Published: 01 May 2019
Huawei Technologies Co. Ltd. brought the battle over U.S. security concerns to the American courts in early March 2019, as the China-based tech giant filed suit alleging that the U.S. government's restrictions on buying its goods is unconstitutional.
The lawsuit, filed in the U.S. District Court in Plano, Texas, takes aim at the 2019 National Defense Authorization Act, which prohibits federal agencies and contractors from buying equipment from Huawei as well as several other Chinese firms. U.S. officials assert that the Chinese company poses a national security threat, which is why they instituted the Huawei ban. In March 2019, a British government watchdog group found exploitable "defects" in Huawei's software and security.
Huawei denied the allegations both publicly and in its lawsuit.
Huawei's lawsuit is the latest move in a growing international dispute that has the potential to affect the future of 5G worldwide, the technology strategies of enterprises around the globe and the security posture of organizations using Huawei equipment.
Granted, the geopolitical elements surrounding Huawei are beyond most CISOs' conventional areas of concern. But experts said CISOs should nonetheless pay attention to this specific case and the larger issues at play, as those issues will likely affect their security decisions moving forward.
More specifically, experts said the concerns about Huawei equipment are a reminder that vulnerabilities and threats can come from anywhere -- including vendors and a company's supply chain -- so CISOs should be prepared with governance programs and layered, nimble security policies that reduce even those kinds of risks.
Huawei ban: Accusations and the company's defense
Huawei is headquartered in Shenzhen, China, and has a broad portfolio of products that makes it one of the biggest tech companies in the world.
Although not well known in the United States, it's one of the dominant players in many geographical and vertical markets. For example, research firm IDC said it saw strong sales of Huawei's smartphones last year, with 2018 volumes up 33.6% over the prior year. And IDC research found that Huawei is one of the most popular phone brands in the world, second to Samsung and ahead of No. 3 Apple.
Huawei is also a leading maker of cellular infrastructure equipment and, now, 5G technologies. And it sells enterprise products -- hardware, software and services.
However, government officials in the United States and elsewhere have raised Huawei security concerns, especially about its 5G offerings. They charge that the company is a proxy for the Chinese government and could use its equipment to spy and steal information.
The United States also alleges that Huawei employees have stolen American technology, and it's now seeking the extradition of Huawei chief financial officer Meng Wanzhou after her arrest in Canada in December 2018, on allegations that she helped the company get around the U.S. sanctions against Iran.
Australia, Japan and New Zealand have also banned use of Huawei's products; Canada debated a possible Huawei ban and, along with Germany, is planning to tighten security standards for data networks in a way that will affect Huawei products. However, in a surprise decision, U.K. Prime Minister Theresa May decided in late April 2019 to allow Huawei 5G products, over objections of many in the British security community.
Huawei countered the U.S. accusations, with Song Liuping, the company's chief legal officer, calling them "numerous false, unproven and untested propositions" when announcing its lawsuit. He continued: "Huawei is not owned, controlled or influenced by the Chinese government. Moreover, Huawei has an excellent security record and program. No contrary evidence has been offered."
John Suffolk, Huawei's global cybersecurity and privacy officer added: "At Huawei, we are proud that we are the most open, transparent and scrutinized company in the world. Huawei's approach to security by design development and deployment sets a high standards bar that few can match."
Proliferation of 5G
The brouhaha over the Huawei ban and the security of Huawei's 5G products comes at a pivotal time.
The rise of the internet and wireless technologies over the past two decades enabled billions of people around the world to become connected, but the next 20 years will see billions of things -- from autonomous vehicles to household refrigerators to manufacturing equipment -- become connected.
The internet of things requires a faster, more powerful telecommunications network, a demand that's driving the move from existing fourth-generation technologies to the fifth generation, or 5G. Telecommunications companies in Europe and other regions have relied heavily on Huawei technologies up to build up their 5G capabilities. U.S. telecommunications carriers, however, don't use Huawei 5G components, relying instead on products predominantly from Nokia and Ericsson, said Emanuel Kolta, an analyst with ABI Research's 5G and mobile network infrastructure research service.
As most CISOs aren't building out their own 5G networks, they're largely relieved of having to sort through the politicking over the Huawei ban and the company's 5G technologies, said Mark Hung, a former Gartner analyst focusing on 5G and IoT. "This is pretty much out of their hands," he said.
Huawei isn’t the first foreign tech company to face suspicions over its security. Kaspersky Lab, the Moscow-based antivirus maker, similarly came under scrutiny in 2017, and the U.S. passed legislation that year banning the use of Kaspersky products within the federal government.
The Kasperky products ban came after officials voiced concerns that the Moscow-based antivirus company could be vulnerable to influence and directives from the Russian government. Kaspersky Lab denied the charges, saying it has no ties to any government and would not aid any government with cyberespionage. It unsuccessfully tried to fight the ban in federal court.
Given the similarities in issues surrounding Kaspersky and Huawei -- and the possibility that new concerns will arise in the future against more tech companies based in China, Russia and other countries flagged by the United States for their cyberespionage -- experts said CISOs need to consider how the concerns around Huawei fit into the big picture.
"Some foreign tech companies are partially owned or influenced by their governments, and we know that some of these foreign governments have been accused of state-level cybersecurity offenses or are sponsors of hacking," said Syed Ali, a vice president at Bain & Co. and co-head of the firm's global cybersecurity advisory services. "If we assume those states are guilty, we can infer that the products of any tech companies they partially own or support could be compromised. Those companies could allow back doors to be incorporated into their technology, and those back doors could allow access to any data or the environments where they are deployed.
"So back doors are a concern for those reasons, and the other concern is the tech companies would allow, or have access to, sensitive data if a device is sent back for warrant or at end of lease," Ali said.
Although many organizations aren't buying Huawei's 5G telecommunications equipment, experts pointed out that they may indeed be buying other Huawei products as they upgrade their own infrastructure to prepare for broader 5G availability.
Ali said CISOs are thus asking about whether such purchases open up new security risks. "CISOs are concerned that they could potentially be opening up themselves to back doors right out of the box," he said. Ali added that CISOs are asking how they can be assured that there's no malicious code in the products they're buying or in any over-the-air updates.
Focus on security program
Ali and others said the news surrounding Huawei security concerns is a reminder for enterprises to have strong procurement policies and cybersecurity programs to ensure vendors don't compromise them. "CISOs still have to do their validation and testing," he said. Ali also noted that CISOs should develop security protocols that factor in the sensitivity of the data that any given system handles.
Many companies, however, haven't matured their security practices far enough to put such elements into place, experts said, although the current news should be pushing more CISOs to mature their security programs.
"As it relates to Huawei, this is good in terms of really putting a spotlight on potential security risks within any telecommunications equipment and showing that any additional scrutiny is good," Hung said.
However, CISOs face significant challenges with this approach, said Balakrishnan Dasarathy, a professor and program chair for information assurance at The Graduate School at the University of Maryland University College.
The security teams at any given organization don't have the resources to do rigorous vetting with every bit of software and hardware they deploy; they can't go through all the code to confirm there's no back door installed, Dasarathy said.
Plus, he said, vendors would have to be open to their code being examined for such vetting to even be possible.
Given all that, Dasarathy said, "CISOs would have to depend on some central agency doing this for them, because it's too much for even a bigger company to start examining vendor software."
Dasarathy said such efforts are underway, pointing to the Common Criteria international set of guidelines and specifications developed for evaluating security products as an example.
Frank Downs, director of cybersecurity practices at ISACA, an international professional association focused on IT governance, said CISOs could simply decide to ban all Huawei products. But he said that approach doesn't address the broader need to have policies that ensure all technologies coming into the organization are appropriately vetted.
"It comes down to making sure you have good policies and procedures, because anyone could put in a back door; that is a concern no matter who you buy it from," Downs said. "So the best thing you can do is take your own security steps. CISOs need to implement their own security controls and clearly and effectively communicate to all the other executives that they're doing all they can and, while nothing is perfect, that they're implementing every security control they think is appropriate."