cyber-security, not least that the on-going march of technical development means that it is almost impossible to achieve with any certainty. The key factor there is, in his view, the development of new, more comprehensive ways to manage risk. He would also like to see these coming as policies and standards set out by governments:

There's no such thing as a zero-risk connected business. You just look at cloud computing environments around the world, you don't know where the servers are, you don't know what people are around them, you don't know the supply chain to fulfill that. So let's be realistic about the risk.

The HCSEC oversight mechanism in the UK is where the company, as he describes it, `stands naked’ in front of the government security people, examining what the company is doing, and offering up recommendations and how it can improve its software. And every year, the Oversight Board comes up with a report which gives the results of their views of all the things they've tested and looked at in the previous year.

What came out in the last bulletin was that the company needs to improve its software engineering on some of the old products. This is where it is now investing $2 billion to do just that, with the high-level plan on how the money will be spent due to appear in late spring:

This is about enhancing the resilience and the capability of our products for customers around the world. And we very much welcome their input and insight because governments have to protect the country, operators have to protect their network, and we have to protect all of the networks of the operators.

That open source stuff

At the moment however, much of the criticism of the company’s security stance is aimed at the lack of point solutions for point problems. For example, the latest criticism has been concerned with its use of OpenSSL code in its communications systems, a problem highlighted earlier this year by French software testing tools provider, CAST.

As Suffolk observed, the use of open source code has been a key driver in the overall development of new applications and services, and so long as the open source communities maintain the code, there are normally many advantages and few negatives to the process:

But the challenge is that sometimes communities break up and you are reliant on code, which is now embedded in your product, but there is no community maintaining it. We and our customers are quite clear, if we build anything into our products and services, whether it's open source or proprietary, we have the responsibility to make sure it does its job and only does its job. So it is a challenge.

Any support failure by a community can mean re-writing that code so it can be maintained internally, though discovering such failures is not always easy for, as he pointed out, every business now needs to know where every software component comes from, what the development plan is and, if you find you can't use that component, that you can find an alternative.

There is a longer running debate around whether open source is safer because anyone can look at it, compared to proprietary source where only certain people look at it. He feels that open source can cause complacency as well, because people think everybody else is looking out for it:

You can't do it manually, you need to invest in the technology to make sure you know where every component is.

An additional problem here is that Huawei, like other businesses with any history, then has a long tail of legacy systems that have to be maintained and supported. There are many customers that do not have the money to throw out existing working technology just because Huawei has some new technology available, says Suffolk:

They have to keep it there because we have committed to allowing customers to sweat their assets. Some of the design thinking that we did five and 10 and 15 years ago is not a good thing. And again, let me use an analogy. Do you think a car that was designed to 10 years ago? is a safe of the car designs today? So the UK Government comes along quite rightly and says you've got a lot of clutter in here. And we can take action. We've announced the $2 billion program to do that.

So I subscribe to the model which says you have to look at everything. You have to work using the ABC model - assume nothing, believe no one, check everything. So do not assume you're open source is safe. If someone tells you it is, don't believe them: go and check it for yourself. And if you don't do that, my belief is you are derelict in your duty.

So while Huawei is happy to use open source code, and applications from third party providers, it is in no mind to give away the 30% or so of the code that represents the company’s 'Crown Jewels'. It is however, more that ready to let anyone: customer, network operator or national regulatory authority, come and inspect and test the products and software. The objective is to provide openness, transparency and the ability to verify whatever they feel needs verification.

These days, everything is a software `bitsa’

As with most other equipment makers, only a minority of both hardware and software comes from within the company. Most of it comes from a complex supply chain of component and code suppliers, from major-name global vendors through to local small businesses. He accepts, however, that this is irrelevant when it comes to cyber-security and that, because it is branded 'Huawei’, the company is deemed responsible for 100% of that problem.

The Huawei view, he said, is to treat the current situation as an opportunity and listen to the concerns of customers and push further in terms of testing and scrutiny. The goal is to try and do it right because that way they learn more, and improve the products. He sees this as a virtuous circle.

The company’s commitment to this idea of allowing extensive testing and the validation of cyber-security through third party examination and testing raises an interesting point – just how far does Huawei think this should go? It claims that it is the only comms equipment vendor taking product and software testing to such lengths – specifically because of the accusations made against it – so should other vendors face similar testing? Should there be an independent agnostic body applying such testing worldwide? Suffolk responds:

We've had a debate over the last two years. We have a test center running 24 hours a day, 365 days a year. We use all the international code scanning tools from commercial companies, plus we've built our own, and it is all automated. There are lots of companies that provide testing tools and every time we find an issue, or see something on a black hat conference, or find a vulnerability, we go and look, we see if we can build a test.

I would be really interested to talk to companies that might want to see about how we could enhance the test and the automated test scripting. I'm very happy for them to maybe talk about how they could make value from our testing. I think it's a great idea. It's something we've considered and I'm very happy to have those conversations.

Europe is working towards a standard across Europe and he thinks that is a very, positive step forward. Assuming the UK leaves Europe he hopes that the UK will follow suit:L

I think the more countries we can bring together into a standard that we all agree with, even if the standard isn't perfect.

My take

It is interesting to observe the equanimity with which Suffolk and Huawei accept the situation that Donald Trump keeps trying to lay on the company, and end up turning it into a feature that its products are far more thoroughly and comprehensively tested than any other comms equipment available. And given the fact that just about every other vendor is going to be making use of open source components in their own code – and the code of third party suppliers - and quite probably accepting that they are suitable 'on the nod’, it sets up an interesting situation. Either the accusation have to become ever more strident, or eventually the US authorities may be forced to admit that its home-made alternatives may not be tested anywhere near as thoroughly.