
Huawei risk can be managed, say UK cyber-security chiefs - gadders
https://www.bbc.co.uk/news/business-47274643
======
fredley
This is interesting. What this says to me is that the UK is essentially saying
to China "Yeah we'll play your game". They're expecting some sort of attack,
but they reckon that they've got the capability (at GCHQ or wherever) to
counter that, and possibly turn the tables by feeding back
counterintelligence.

It could potentially be a good book in 1-200 years' time once all this is
declassified.

~~~
unmole
Or, could it be possible that they audited the code and found no backdoors or
security issues? Now that would be crazy! /s

~~~
giancarlostoro
On that note, backdoors would either be hidden in proprietary apps, or
delivered through OTA updates. Maybe a mix of both. I'd be interested in a
diff of stock binaries vs recompiled "source" binaries to see if they differ
significantly enough.

------
thornjm
Some context for those unfamiliar: Huawei and the UK government set up the
“Huawei Cyber Security Evaluation Centre” to review Huawei device inner
workings and updates before deploying in the UK.

Despite this, it sounds like the UK is still removing Huawei devices from the
most critical areas of their networks.

------
tarcyanm
The way I heard it is that the U.S. could not domestically provide an off the
shelf end-to-end 5G solution. In addition, Huawei had at some point declined
to install NSA backdoors. This was essentially the backdrop that led to Huawei
being tarred and feathered.

~~~
doktrin
> The way I heard it

> In addition, Huawei had at some point declined to install NSA backdoors

I think a statement like this needs some corroboration beyond word of mouth

~~~
amaccuish
> I think a statement like this needs some corroboration beyond word of mouth

I'd like to see that same standard applied to the initial allegations against
Huawei. Still no proof that they've done anything wrong.

~~~
roca
The question is not whether they've done anything wrong yet. The question is
what they will do if Xi Jinping orders them to deploy a backdoor.

------
creato
Aren't most of the alternatives to Huawei EU companies? e.g. Ericsson, Nokia?
If they are acknowledging there is a risk, why not buy from them instead?

~~~
Dahoon
Two things I have seen mentioned from industry people: Huawei is a lot better
in R&D (uses more money than Apple) and getting some feature you want deployed
is easier and faster. Secondly, Huawei is not only cheaper but also higher
quality.

I know this doesn't fit with the witch hunt on Chinese companies the US is
running but there you have it.

~~~
justinjlynn
Not only that, they also heavily benefit from the R&D done at other companies.
Add in generous subsidies from their parent government and you have a very
attractive commercial offering, certainly.

Indeed, this kind of money is rarely invested without a known, outsized,
expected return and, in this, I seriously doubt Huawei and their owners are
lacking in intelligence. I mean, who do we think they are - Winnie-the-Pooh?

~~~
bwilli123
Not only that, Boeing and Airbus also heavily benefit from the R&D done at
other companies. Add in generous subsidies from their parent government and
you have a very attractive commercial offering, certainly.

Indeed, this kind of money is rarely invested without a known, outsized,
expected return and, in this, I seriously doubt Boeing and Airbus and their
owners are lacking in intelligence. I mean, who do we think they are -
Winnie-the-Pooh?

~~~
justinjlynn
Power is as power does, or so I've been told.

------
alt_f4
How does one manage a closed source binary with a backdoor in it in one's
network equipment?

~~~
unmole
CSEC has access to the code that runs on Huawei's kit. Huawei is required
to have reproducible builds to show that the code running in the network is
exactly the same as what was vetted by CSEC.

~~~
roca
Which provides exactly no protection against hardware backdoors.

HCSEC had 30 staff in 2015. Are they claiming to have done a line-by-line
audit of all Huawei's code by now?

~~~
acqq
Obviously software build reproducibility

“Huawei is required to have reproducible builds”

doesn’t protect from hardware backdoors. That solution is the proper solution
to the software backdoors, again:

“the code running in the network is exactly the same as what was vetted by
CSEC.”

~~~
roca
I know it's obvious. The point is that some tens of HCSEC staff (mostly Huawei
employees) thoroughly "vetting" tens of millions of lines of Huawei code for
backdoors would prove nothing, even if it wasn't ludicrous, which it is.

~~~
acqq
> would prove nothing

_It could surely prove something_: those are reproducible builds. That means
you can prove _after some breach is detected_ that it originates from the
given sources, if it is so. That in turn means that if something happens it
won’t be Huawei employees who would investigate these sources. I’m sure that
once a company offers the sources like this the company itself won’t plan to
mess with the sources. Because then the unwanted intervention can be proved.
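
The reproducible-build check discussed in this sub-thread, sketched as an added example (it is not part of any comment here, nor HCSEC's or Huawei's tooling): hash every file in the shipped image and in a rebuild from the vetted source, then report what differs. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(shipped: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Report files that exist on one side only or whose contents differ."""
    a, b = digest_tree(shipped), digest_tree(rebuilt)
    return {
        "only_in_shipped": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "differing": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def demo() -> dict[str, list[str]]:
    """Build two constructed trees: one altered file, one extra file in 'shipped'."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        files = {"bin/routerd": b"constructed-binary-A", "etc/version": b"1.0\n"}
        for root in (shipped, rebuilt):
            for name, data in files.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Constructed divergence: the shipped image does not match the rebuild.
        (shipped / "bin/routerd").write_bytes(b"constructed-binary-B")
        (shipped / "bin/updater").write_bytes(b"constructed-extra-file")
        return compare_builds(shipped, rebuilt)


if __name__ == "__main__":
    print(demo())
```

An empty report only shows that the shipped image corresponds to the vetted source; it says nothing about flaws in that source or about hardware, which is the limitation raised in the replies above.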

------
entity345
The UK is in the midst of Brexit and is trying to increase trade with China.
In addition, the Chinese seem the only ones able or willing to supply nuclear
plants to the country...

They cannot afford to fall for the US-led hysteria.

------
amelius
Did they also consider DOS attacks of various kinds?

~~~
gadders
Yeah. I mean one attack is eavesdropping on conversations, but almost as bad a
threat would be to just remotely disable the equipment.

------
skilled
Looking forward to seeing Huawei OS being announced, and the backlash that is
going to trigger across the whole world.

~~~
unmole
Huawei already has an OS for IoT applications:
[https://en.wikipedia.org/wiki/LiteOS](https://en.wikipedia.org/wiki/LiteOS)

~~~
ShorsHammer
Source code here:
[https://github.com/LiteOS/LiteOS](https://github.com/LiteOS/LiteOS)

------
arethuza
"Managed" by who exactly?

