Slashdot Mirror


Huawei Admits To Needing 5 Years, $2 Billion To Fix Security Issues (theguardian.com)

Bruce66423 writes: In a remarkable piece of honest self-assessment, Huawei has produced a letter to a House of Commons committee member in response to security concerns raised by the UK Huawei Cyber Security Evaluation Centre (HCSEC), a body that includes Huawei, UK operators and UK government officials, in its annual report. The firm pledged to spend about $2 billion over five years to resolve these issues. However, they also claim that: "Huawei has never and will never use UK-based hardware, software or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country" -- a claim in sharp contrast to the ability of the Communist Party of China to suborn anyone into doing so. Good to see that Chinese firms still have a sense of humor. As The Economist puts it: "And China's leaders are tightening their grip on business, including firms such as Huawei in which the state has no stake. This influence has been formalized in the National Intelligence Law of 2017, which requires firms to work with China's one-party state."

58 comments

  1. Sounds like oz by felixrising · · Score: 4, Interesting

    Just like Australia does... It's not just China which requires companies to comply with requests to forgo and break security (without judicial oversight, no less).

    1. Re:Sounds like oz by bickerdyke · · Score: 4, Insightful

      Or the US with the National Security Letters.

      And the UK has never had any problems either with locking people up to coerce them into compliance with their "security laws".

      The joke is on whoever thought that this was Chinese humor.

      --
      bickerdyke
    2. Re:Sounds like oz by Anonymous Coward · · Score: 0

      The two are quite different things

    3. Re:Sounds like oz by AlwinBarni · · Score: 1

      ... It's not just China which requires companies to comply ...

      <sarcasm>
      Sure, no difference here whatsoever, we also have a giant firewall, limited and sorted news, removed Internet content from blogs and posts, prison time for using a VPN, public shaming on giant billboards, denied transport tickets for a low credit score - definitely it's all the same.
      </sarcasm>

      Like this old joke: you know, here in Russia we have all the same freedoms, you can criticize your president as much as you want, we also can criticize your president as much as we want.

  2. Five years may as well be forever by lordlod · · Score: 4, Insightful

    Fascinating strategy. Acknowledge that there are security concerns, promise to fix them but not for years.

    In the meantime they continue to aggressively sell their infrastructure into countries, countries which are now reassured on the security front, or at least have a story they can tell to deflect the criticism.

    And in five years it doesn't matter what happens. All the 5G infrastructure will already have rolled out or be committed to. If Huawei doesn't come through nobody is going to tear all the infrastructure out, the cost would be staggering.

    I don't think concerned countries will fall for it. It does show that the security concerns are seriously impacting their business though.

    1. Re:Five years may as well be forever by AmiMoJo · · Score: 4, Informative

      The headline is deliberately misleading.

      They didn't say they needed to spend $2bn and five years to fix problems they know about. They said that they have a five-year plan and are investing $2bn in security, which will include things like code audits and hiring additional people to work on it.

      Huawei isn't particularly bad on security. Compare them with Cisco, who have had multiple cases of hard-coded accounts and passwords for support techs over the past few years. At least Huawei takes security seriously and is investing in it.

      The headline should be "Huawei invests more than anyone else in security, actually has a plan for it".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Five years may as well be forever by rtb61 · · Score: 1

      Where to start, story from last year, 8th December. Also yeah, it takes years because they have already installed stuff and what, you expect them to pull it all out and redo it? Oh I get it, it's the bankruptcy clause: do what we say and we know it will bankrupt you, but that is the whole idea. So they will wait for gear to fail and replace it, or replace it at its expected life, when it has paid for itself. To replace tomorrow what you installed yesterday, when what you installed yesterday cost billions, well yeah, we can see what is really going on and it will all come back to haunt you. The country to be least trusted in this regard is the US, who has been repeatedly caught breaking into allied countries' networks.

      Of course to be clear, I think all essential infrastructure should be made in country. All made in country and subject to random security audits, not made in country, then not used in essential infrastructure and especially not American, the most suspect equipment of all.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:Five years may as well be forever by Anonymous Coward · · Score: 1

      End of the day, the Chinese government wants a backdoor - they will have one. A company that opposes it will end up with a lot of CEOs and CTOs in jail.

      Pretty hard to evict nation-states from your database user list.

    4. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      How about open hardware?

      *Laugh*

      They can barely make a PCB, let alone a complete machine. This is exactly the way the national superpowers want it - companies and corporations are much easier to control than your average Joe. Which is odd...because we always assumed corporations didn't need to respond to these things. Now we know they're just puppets to their state masters.

      Your XXX is spying on you (for all values of XXX that has a CPU in it, routers included).

    5. Re:Five years may as well be forever by FudRucker · · Score: 1

      in 5 years people are going to want to upgrade to 6g or 7g superduperhyperspeed internet

      china sounds fishy, i would not trust them

      --
      Politics is Treachery, Religion is Brainwashing
    6. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      In 5 years they'll probably be working on 6G

    7. Re:Five years may as well be forever by AmiMoJo · · Score: 3, Insightful

      We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.

      So far we have no evidence that Huawei puts government backdoors in anything. Zero. None have been found.

      Of course that's not a reason to assume that there are none, but if you are concerned about such things whose hardware are you going to buy?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      Huawei can build a self check function into their hardware that reports so many numbers with full checksums and BASELINE numbers. Thus any subsequent tampering can trigger a tamper light like a flashing red led. Oh, and a hard physical jumper that prevents reflashing.

      Unlike a toothpaste tube, software and routers do not come with protection seals. Makes you wonder.

    9. Re:Five years may as well be forever by Quakeulf · · Score: 1

      2 billion dollars to change a few lines of code? Where do I sign up?

    10. Re:Five years may as well be forever by Anonymous Coward · · Score: 1

      So far we have no evidence that Huawei puts government backdoors in anything

      That depends on the definition of "we". The US government apparently does know more than has been made public, but of course it would be kept classified because releasing it would reveal too much about what exactly they do or don't know and how it became known.

    11. Re:Five years may as well be forever by Anonymous Coward · · Score: 1

      Unlike a toothpaste tube, software and routers do not come with protection seals. Makes you wonder.

      That's a good point. But there's a problem with protection seals. They don't actually protect anything, they are a tool to leave evidence of tampering. Interestingly they are so common, they are overlooked. If somebody replaced the seal with another, a normal person wouldn't notice.

      I'm almost certain a light controlled by software could ultimately be beaten anyway. But in principle, it's a cool idea.

    12. Re:Five years may as well be forever by Lonewolf666 · · Score: 1

      It could also be a pretext to put pressure on the EU to dump Huawei. Without public evidence, the USA's public accusations of Huawei being a security risk may just be fake news.

      But as I posted elsewhere, I don't trust hardware from either country to be free of back doors. The Chinese government probably can force Chinese manufacturers to cooperate. In Cisco hardware (US), hardcoded passwords have already been found.
      So there is a reasonable suspicion that Chinese hardware may have back doors. There is clear evidence for back doors in US hardware. Best case, it was just sloppiness by the devs. But it could have been at the behest of the NSA too.

      --
      C - the footgun of programming languages
    13. Re:Five years may as well be forever by Anonymous Coward · · Score: 1

      We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.

      Citation needed.

    14. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      That's easy. A Huawei device with a Cisco firewall protecting it. The Chinese and US governments will have to work together to get into my system.

    15. Re:Five years may as well be forever by drinkypoo · · Score: 2, Informative

      We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.

      Citation needed.

      Unlike you, I actually wanted such a citation, so I googled for "the US has backdoors into hardware designed and made in the US". I got back a pretty good hit but without citations, but it was from a story in 2013 so I appended 2013 to my search terms and found several good references. Also, let me take this opportunity to remind you to Never forget Qwest.

      Maybe you're just terrible at googling, and need to work on that, but it seems more likely that your request for citations was disingenuous. If not, though, don't be so goddamned lazy.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      don't be so goddamned lazy

      [citation needed] by the other AC was essentially saying the same thing to the GP, which is why I assume you've been modded higher than the GP (as of this post).

    17. Re:Five years may as well be forever by Anonymous Coward · · Score: 2, Interesting

      Those examples are completely different.

      Using exploits to install malware or modify equipment after it's been manufactured is not the same as the manufacturer itself building in the spyware, which is what Huawei is suspected of doing.

    18. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      I don't trust hardware from either country to be free of back doors.

      You shouldn't trust hardware or software from *any* country to be free of back doors. Criminals and spy agencies from all over the world use remote exploits to install malware in pretty much anything connected to the internet. Installing hardware back doors only requires having physical access to the device after it's been built.

      Designing a back door into the device before it's been manufactured is an entirely different issue.

    19. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      I think you could make the light solution quite strong. Unbeatable likely not, but possibly to the point where the system manufacturer itself cannot beat it.

      I find it surprising that deterministic builds are not common in this market. Security-critical organizations often can get the source, and sometimes even the toolchain to compile it, but then you get an image that does not match what the vendor installs (due to things such as date strings, optimization settings, ...).

      Being able to self-compile a bit-exact image for at least the components that manage the secure boot process would give a lot of peace of mind and does not seem so difficult.
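
The two ideas raised in this subthread (a device that measures its own regions against recorded baseline checksums and trips a tamper indicator, and a self-built image that compares bit-exact with the vendor's) come down to the same operation: hash the parts that matter and compare. The following is an added example written for this mirror, not code posted by any commenter and not anything Huawei ships. The image layout, the region names and the timestamps are all constructed for the demonstration; a real firmware would have its own header format and region table.

```python
import hashlib
import struct

# Constructed sample firmware: an 8-byte header (magic + build timestamp)
# followed by two code regions. Everything here is made up for the example.
BOOT = b"BOOT:" + bytes(range(32))
KERN = b"KERN:" + bytes(range(64))
HEADER_LEN = 8

# Region table: name -> (offset, length). Only code regions are measured;
# the header, which carries the volatile timestamp, is deliberately excluded.
REGIONS = {
    "bootloader": (HEADER_LEN, len(BOOT)),
    "kernel": (HEADER_LEN + len(BOOT), len(KERN)),
}


def build_image(bootloader: bytes, kernel: bytes, build_time: int) -> bytes:
    """Assemble an image the way a (hypothetical) vendor build would,
    embedding the build time in the header."""
    return struct.pack(">4sI", b"FWIM", build_time) + bootloader + kernel


def region_digests(image: bytes, regions=REGIONS) -> dict:
    """SHA-256 of each measured region; this is the 'baseline numbers' table."""
    return {
        name: hashlib.sha256(image[off:off + ln]).hexdigest()
        for name, (off, ln) in regions.items()
    }


def tamper_check(image: bytes, baseline: dict, regions=REGIONS) -> list:
    """Names of regions whose digest no longer matches the recorded baseline.
    An empty list means 'tamper light stays off'."""
    current = region_digests(image, regions)
    return sorted(name for name in regions if current[name] != baseline.get(name))


def whole_image_reproducible(img_a: bytes, img_b: bytes) -> bool:
    """Bit-exact comparison of two builds; fails on any embedded timestamp."""
    return hashlib.sha256(img_a).digest() == hashlib.sha256(img_b).digest()


def code_regions_reproducible(img_a: bytes, img_b: bytes, regions=REGIONS) -> bool:
    """Compare only the measured code regions, ignoring the volatile header."""
    return region_digests(img_a, regions) == region_digests(img_b, regions)


if __name__ == "__main__":
    vendor = build_image(BOOT, KERN, build_time=1544227200)   # vendor's build
    baseline = region_digests(vendor)
    print("clean image:", tamper_check(vendor, baseline))     # []

    patched = bytearray(vendor)
    patched[REGIONS["kernel"][0] + 10] ^= 0xFF                # one-byte change in the kernel
    print("patched image:", tamper_check(bytes(patched), baseline))  # ['kernel']

    mine = build_image(BOOT, KERN, build_time=1544313600)     # my rebuild, a day later
    print("bit-exact:", whole_image_reproducible(vendor, mine))            # False
    print("code regions match:", code_regions_reproducible(vendor, mine))  # True
    # Pinning the timestamp (the SOURCE_DATE_EPOCH approach) restores bit-exactness.
    print("pinned:", whole_image_reproducible(vendor, build_image(BOOT, KERN, 1544227200)))  # True
```

Two caveats a practitioner would attach. First, the measurement is only as trustworthy as the code doing it: if `tamper_check` runs from the same rewritable flash it measures, a modified image can simply report the old digests, which is the weakness an earlier reply points out about a software-controlled light; the measuring code has to sit somewhere the attacker cannot change (ROM, or a secure-boot root that measures the next stage before running it). Second, the reproducibility failure the comment describes is exactly the timestamp case above: either pin the volatile inputs at build time or, as `code_regions_reproducible` does, compare only the regions that are supposed to be identical and keep the excluded bytes to a known, inspectable header.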

    20. Re:Five years may as well be forever by Anonymous Coward · · Score: 0

      But Cisco has a legitimate support reason (aka lots of stupid office-worker-level people use their gear and need support. Being told that you're locked out of the router and the only resolution is to buy another one is not good for business).

      Huawei is snooping at the request of the CCP, and no one with a brain is ever going to believe that they are not.

    21. Re:Five years may as well be forever by larryjoe · · Score: 1

      Of course that's not a reason to assume that there are none, but if you are concerned about such things whose hardware are you going to buy?

      Obviously I would avoid buying from the country with which I am more likely to engage in a military war in the future.

      Many of the concerns on slashdot concern civil liberties. It's entirely reasonable for people in the West to concern themselves exclusively with their own civil liberties to the exclusion of civil liberty injustices perpetrated on others. However, in contrast to individual citizens, Western governments also need to plan for future military defense and wars. And these Western governments need to be wary of China and Russia.

    22. Re:Five years may as well be forever by rahvin112 · · Score: 1

      The proof you found is that certain three letter organizations have software that can exploit certain hardware platforms and the ability to intercept shipped hardware to install this software that exploits the commodity hardware.

      There is no proof whatsoever that any of the companies participated or assisted these 3 letter groups with the software that compromises their hardware. In addition there is no law or requirement that these companies would have to render assistance. On top of that all the companies involved have publicly denied they have ever assisted these 3 letter groups. This is unlike China or Russia where these foreign service companies are required by law to assist the government including if that government wants, assisting in the deployment of spying or malware on company produced equipment.

      It may be a fine difference but the point is Cisco has never publicly assisted the US government, nor has anyone provided any proof that they have unofficially assisted the government, nor are they required by law to assist the government. Huawei on the other hand is required by Chinese law to assist the Chinese communist party in any endeavor the PRC deems necessary.

  3. And the US have the PATRIOT Act by Lonewolf666 · · Score: 2, Informative

    And their National Security Letters. Overall, that gives them a legal loophole comparable to what the Chinese Government probably has.

    As someone from the EU, I don't trust either. Perhaps we could buy at least some of our stuff from Nokia (Finnish). Seems the politically and legally safest option.

    --
    C - the footgun of programming languages
    1. Re:And the US have the PATRIOT Act by K.+S.+Kyosuke · · Score: 1

      Finnish

      But not Finlandized, I hope?

      --
      Ezekiel 23:20
    2. Re:And the US have the PATRIOT Act by idji · · Score: 1

      Until Russia "acquires" Finland...

    3. Re:And the US have the PATRIOT Act by hackingbear · · Score: 1

      Exactly.

      Besides:

      1. the "security issues" are mostly related to the auditability of Huawei's 3rd-party components (to which Huawei would not have source code access; well, otherwise the US would use that as an attack point instead.) It is like saying that I don't know how to disassemble my car's engine for inspection, therefore my car is about to lose control and hit a wall.
      2. and this HCSEC, set up by the UK spy agency in 2010, hadn't had any complaints for 8 years and is now suddenly raising the flags during the Sino-US trade war. This is just a made-up accusation by a puppet of the USA.
      3. all of this cooperation with the Chinese government for spying is just speculation. But given Huawei is a major hi-tech symbol of China, under millions of watchful eyes around the world, why would the government ask them to compromise it?

      In the other news, Iraq has large amount of WMDs...

    4. Re:And the US have the PATRIOT Act by rahvin112 · · Score: 1

      NSLs require access to information, not assistance by the company in compromising its own hardware. I don't like NSLs either, but they have very strict restrictions on their use and installing malware in someone's product isn't one of them.

  4. what do they want 2 billion for? by FudRucker · · Score: 1

    are they going to build another wall?

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:what do they want 2 billion for? by mentil · · Score: 2

      Perhaps one made of fire, yes.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:what do they want 2 billion for? by Anonymous Coward · · Score: 0

      Naw. It should be stones from China. The wall will be great.

    3. Re:what do they want 2 billion for? by freeze128 · · Score: 1

      Firewalls aren't made of fire. They protect AGAINST fire.

  5. A letter can not overcome the technology by drnb · · Score: 4, Insightful

    Or the US with the National Security Letters.

    It's not quite the same. In the US a company currently can't be compelled to install a backdoor into their hardware, or otherwise degrade the security of their hardware. They can design a secure boot system, a secure encrypted communications channel, a system with no company-based key escrow, etc. Then when they get a National Security Letter they can tell the judge we would love to comply with this order but it is technologically impossible, or we do not have the key requested, etc.

    For example Apple is quite free to increase the security of the phones at each iteration no matter how pissed off the FBI gets.

    1. Re:A letter can not overcome the technology by Anonymous Coward · · Score: 0, Troll

      Can't be "compelled"... is that a joke? Being "compelled", or "coerced" if it comes to that, it's the norm... as long as it doesn't reach public opinion you won't have a white knight coming out of those companies (and trust me, the companies don't want it reaching the public because they much prefer being able to be in bed with the State and the common Joe at the same time).

      The only joke here is thinking that only China does that... this article was written either by a shill or a moron (actually they aren't even mutually exclusive).

    2. Re:A letter can not overcome the technology by bickerdyke · · Score: 0

      Ah, that infamous spy chip that no one has ever seen so far....

      Well, currently this is about the ability of a government getting sensitive information (if they have it) from a company. This is possible in lots of countries.

      China may have the power to also force a company to weaken security, but that is not supported by (at least) this article. So yes, we need to be careful, but it could happen with vendors based anywhere. FBI and NSA are working on making it happen in the US and not every company dares to fight them.

      --
      bickerdyke
    3. Re:A letter can not overcome the technology by Anonymous Coward · · Score: 0

      The Americans can now just ask the Australians to use their backdoors to obtain any data they need.

    4. Re:A letter can not overcome the technology by drinkypoo · · Score: 2

      It's not quite the same. In the US a company currently can't be compelled to install a backdoor into their hardware, or otherwise degrade the security of their hardware.

      Never Forget

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re: A letter can not overcome the technology by Anonymous Coward · · Score: 0

      You are a moron. Anything compelling a US company to work for a US intel agency (or British as the history is closer with British intel agencies due to past US laws forbidding spying by US agencies on US citizens) will come out eventually. Either by a leak to a news agency or through a FOI request (or both).

      In China there is no freedom of information. If the Chinese government wants it hidden, it doesn't get reported on. That's why there is a Great Firewall of China, VPNs are banned, and citizens are encouraged to both spy on and report fellow citizens for any suspicious behavior.

      If you think the US, or any western country, is like that, you are comically mistaken.

  6. Singularity by Bob_Who · · Score: 1

    Eventually, we will all be Chinese.

  7. I think they misspelled "To Build In NSA Backdoors by Anonymous Coward · · Score: 0

    I assume they're gonna leave the Chinese ones in. Maybe just hide them better.

    But yeah... if you want to operate in a state, you have to obey those who actually own the state. Which, in the USA, is the NSA and the corporations around it. (I mean they have dirt on every single other person in power. From government to military to other corporations. And the ability to use it against them. That's literally their job. [OK, in theory they're not supposed to spy at home. But in practice, that's just unrealistic, when you want to spy on foreigners that are in contact with US people, use US services etc. Especially if you often don't know what side somebody is on.])

  8. Nokia Networks you mean. by Anonymous Coward · · Score: 0

    Nokia mobile phones are made in China too, like every other piece of electronics, including “American” Apple.

    1. Re: Nokia Networks you mean. by Anonymous Coward · · Score: 0

      The Nokia mobile phone business is not related to Nokia anymore.

  9. Whose security? by sjbe · · Score: 2

    Huawei isn't particularly bad on security.

    If they are actually cooperating actively with the Chinese government as is alleged then they are extremely bad at security. Bad does not necessarily equal incompetent depending on the perspective of the end user. It seems rather unlikely that Huawei hasn't been compromised in some significant manner.

    The headline should be "Huawei invests more than anyone else in security, actually has a plan for it".

    Whose security are they investing in is the question. Mine or China's?

    1. Re:Whose security? by Anonymous Coward · · Score: 0

      > Whose security are they investing in is the question. Mine or China's?

      Both? This is money for code audits etc, it will benefit all users, in China or not.

  10. Five years? by OneHundredAndTen · · Score: 1

    In five years they can develop their own OS from scratch, and a layer to make sure that Android apps work on it.

  11. More like 5 years to up their spycraft game by Rick+Schumann · · Score: 1

    Come on, who do you people think you're fooling?

  12. Windbourne is a cocksucking faggot by Anonymous Coward · · Score: 0

    is Elon circumcised?

  13. Huawei is committed to the best hidden backdoors by Anonymous Coward · · Score: 0

    And will spend billions of dollars and years of work to keep them in place.

  14. It takes a while to make sure NSA can't find it by WillAffleckUW · · Score: 1

    The data holes go in before the counter-spies find the spy holes.

    It's a feature, not a bug.

    P.S. Yes, he looks like Charlie Brown.

    --
    -- Tigger warning: This post may contain tiggers! --