David Sutton FBCS CITP discusses the ongoing debate surrounding the telecommunications networking company Huawei and possible espionage by the Chinese government.

Recent media articles have placed Huawei at the centre of a controversy regarding potential espionage using 5th generation (5G) mobile internet networks currently being deployed around the world. Some countries have expressed the view that the Chinese government would be making use of so-called ‘backdoors’ built into Huawei’s equipment in order to eavesdrop on the network traffic of any country whose communications service providers (CSPs) are proposing to deploy it.

Various commentators have expressed the opinion that although there is no ‘smoking gun’ providing any evidence whatsoever to corroborate this view, there nevertheless remains a great deal of distrust regarding Huawei and its links with the Chinese government.

Chinese whispers

If you take the view that, like any other telecoms equipment manufacturer, Huawei certainly has the capability to incorporate backdoors into its products - and that the Chinese government might have applied pressure on them - you could be forgiven for thinking that this fear is well-founded. However, once you realise that everything Huawei wants to sell in the 5G arena will necessarily be subjected to the closest scrutiny, you might be of a different opinion.

Huawei has stated publicly that they do not modify their equipment to incorporate covert interception - but then, even if they did, you would hardly expect them to admit it. They have even provided facilities at the Huawei cyber security evaluation centre (HCSEC) in Cambridge so that the UK’s national cyber security centre (NCSC) can evaluate the equipment to decide whether or not it presents a security risk.

It is of course quite possible that Huawei is being entirely truthful, but there still remains a lack of trust in China, especially since it was publicly accused of stealing designs for the Lockheed F-35 fighter jet some years ago - and with lawsuits currently pending in the USA.

Several countries have stated that they would not trust Huawei’s equipment, whilst others are considering their position; and some (the USA included) have absolutely refused to allow its inclusion in their critical infrastructure networks. As of March 2019, it appears that Huawei is planning to take the US government to court over this.

Covert interception

The UK has always been at the forefront of interception and cryptanalysis in order to try to keep at least one step ahead of its enemies; probably the most famous example being that of the decryption of Enigma and other even more complex cryptographic systems during World War 2.

However, in 2013, it was revealed by one of Edward Snowden’s leaks that eavesdropping had taken place on the computers and communications of diplomats visiting London for the 2009 G20 conference. Whilst some might consider it rather unsporting to spy on friendly nations as well as hostile ones, it’s actually what the intelligence services are equipped to do, so why wouldn’t they?

Lawful interception

In most countries, CSPs are required, by law, to enable the police and security services to have access to public networks as a means of undertaking surveillance. This is to assist in criminal investigations - a practice known as lawful interception - albeit under (theoretically) strict controls. The reasoning is, that this permits the identification of criminals and terrorists and helps to keep us safe and secure. Although many people take the view that this ability comes into direct conflict with the individual’s right to privacy - but that’s another debate entirely.

However, if the Chinese government wanted to conduct covert interception of the traffic from another country, it would seem perfectly logical that someone would have a ‘quiet word’ with Huawei, offering some form of incentive to include backdoors. After all, getting one’s electronic spies into another country has to be much easier when that country actually buys them in the first place.

But what if such a capability also enabled the Chinese government to filter selected information from a data stream, to alter it or to insert information of their own choosing, or even to turn the network off using a so-called ‘kill switch’? Now that would be a very powerful political and economic weapon indeed.

Managing the risk

In July 2018, the NCSC reported that it could give only limited assurances that Huawei’s UK operations posed no threat to national security. However, just eight months later, they stated that the risk was ‘manageable’. It’s therefore entirely possible that if there was a high risk, the NCSC may have identified the vulnerabilities and developed controls that they believe can either terminate the risk, or can reduce it to levels they consider to be acceptable. Alternatively, they might even have developed a means of using those vulnerabilities to their own advantage.

Sharing and caring

Three of the ‘five eyes’ - the USA, Australia and New Zealand have already decided not to permit the use of untrusted equipment in their critical infrastructure networks, and at the time of writing, Canada is reviewing its position; but the UK appears now to be cautiously in favour. If the NCSC has indeed found a way to manage the risk, one can’t help wondering whether this has been shared with the other four and if not, why not? We shall probably never know the answer to this, but it does seem odd.

Mike Pompeo, the US secretary of state was recently quoted as saying, ‘If a country adopts this [Huawei technology] and puts it in some of their critical information systems, we won’t be able to share information with them’. This potentially puts the five eyes and the UK / US ‘special relationship’ in jeopardy.

So, what’s the answer?

We seem to be left with three possibilities. The first is that this is genuinely a security issue, and that there are clear risks associated with Huawei’s equipment. The second is that this is a political issue and that the US and other governments wish to be seen to be acting with a firm hand against China. The third is that it’s an economic issue, and that the predominantly American high-end networking industry has persuaded its government to act in their favour, citing security issues as the rationale.

Your guess is probably as good as mine, but if you were to say ‘all of the above’, you might not be too far off the mark.

However, consider this: Huawei currently has less than a quarter of the market in high-end internet routers. The remainder is divided among predominantly American companies such as Cisco, Alcatel-Lucent and Avaya, so should we be concerned whether the NSA might already be doing the same as we believe the Chinese government may be planning? After all, why wouldn’t they?