One of the things I enjoy most about academia is the emphasis on intellectual freedom, even when expressing such freedom might be seen as problematic for the University’s commercial interests. Case in point: I was quoted in an article raising concerns that some universities’ contractual agreements to automatically transfer certain 5G telecommunications patents to foreign companies (based on research funded by the same companies) could be disadvantageous to domestic national security. One of the universities that is caught up in the issue is the one employing me. Despite my statements potentially being disadvantageous to my own university’s interests, there are no rebukes but, instead, praise for being involved with national issues. If only all employers could be so similarly open-minded!
While it is not exactly news that home and small enterprise routers tend to be insecure, the magnitude of the problems with Huawei’s devices was revealed at DefCon this year. Given the failure of the company’s engineers to recognize and navigate around longstanding security issues, a public accounting of Huawei’s enterprise and ISP-focused routing products seems particularly prudent.
We recently learned that the Australian government had blocked Huawei from tendering contracts for Australia’s National Broadband Network. The government defended their position, stating that:
“As such, and as a strategic and significant government investment, we have a responsibility to do our utmost to protect its integrity and that of the information carried on it.”
Of note, internally Huawei had been a preferred choice, but the company was ostensibly blocked for political/security, rather than economic, reasons. This decision isn’t terribly surprising given that American, Australian, and United Kingdom national intelligence and security agencies have all come out against using Huawei equipment in key government-used networks. The rationale is that, even were a forensic code audit possible (and it likely wouldn’t be, given that we’re talking about millions of lines of code), it wouldn’t be possible to perform such an audit on each and every update. In effect, knowing that a product is secure now isn’t a guarantee that the product will remain secure tomorrow after receiving a routine service update. The concern is that Huawei could, as a Chinese company, be compelled by the Chinese government to include such a vulnerability in an update. Many in the security community suspect that such vulnerabilities have already been seeded.
Does this mean that security is necessarily the real reason for the ‘national security card’ being played in Australia? No, of course not. It’s equally possible that invoking national security:
- lets the government work with a company that it already has ties with and wants to support;
- is the result of the government being enticed – either domestically or from foreign sources – to prefer a non-Huawei alternative;
- permits purchases of non-Huawei equipment from vendors that are preferred for political reasons; perhaps buying Chinese goods just wouldn’t be seen as a popular move for the government of the day.
Moreover, simply because Australia isn’t tendering contracts from Huawei doesn’t suggest that whatever equipment is purchased will be any more secure. In theory, were Cisco equipment used to power the National Broadband Network, then the American government could similarly compel Cisco to add vulnerabilities into routers.
In part, what this comes down to is who do you trust to spy on you? If you see the Americans as more friendly and/or less likely to involve themselves closely in your matters of state, then perhaps American companies are preferred over your economic and geographical next-door neighbours.
I should note, just in closing, that Huawei has contracts with most (though not quite all) of Canada’s largest mobile and wireline Internet companies. Having spoken with high-level governmental officials about security concerns surrounding Huawei’s equipment, there seems to be a total lack of concern: the fact that GCHQ, NSA, and ASIO have publicly raised concerns about the company’s equipment doesn’t seem to raise any alarm bells or worries with our highest government officials.