Slashdot Mirror


Huawei Admits To Needing 5 Years, $2 Billion To Fix Security Issues (theguardian.com)

Bruce66423 writes: In a remarkable piece of honest self-assessment, Huawei has produced a letter to a House of Commons committee member in response to security concerns raised by the UK Huawei Cyber Security Evaluation Centre (HCSEC) in its annual report, a body that includes Huawei, UK operators and UK government officials. The firm pledged to spend about $2 billion over five years to resolve these issues. However, they also claim that: "Huawei has never and will never use UK-based hardware, software or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country" -- a claim in sharp contrast to the ability of the Communist Party of China to suborn anyone into doing so. Good to see that Chinese firms still have a sense of humor. As The Economist puts it: "And China's leaders are tightening their grip on business, including firms such as Huawei in which the state has no stake. This influence has been formalized in the National Intelligence Law of 2017, which requires firms to work with China's one-party state."

5 of 58 comments

  1. Sounds like oz by felixrising · Score: 4, Interesting

    Just like Australia does... It's not just China which requires companies to comply with requests to forego and break security (without judicial oversight no less).

    1. Re:Sounds like oz by bickerdyke · Score: 4, Insightful

      Or the US with the National Security Letters.

      And the UK has never had any problems either of locking people up to coerce them into compliance with their "security laws".

      The joke is on whoever thought that this was Chinese humor.

      --
      bickerdyke
  2. Five years may as well be forever by lordlod · Score: 4, Insightful

    Fascinating strategy. Acknowledge that there are security concerns, promise to fix them but not for years.

    In the meantime they continue to aggressively sell their infrastructure into countries, countries which are now reassured on the security front, or at least have a story they can tell to deflect the criticism.

    And in five years it doesn't matter what happens. All the 5G infrastructure will already have rolled out or be committed to. If Huawei doesn't come through, nobody is going to tear all the infrastructure out; the cost would be staggering.

    I don't think concerned countries will fall for it. It does show that the security concerns are seriously impacting their business though.

    1. Re:Five years may as well be forever by AmiMoJo · Score: 4, Informative

      The headline is deliberately misleading.

      They didn't say they needed to spend $2bn and five years to fix problems they know about. They said that they have a five-year plan and are investing $2bn in security, which will include things like code audits and hiring additional people to work on it.

      Huawei isn't particularly bad on security. Compare them with Cisco, who have had multiple cases of hard-coded accounts and passwords for support techs over the past few years. At least Huawei takes security seriously and is investing in it.

      The headline should be "Huawei invests more than anyone else in security, actually has a plan for it".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. A letter can not overcome the technology by drnb · Score: 4, Insightful

    Or the US with the National Security Letters.

    It's not quite the same. In the US a company currently can't be compelled to install a backdoor into their hardware, or otherwise degrade the security of their hardware. They can design a secure boot system, a secure encrypted communications channel, a system with no company-based key escrows, etc. Then when they get a National Security Letter they can tell the judge we would love to comply with this order but it is technologically impossible, or we do not have the key requested, etc.

    For example, Apple is quite free to increase the security of the phones at each iteration no matter how pissed off the FBI gets.