Huawei risk can be managed, say UK cyber-security chiefs (bbc.co.uk)
35 points by gadders 32 days ago | hide | past | web | favorite | 56 comments



This is interesting. What this says to me is that the UK is essentially saying to China "Yeah we'll play your game". They're expecting some sort of attack, but they reckon that they've got the capability (at GCHQ or wherever) to counter that, and possibly turn the tables by feeding back counterintelligence.

It could potentially be a good book in 1-200 years' time once all this is declassified.


Or, could it be possible that they audited the code and found no backdoors or security issues? Now that would be crazy! /s


On that note, backdoors would either be hidden in proprietary apps, or delivered through OTA updates. Maybe a mix of both. I'd be interested in a diff of stock binaries vs recompiled "source" binaries to see if they differ significantly enough.


Not really. The public reports detail the altogether deficient way the hardware and software is being developed and manufactured. Huawei know what they are and have failed to improve (much) over the past few years.


Years ago someone was telling me about the GCHQ facility at Martlesham Heath that was reverse-engineering all the incoming kit for use by BT. I think that pre-dated the Huawei Cyber Security Evaluation Centre in Banbury. HCSEC is a bit odd, it seems to be a joint venture between the fox and hens to guard the henhouse.


Everyone expects attacks from everyone else... And conducts attacks on everyone else.


Some context for those unfamiliar: Huawei and the UK government set up the “Huawei Cyber Security Evaluation Centre” to review Huawei device inner workings and updates before deploying in the UK.

Despite this, it sounds like the UK is still removing Huawei devices from the most critical areas of their networks.


The way I heard it is that the U.S. could not domestically provide an off the shelf end-to-end 5G solution. In addition, Huawei had at some point declined to install NSA backdoors. This was essentially the backdrop that led to Huawei being tarred and feathered.


> The way I heard it

> In addition, Huawei had at some point declined to install NSA backdoors

I think a statement like this needs some corroboration beyond word of mouth.


Not GP, but I, too, find it suspicious that e.g. Cisco, a direct competitor to Huawei, gets caught with yet another new backdoor almost monthly[1], and apparently the US administration has no qualms with buying Cisco hardware or with Cisco continuing to sell insecure hardware worldwide.

[1] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...


I suspect the U.S. government prefers "these guys might suck, but at least they're our guys" as a threat model when the alternative is essentially a state-owned enterprise taking orders from one of America's largest geopolitical foes.


Huawei is an employee-owned company, no state involved.


I know Huawei isn't literally a SOE (as far as we can tell, anyway) but it has long-standing ties to the PLA, and the stark reality of modern-day China is that every large corporation in the country is effectively subservient to the CCP.


In the words of British Telecom's Chief Architect, "There is only one true 5G supplier right now and that is Huawei -- the others need to catch up."

https://www.lightreading.com/mobile/5g/bts-mcrae-huawei-is-t...


I don't see what that has to do with the alleged NSA backdoors.


NSA backdoors in Huawei gear?! Now this is something new...


If you take a look at the GP's statement, it included an alleged refusal by Huawei to install NSA backdoors. That's the part of the statement I'd like to see further qualified, because I think it deserves it.


> I think a statement like this needs some corroboration beyond word of mouth

I'd like to see that same standard applied to the initial allegations against Huawei. Still no proof that they've done anything wrong.


The question is not whether they've done anything wrong yet. The question is what they will do if Xi Jinping orders them to deploy a backdoor.


It is however, a mindless equivocation.


Aren't most of the alternatives to Huawei EU companies? e.g. Ericsson, Nokia? If they are acknowledging there is a risk, why not buy from them instead?


Two things I have seen mentioned from industry people: Huawei is a lot better in R&D (uses more money than Apple) and getting some feature you want deployed is easier and faster. Secondly, Huawei is not only cheaper but also higher quality.

I know this doesn't fit with the witch hunt on Chinese companies the US is running but there you have it.


Not only that, they also heavily benefit from the R&D done at other companies. Add in generous subsidies from their parent government and you have a very attractive commercial offering, certainly.

Indeed, this kind of money is rarely invested without a known, outsized, expected return and, in this, I seriously doubt Huawei and their owners are lacking in intelligence. I mean, who do we think they are - Winnie-the-Pooh?


Not only that, Boeing and Airbus also heavily benefit from the R&D done at other companies. Add in generous subsidies from their parent government and you have a very attractive commercial offering, certainly.

Indeed, this kind of money is rarely invested without a known, outsized, expected return and, in this, I seriously doubt Boeing and Airbus and their owners are lacking in intelligence. I mean, who do we think they are - Winnie-the-Pooh?


Power is as power does, or so I've been told.


Contrary to popular belief, Huawei isn't some big evil entity more or less under the thumb of the Chinese state. It is owned by 80,000 of their own employees.


Hey now, I never said anything about them being evil or being under the thumb of their government. Why do you think I did?


> Two things I have seen mentioned from industry people: Huawei is a lot better in R&D (uses more money than Apple) and getting some feature you want deployed is easier and faster. Secondly, Huawei is not only cheaper but also higher quality.

So much for China being inferior copycats then...


Probably costs more and after the recent cell network outage here, caused by a certificate failure, I think they prioritise availability over absolute security. Huawei seem to produce some half decent stuff aside from the security issue.


It's also a message to those EU companies they need to remain price competitive. You can surely get a better deal if you have Nokia and historically-cheap Huawei battling for your order.


The thing is this isn't cheap Chinese gadgets. The main thing I see mentioned is that Huawei is years ahead. Being cheaper is just icing on the cake. Huawei spend a lot more on R&D than the competition.


Oh no, I was thinking about IP infrastructure. Core/edge routers and the like. I don't see any technological advantage they have in that market but I could be wrong as I have not seen any product comparisons in a while. As I understood it, their wins are due to their pricing.


There is always a risk from buying technology from suppliers you have no full control over.

This is Brexit. The UK is trying not to depend on the EU too much either and are actively trying to diversify.


Are you claiming security policy is being driven by a need to pull back from the EU? Who do you know at GCHQ?


I am claiming that the UK has to be realistic.

The whole security story around Huawei is largely overblown and driven by the US's increasing realisation that they won't be the undisputed top dog for long.

The UK is not in that situation. They are a medium power leaving the largest trading bloc in the world and they need China. As such they need to be realistic when assessing risk and have a pragmatic approach.


Overblown?

Does anyone seriously believe that if Xi Jinping orders Huawei to deploy a backdoor, they will resist?


As I mentioned in another comment this is a risk that exists for every supplier that you haven't got full control over.

As someone else further mentioned, the UK has set up an evaluation centre with Huawei where GCHQ experts check Huawei products before deployment.

Again, let's not pretend that the US are in good faith here even if security should of course always be considered. This is an obvious FUD campaign to slow the rise of a new superpower and of a major competitor in a sensitive industry.


It's disingenuous to pretend there's no difference between suppliers operating under the Chinese dictatorship and suppliers operating in Western countries with strong rule-of-law traditions. Even National Security Letters in the USA can be challenged in court.

It also matters what you think of the governments that are potentially exerting control. China is way down the list of governments I'd like to have access to critical infrastructure.

I can't tell what HCSEC thinks they're doing. Plenty of security research shows that in reality skilled engineers can plant backdoors no-one can find, especially at the hardware level. Apparently most HCSEC staff are Huawei employees so they don't exactly have an incentive to find backdoors. It sounds like a joke.


The practical difference between being spied on by the Americans or the Chinese seems pretty slight to most countries; this 'rule of law' jazz doesn't really apply for foreigners. Chinese might be more likely to conduct industrial espionage, but the Americans are more likely to bomb a given country. Both seem to be comfortable in-principle with snatching foreigners in foreign countries (although I think China has tended to target ex-Chinese nationals so far).

The real issue is that the UK is part of the 5 Eyes, so it has a special reason to be happier about being spied on by Americans.


> suppliers operating in Western countries with strong rule-of-law traditions

Get off your high horse a bit. Any moral credit the US had was blown off the face of the earth with the Snowden revelations.

You probably don't understand a simple thing: for anyone outside of the US, i.e. in Europe, US vs China is not such a clear cut. There is a tremendously long list of things the US messed up in the last 70 years and poured oil-tanker-sized amounts of evil into this world, and the consequences are and will be felt for decades to come. No slowing down in sight either.


> As someone else further mentioned, the UK has set up an evaluation centre with Huawei where GCHQ experts check Huawei products before deployment.

This betrays an incredible lack of foresight. Denying updates to products to evaluate in the first place is itself a point of serious potential vulnerability.

> Again, let's not pretend that the US are in good faith here even if security should of course always be considered. This is an obvious FUD campaign to slow the rise of a new superpower and of a major competitor in a sensitive industry.

You're making this about the US when it doesn't have to be. That was the point of my comment: the UK has options that don't have anything to do with the US or China. I cannot believe that you genuinely view the risks of dealing with Sweden (Ericsson) or Finland (Nokia) and China for such sensitive infrastructure as comparable. I must have missed the Swedish hacking campaign of companies and governments worldwide for the last 10 years...


> This betrays an incredible lack of foresight.

No, this is an agreement to build an acceptable way forward for both sides by addressing issues (real or perceived).

> You're making this about the US when it doesn't have to be.

The whole campaign against Huawei has been launched and is led by the US.

This is where the noise comes from and this has made dealing with China more difficult for the UK because of that noise in the media.


How does one manage a closed source binary with a backdoor in it in one's network equipment?


Probably by deploying another closed binary from a US supplier to "monitor" it.


CSEC has access to the code that runs on Huawei's kit. Huawei is required to have reproducible builds to show that the code running in the network is exactly the same as what was vetted by CSEC.


Which provides exactly no protection against hardware backdoors.

HCSEC had 30 staff in 2015. Are they claiming to have done a line-by-line audit of all Huawei's code by now?


Obviously software build reproducibility

“Huawei is required to have reproducible builds”

doesn’t protect from hardware backdoors. That solution is the proper solution to the software backdoors, again:

“the code running in the network is exactly the same as what was vetted by CSEC.”


I know it's obvious. The point is that some tens of HCSEC staff (mostly Huawei employees) thoroughly "vetting" tens of millions of lines of Huawei code for backdoors would prove nothing, even if it wasn't ludicrous, which it is.


> would prove nothing

It could surely prove something: those are reproducible builds. That means you can prove after some breach is detected that it originates from the given sources, if it is so. That in turn means that if something happens it won’t be Huawei employees who would investigate these sources. I’m sure that once a company offers the sources like this the company itself won’t plan to mess with the sources. Because then the unwanted intervention can be proved.
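The check that the comments above describe (deployed code must hash-match the build the evaluation centre vetted) looks roughly like the following. This is an added illustration, not code from the thread or from HCSEC; the file trees, paths and contents are constructed samples, and per-file SHA-256 stands in for whatever digest a real reproducible-build manifest would carry.

```python
import hashlib
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes; stands in for the digest of a reproducibly built artifact."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the file tree the evaluation centre vetted, keyed by path.
VETTED_FILES: Dict[str, bytes] = {
    "bin/ran_ctrl": b"ran controller build 1.2 (vetted)",
    "lib/libtls.so": b"tls library build 1.2 (vetted)",
    "etc/node.conf": b"ota_updates=disabled\nmgmt_iface=eth1\n",
}
# The manifest is what the centre records for later comparison: path -> vetted hash.
VETTED_MANIFEST: Dict[str, str] = {p: sha256_hex(b) for p, b in VETTED_FILES.items()}

# Constructed sample: what is actually running on a deployed node. One file drifted
# from the vetted build and one file exists that the vetted build never contained.
DEPLOYED_FILES: Dict[str, bytes] = {
    "bin/ran_ctrl": b"ran controller build 1.2 (vetted)",
    "lib/libtls.so": b"tls library build 1.2 (vetted)",
    "etc/node.conf": b"ota_updates=enabled\nmgmt_iface=eth1\n",
    "bin/diag_agent": b"not part of the vetted build",
}

def compare_to_manifest(manifest: Dict[str, str], deployed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path as matching, modified, missing or unexpected relative to the manifest."""
    report: Dict[str, List[str]] = {"matching": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in sorted(manifest.items()):
        if path not in deployed:
            report["missing"].append(path)          # vetted file absent on the node
        elif sha256_hex(deployed[path]) == expected:
            report["matching"].append(path)         # byte-identical to the vetted build
        else:
            report["modified"].append(path)         # present but drifted from what was vetted
    for path in sorted(deployed):
        if path not in manifest:
            report["unexpected"].append(path)       # never vetted at all
    return report

def image_is_vetted(report: Dict[str, List[str]]) -> bool:
    """True only when nothing drifted: no modified, missing or unexpected files."""
    return not (report["modified"] or report["missing"] or report["unexpected"])

if __name__ == "__main__":
    rep = compare_to_manifest(VETTED_MANIFEST, DEPLOYED_FILES)
    for kind, paths in rep.items():
        print(f"{kind}: {paths}")
    print("image matches vetted build:", image_is_vetted(rep))
```

Any path reported as modified or unexpected is exactly the evidence the comment refers to: a deviation that cannot be attributed to the vetted sources and so warrants investigation by someone other than the vendor.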


The UK is in the midst of Brexit and is trying to increase trade with China. In addition, the Chinese seem the only ones able or willing to supply nuclear plants to the country...

They cannot afford to fall for the US-led hysteria.


Did they also consider DoS attacks of various kinds?


Yeah. I mean one attack is eavesdropping on conversations, but almost as bad a threat would be to just remotely disable the equipment.


Looking forward to seeing Huawei OS being announced, and the backlash that is going to trigger across the whole world.


Huawei already has an OS for IoT applications: https://en.wikipedia.org/wiki/LiteOS



"Managed" by who exactly?



