This week at Mobile World Congress (MWC) in Barcelona, Spain, Huawei's chairman Guo Ping deflected recent criticism his firm has received over security flaws and backdoors in its products. Guo immediately turned his ire on America and the National Security Agency (NSA) and its program called PRISM. This NSA program allowed the agency to access highly sensitive stored documents, emails, photographs, and data from major companies. Further, it was discovered that leading platforms like Google, Facebook, Yahoo, YouTube, Skype, PalTalk, etc. all provided the NSA with direct access to their users' information in exchange for immunity from future prosecution. Guo Ping rightfully denied that Huawei ever had backdoors in its products. He suggested these allegations were due to the company's tremendous investment in 5G R&D, arguing that Huawei should get a pass. When it comes to security, though, nobody gets a pass. Further, recent arrests of key employees, including the daughter of Huawei's founder (who is also its CFO), have increased scrutiny and speculation about the company's nefarious intentions.
For countries, proactive incident response helps mitigate overall risk
All countries have spy agencies, and those organizations rely on data and intelligence to be effective. Reverse engineering, social engineering, malware and viruses, and phishing schemes are all useful tools for agencies to target specific users and gain access to sensitive data or critical infrastructure. Exploiting backdoors and packet sniffing are much more difficult and tend to produce random results. That said, from a cyberwarfare perspective, a top goal for most nation-states is to have a "killswitch" to stop security incidents and Internet traffic from hostile nations they are in conflict with. Ukraine is an excellent example of what happens when a country is ill-equipped to stop cyber-aggression. It is virtually impossible to build a hack-proof network; however, organizations can employ practices to mitigate the damage caused by hackers during a breach. Case in point: network equipment vendors have a responsibility to deploy solutions that are secure and uphold industry standards for data protection and integrity, such as the Network Equipment Security Scheme (NESA) spearheaded by the GSMA and 3GPP. Carriers and service providers have even more responsibility to deploy proactive security measures to safeguard the flow of traffic through their networks. Even if there are security vulnerabilities in the networking equipment, a proactive incident response program can reduce the threat and the attack surface.
Is there such a thing as "manageable risk" in cybersecurity?
Claims and subsequent action by the United States and other countries have put Huawei, Supermicro, and ZTE under a negative spotlight, and the effects have been damaging from a revenue, brand, and loyalty perspective. Although the UK's National Cyber Security Centre (NCSC) deemed Huawei a "manageable risk," these companies will be challenged to regain their credibility and reputations in the security industry. Although it is nearly impossible to prove the claims against each company, the situation does force every equipment vendor to determine which side of the fence it is on, and it may incentivize the industry to make meaningful long-term changes and safeguards, especially as 5G becomes a reality. While these companies are on their heels, rivals like Cisco, Ericsson, Nokia, etc. have a healthy competitive opportunity to grow market share. However, as a wise person once said, "what comes around, goes around": it will be easier for the industry to take care of itself before clueless bureaucrats and politicians do it for them. Since Huawei has established itself from a 5G perspective, it could also take a market leadership role in de-stigmatizing the security of Chinese-made equipment. Additionally, it could work with the industry to set meaningful standards for security before someone does it for them. This will help not only Huawei, but also its Chinese counterparts and the industry as a whole.