Conflicting messages surround the push for Huawei bans, as the Czech Republic issued a warning despite a German investigation finding no evidence of malicious activity.
The Czech National Cyber and Information Security Agency (NCISA) warned against using the software or hardware of either Huawei or ZTE -- China's top two telecom equipment manufacturers. The agency concluded that Huawei presents a security threat and urged "that system administrators in the critical information infrastructure, important information systems or essential service providers are obliged to acknowledge the threat and issue adequate measures."
"The main issue is a legal and political environment of the People's Republic of China, where aforementioned companies primarily operate. China's laws, among other things, require private companies residing in China to cooperate with intelligence services, therefore introducing them into the key state systems might present a threat," Dušan Navrátil, director of NCISA, said in a statement. "We do not differentiate between state-owned or privately owned systems. Our criterion is whether or not the intrusion of a specific system would have an impact on the functioning of the Czech Republic as a sovereign state."
The warning issued by the Czech Republic on Monday contradicted statements from Germany's Federal Office for Information Security (BSI) from Friday. The BSI told Spiegel there was no evidence Huawei bans were needed after the agency examined Huawei products and source code in a testing lab in Bonn over the past month.
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., said German investigators may have been "addressing the 'would they' question, not the 'can they' question that others seem focused on."
"The wording of the German investigation is very cautious. I read it as, 'Huawei equipment is no more a threat than that of any other vendor.' That's a far cry from 'couldn't be used to spy for China,'" Williams said. "I would definitely take issue with the claim that Huawei equipment can't be used to spy for China."
A brief history of Huawei bans and fear
Although concerns about Huawei's ties to the Chinese government have persisted for years, the shift in mobile networks to 5G technology seems to have escalated the push to ban the company's products and services.
The state of Huawei bans is a little murky, because even the U.S. -- a leading voice in the effort to block the company's products -- doesn't have an official ban in place. U.S. concern about Huawei can be traced back as far as 2012, when a congressional report noted that "Huawei did not fully cooperate with the investigation and was unwilling to explain its relationship with the Chinese government or Chinese Communist Party, while credible evidence exists that it fails to comply with U.S. laws."
The Federal Communications Commission has proposed a rule that would effectively ban Huawei from selling equipment to smaller regional telecom providers. The U.S. has been attempting to influence companies like AT&T and ally countries around the world to take action, with senators sending letters urging Huawei bans to allies such as Canada.
Currently, the only countries to implement Huawei bans have been Australia, New Zealand and Japan, but none specifically named Huawei in rules that would bar the company from purchasing part of the 5G infrastructure. The U.S., U.K., Canada, Italy and India have all had discussions about potential Huawei bans, but no official actions have been taken.
Williams said the trade wars between the U.S. and China are likely fueling part of the push for Huawei bans, but the architecture of 5G networks also "makes trust in the ISP [internet service provider] backbone devices much more important" and is leading to more scrutiny over the companies allowed to provide those devices.
"I think the biggest part is that we're just now looking at how to build the 5G network. It's much easier to architect the new network with 100% trusted equipment than it is to remove untrusted equipment from an existing 4G network," Williams said. "5G offers better protection against rogue consumer devices through more decentralized identity and access management. But the decentralization cuts both ways. Today, that rogue device in a 4G network would only be involved in connecting an end-user device to the network core. In a 5G decentralized model, much more functionality is provided at the edge device itself, making the damage a rogue device can do much greater."
Tim Erlin, vice president of product management and strategy at Tripwire, based in Portland, Ore., said it shouldn't be a surprise that various governments are "taking a hard look at who has access to sensitive communications infrastructure."
"In modeling the threat posed by a specific vendor in the supply chain, each organization has to consider not only the potential threat that vendor might pose today, but the impact and likelihood of that vendor being compromised in the future," Erlin said. "Anytime there's a tight relationship between a company and a government, someone is going to question how influence might flow and what impacts that influence might have. Cybersecurity and economics are inextricably linked today, and we shouldn't expect that connection to weaken."