Pages

7 April 2019

Huawei and Managing 5G Risk

By Herb Lin 

Based on cybersecurity concerns, the United States, Australia and New Zealand have staked out policy positions that prevent or strongly discourage the acquisition of Huawei 5G technology for use in the national communications infrastructure of these nations. Other U.S. allies have announced or are considering policy positions that do not go so far and would indeed allow such acquisition at least to some extent.

Both sides have their public arguments, but the arguments are largely incompatible with each other. The pro-Huawei side argues that Huawei equipment has never been shown to be compromised, and that inspections and testing of Huawei hardware and software will prevent the implantation of vulnerabilities that would compromise their products. The anti-Huawei side argues that because Huawei is ultimately subject to the control of the Chinese government, the security of a communications infrastructure based on Huawei 5G technology depends on choices made by the Chinese government, thus placing control of a critical national infrastructure in the hands of a foreign government that poses—or at least in their view, should pose—an unacceptable security risk.


But these arguments obscure some important points and are silent on others. It’s worth unpacking the arguments and inserting some technical realities into the debate.

The pro-Huawei argument isn’t persuasive. I’ve heard various rumors of Huawei equipment being released in a compromised state (e.g., USB drives that contain malware), but I have seen no evidence or credible reporting to substantiate any of them.

At the same time, an old saying in the intelligence community holds that “we have never found anything that the adversary has successfully hidden”—or more colloquially, the absence of evidence is not evidence of absence. If we are unsuccessful in uncovering an implanted compromise, is it because no adversary planted one or because an adversary implanted it so cleverly that our techniques were unable to detect it? Those in the intelligence community are quite aware of this analytical problem, and a risk-management strategy driven primarily by intelligence community concerns would focus on adversary intent and capabilities, essentially dismissing the fact that “nothing bad has been found.”

Perhaps more to the point is that vulnerabilities have been found in Huawei equipment and the Huawei response has been deemed wanting. For example, the Register noted that in 2013 Huawei was notified of a firmware vulnerability in certain broadband gateways that could be exploited by adversaries to gain remote access. Though Huawei reportedly patched the vulnerabilities in the specific devices mentioned in the notification, other gateways in the same series using the same firmware were not patched. When the vulnerabilities were rediscovered in those other devices some years later, Huawei then patched them.

Information technology products and services contain vulnerabilities—with respect to that reality, Huawei is really no different from any other technology vendor. Whether the failure to patch a known vulnerability demonstrates a deliberate attempt by Huawei to render certain devices vulnerable is impossible to know, though I am inclined not to believe it. But the delay in patching the other devices does suggest a Huawei failure to address cybersecurity vulnerabilities aggressively, a point consistent with the Huawei Cyber Security Evaluation Center Oversight Board’s 2019 reportdiscussing “serious and systematic defects in Huawei’s software engineering and cyber security competence.”

As for inspections and testing of Huawei equipment to be deployed, such activities could raise confidence in the integrity of such equipment. Nonetheless, no reasonable amount of system testing can prove that the system is free of defects (e.g., security vulnerabilities, software bugs). Testing offers evidence that a system meets certain requirements (e.g., produces certain outputs when given certain inputs), but it is impossible to demonstrate that the system will not also do something undesirable.

A more important point is that with software and firmware updates, the functionality of any system running that software or firmware need not be identical to that which was in place before any given update. Indeed, if the system’s behavior were absolutely identical in all possible circumstances, the update would be entirely superfluous. So an inspection of “the system” at a moment before the update may not be particularly relevant to its behavior after the update.

In a world of unconstrained resources, it is possible to inspect and test every update that Huawei offers. But we don’t live in that world; moreover, whether such inspection would be adequate to provide well-founded assurances that nothing is amiss is a different and unresolved question. Also, even if such inspections did occur, they would take time, thus delaying the deployment of updates—and in the vast majority of cases, those updates would be benign and indeed necessary to fix bugs and patch security vulnerabilities. Thus, patch inspection and testing would have to be done after deployment. Assuming that a flawed (or vulnerable) patch had been installed, it would then have to be removed.

The anti-Huawei argument has some substance to it. Even stipulating that Huawei equipment has never been shown to be compromised and that Huawei installations would not be compromised in any way, the undeniable fact remains that Huawei is subject to Chinese law requiring Chinese organizations or citizens to “support, assist, and cooperate with state intelligence work.” On Feb. 20, the CEO of Huawei assertedon CBS This Morning that “we absolutely never install backdoors. Even if we were required by Chinese law, we would firmly reject that.” Such a claim would more believable if Chinese law made provisions for the appeal of such requirements to an independent judiciary, but to the best of my knowledge, the Chinese judiciary has never ruled against the Chinese Communist Party. (Of course, the history of U.S. government influence, both attempted and actual, over other global suppliers of technology products could also give pause to those contemplating such acquisitions.)

But the anti-Huawei argument is also misleading because it does not acknowledge possible risk-mitigation measures that could be taken should Huawei technology be adopted. In practice, the cybersecurity risks posed by embedded Huawei technology fall into the traditional categories of confidentiality, integrity and availability. Concerns about the compromise of data confidentiality and integrity can be addressed using known technical measures, such as virtual private networks (VPNs) and end-to-end encryption. Indeed, such measures are widely used today in securing confidential communications that take place over insecure channels. Concerns about availability are harder to address, because nothing prevents the vendor from installing functionality that will disrupt or degrade the network at a time of its choosing; the only known solution to the loss of availability (i.e., turning off the network) is backup equipment from a different vendor that can be used in an emergency.

All of these measures would add initial and ongoing inconvenience, complexity and expense to a decision to acquire Huawei technology. Ensuring end nodes are properly configured to use secure encrypted channels even on internal networks is hard to do under the best of circumstances. (Note that in the internet-of-things world that 5G technology is expected to support, internet-of-things devices serving as end nodes would have to be configured in just such a way—and would thus be more expensive than the same devices without such configuration.) Network segmentation becomes even more important in such an environment, although it is something that should be done in any case. Maintaining user discipline to take the necessary measures to operate safely is challenging as well. Backup channels entail extra expenditures, but presumably one would need backup channels only for critical functions. Thus, backup channels would be deployed less extensively than the full-blown network. Functionality limitations of backup channels would be relevant only in times of crisis or conflict. Under normal “peacetime” circumstances, the Huawei 5G could be expected to provide all of the necessary functionality.

By omitting any mention of risk-mitigation measures and their incremental costs in currency, convenience and complexity, the canonical anti-Huawei argument is overly simplistic, as it reduces the question simply to whether Chinese technology can be “trusted” given the Chinese government’s power over Chinese companies. In practice, the incremental costs of risk mitigation may be high enough to render Huawei technology uncompetitive, though on economic grounds rather than policy grounds.

Cognizant of their willingness to accept risk, policymakers should be weighing these costs against other considerations such as price, speed of deployment and functionality where Huawei technology might have an advantage over other vendors—and that comparison could reasonably go either way. The calculation is more complex but more accurately reflects the dilemma faced by policymakers. Reframing the debate in terms of the costs of risk mitigation would also have the salutary benefit of highlighting possible defects in Huawei’s underlying engineering and quality-control processes for all potential customers and giving those potential customers courses of action to mitigate risk should they decide to acquire Huawei technology.

No comments:

Post a Comment