Huawei brandishes cybersecurity credentials in a bid to ease concerns
Europe is an important market for Huawei's 5G ambitions, but the company's roots in China continue to be a sticking point
Entering Huawei Technologies’ cybersecurity transparency center in Brussels, visitors could be forgiven for thinking it is a large exhibition facility.
The ground floor of this two-story center is replete with wood laminate flooring and clean white walls rigged with multiple screens, flashing slogans from PowerPoint slides such as “5G is a shared responsibility” and “A strong ecosystem is our best protection.”
“The center is how we demonstrate openness, where we show our security approach strategy, research, Huawei’s software and hardware product development, and our supply chain,” said Marco Men, a senior security solution architect who regularly guides visitors through the exhibition. Visitors are also able to view flowcharts of Huawei’s product development and security testing processes.
The facility, which was opened in March last year, is one of six cybersecurity centers established by Huawei, the world’s largest telecommunications equipment supplier. These centers engage with the Shenzhen-based company’s client network operators, lawmakers, regulators and the media to show the security of its products.
That task has become increasingly important amid a deterioration in relations between the US and China. Since 2017, their ties have frayed amid heightened trade tensions, military showdowns and diplomatic rows. The US has also pursued an international campaign to discredit the integrity of Huawei gear, which Washington sees as a conduit for Chinese intelligence-gathering activities. Privately-held Huawei has repeatedly denied such accusations.
The stakes are high for Huawei to bolster its cybersecurity credentials amid the global roll-out of 5G mobile networks. With peak data rates up to 100 times faster than what current 4G networks provide, 5G has been held up as “the connective tissue” for the Internet of Things, autonomous cars, smart cities and other new applications, providing the backbone for the industrial internet.
Burnishing those credentials has become more crucial for Huawei in Europe, which represents the company’s biggest overseas market – accounting for about 30% of its annual revenue and where a large chunk of its 91 5G network projects as of February are located. Gaining support from major economies, like Germany and the UK, is vital for Huawei to further expand its business on the continent.
Ren Zhengfei, founder and chief executive of Huawei, pointed out Europe’s broader importance to the global technology industry in a recent interview with the South China Morning Post.
“Europe was the first to set cybersecurity standards, including the General Data Protection Regulation (GDPR)… When everyone abides by the GDPR, sooner or later cybersecurity won’t be an issue,” Ren said.
Much of the GDPR, which took effect on May 25, 2018, is lifted directly from the European Union’s legislation on Data Privacy: The Data Protection Directive – regulating the processing of personal data within its member countries – that was adopted in 1995, according to think tank the EUGDPR Institute.
“If we can completely meet Europe’s high standards… then our ability to serve humankind will increase significantly,” Ren said. “We believe the global community will reach a consensus on cybersecurity and privacy protection.”
China’s success in 5G is also expected to improve its tech industry’s bargaining power with foreign patent holders, which would help lower costs for domestic telecoms gear makers, chip companies and other enterprises in the supply chain. Huawei and crosstown rival ZTE Corp lead the country’s 5G research and development efforts.
The US government, however, has made those ambitions more difficult for China to achieve. In May last year, Washington added Huawei to a US trade blacklist, which restricts the company from buying hardware and software from American hi-tech suppliers, because of national security concerns.
Upping the ante, the Trump administration implemented a federal ban on the use of Chinese telecoms products. The US also stepped up efforts to convince US economic allies that deploying Huawei 5G gear could put their national security at risk. There was pressure put on its Five Eyes intelligence allies – the UK, Canada, Australia and New Zealand – to exclude Huawei from 5G roll-outs.
Those actions by the world’s largest economy opened up opportunities to Huawei’s main rivals. Still, Sweden’s Ericsson and Finland’s Nokia – with 86 and 69 5G network deals, respectively – remain behind Huawei in the 5G market.
Critics of Huawei and Beijing often point to China’s national security law, which obliges companies to support the central government’s intelligence activities. Huawei has categorically denied links with China’s intelligence agencies and having back door systems in its equipment for spying. Ren had earlier said he would rather shut down the company than put at risk the security of its clients.
“We don’t have any malicious intentions,” Ren told the Post last month. He said European network operators working with the company for more than 10 or 20 years “have gained a deep understanding of Huawei through years of cooperation, and know that we have no security issues.”
Huawei posted record revenue of 858.8 billion yuan (US$121 billion) last year, despite pressure from the US. The company, however, cautioned about its 2020 outlook amid the coronavirus pandemic.
Cybersecurity is currently a hot-button issue for Germany as it decides on equipment for its 5G networks. German Chancellor Angela Merkel – without naming Huawei – has publicly expressed a reluctance to exclude specific suppliers from the country’s 5G infrastructure.
By contrast, some lawmakers from Germany’s two largest political parties – the Christian Democratic Union and the Social Democratic Party (SDP) – believe that domestic network operators should exclude 5G gear suppliers who could be influenced by a “foreign state.”
5G is expected to be a crucial backbone for German industries, which means such infrastructure must be protected from espionage and sabotage, according to SPD lawmaker Falko Mohrs in an interview. He is a member of the Bundestag, the German federal parliament.
“One of the criteria that is important for us is that we do not want suppliers from countries that do not have the rule of law,” Mohrs told the Post. He said the Communist Party of China, the country’s sole governing party, runs an authoritarian regime.
“Based on that criteria, suppliers from China will have trouble [becoming trusted 5G equipment vendors] because they would need to abide by Chinese law and cooperate with national security institutions and so forth,” Mohrs said.
His concerns echo those made earlier by western intelligence authorities. Bruno Kahl, president of Germany’s Federal Intelligence Service, told lawmakers in October last year that Huawei could not be “fully trusted” because it had a “very high level of dependence on the Communist Party.”
Despite that harsh rhetoric, major European economies have let Huawei take part in their 5G networks.
“Many of these people speaking out against Huawei do not have much technical background, they cannot even identify the different components of a network,” said David Wang, chief representative of Huawei Germany. “But they still have the right to comment publicly – and sometimes very loudly.”
In January, the UK approved limited use of Huawei gear. Without naming Huawei or ZTE, the UK said “high-risk vendors” would be excluded from the sensitive “core” parts of the country’s 5G infrastructure.
The “noncore” area in which Huawei can take part covers radio access network (RAN) gear, which comprises the mobile base stations that connect smart devices to the broader telecoms network. RAN represents the largest segment of a mobile network roll-out, as multiple base stations must be installed for full coverage in every location.
The EU later in January released a “toolbox of measures” with commonly agreed guidelines to help member countries establish 5G equipment procurement policies. It does not suggest a ban on Chinese 5G gear. Member countries have until April 30 to implement their policies.
Hosuk Lee-Makiyama, director of Brussels-based think tank the European center for International Political Economy, said the issue over Chinese 5G gear is complicated by a disparity in relevant telecoms security assets in the EU.
“In my view, only France has the same resources and cyber capabilities as the UK among the EU countries,” Lee-Makiyama said. “Most countries will find it easier to just rip and replace Huawei equipment than uphold costly countermeasures.”
For years, Huawei has invited regulators and various telecoms industry players to review its products for security vulnerabilities. These are now mostly done at its cybersecurity centers.
In the UK, the Huawei cybersecurity evaluation center oversight board – a partnership between the company and the British government – jointly runs the cybersecurity center in Banbury, about 103km northwest of London. It provides the benchmark for evaluating gear from Huawei, which first set up offices in the UK in 2001.
This oversight group has annually released a report of its activities, including rigorous tests done on the company’s hardware and software. Its latest report, published in March 2019, said “further significant technical issues have been identified in Huawei’s engineering processes,” which could lead to new risks in the country’s telecoms networks.
The oversight board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK,” the report said. The board added, however, that it “does not believe that the defects identified are a result of Chinese state interference,” indicating that these cover basic engineering competence and cybersecurity hygiene.
At the cybersecurity centers, testing is done out of the public view by technical experts, including those from carriers and regulators, to check on Huawei’s software engineering and cybersecurity competence. The UK’s National Cyber Security center, the authority for information assurance, also visits Huawei offices in Shenzhen and Shanghai to discuss technical issues.
Walter Haas, chief technology officer at Huawei Germany, said the company’s track record shows that it has not lost any client because of cybersecurity issues. He said telecoms carriers thoroughly test and verify equipment for one to two years before committing to a supplier.
“They’re not giving us market share because we’re nice… or cheap,” said Haas in an interview at Huawei’s offices in the western city of Düsseldorf. “Do you really believe that network operators, in this very competitive environment, will put [middling] technology into their network, for an investment cycle of eight to 10 years, because it’s cheap?”
Huawei is adamant that its products – including smartphones under its consumer business – are safe, and that Washington prove its accusations about spying.
Security vulnerabilities are inevitable, largely because software code is written by humans who will make mistakes, according to Lu Chuanying, secretary general of the Cyberspace International Governance Research Center at the Shanghai Institute for International Studies.
“Therein lies the issue – are these issues and security flaws subjective or objective?” Lu said. “Here lies the biggest dilemma, because no matter which supplier – whether Huawei or others – no one can say with certainty that their products are definitely safe.”
Since there is no universal standard to measure the security of telecoms equipment, that makes it difficult for companies to absolutely guarantee the security of their products. As such, weaknesses are interpreted differently by various parties.
“It’s like this – if my friend is holding a knife, I might think he’s planning to chop up some vegetables,” said Lu. “But if it were my enemy holding a knife, I might assume he’s planning to stab me.”