
Huawei's embarrassing HCSEC security report card

At the New Zealand Herald Juha Saarinen writes about the HCSEC report in The real reason Huawei shouldn’t be in 5G networks:

“The report from oversight board for Britain’s Huawei Cyber Security Evaluation Centre (HCSEC) makes it clear that clever, secret backdoors in the Chinese company’s equipment is the least of anyone’s worries.

“Instead, it’s old, unsafe and bug-infested software, bad coding practices, and little or no effort by Huawei to sort out some seriously deficient processes and practices.”

Overnight, Huawei’s status went from clever enough to spy on networks undetected to bungling clowns.

The report is damning. It’s not about a few weak points here and there. Bad code runs through Huawei’s software like the word Blackpool in a stick of seaside rock.

The UK has known this for seven years.

Bad software is everywhere

On one level it’s not a surprise. Poorly-written software is common. It runs the world.

Some of the best-known software names have or had dodgy code, including Microsoft and IBM. Enterprise software often holds together with digital chewing gum and paper clips.

Shoddy software lies behind most computer security problems. Attackers find and exploit holes in poor code.

Critical infrastructure

That’s the problem with Huawei. Its network products are part of critical infrastructure. Criminal or hostile-state-controlled coders could find their way into those networks.

Huawei network kit has always looked advanced compared with rival brands.



The NATO Cooperative Cyber Defence Centre of Excellence underlines this:

“It is currently the only company that can produce ‘at scale and cost’ all the elements of a 5G network, with its closest competitors Nokia and Ericsson not yet able to offer a viable alternative.”

Now it looks like Huawei cut too many corners to get out in front.
The HCSEC report is a wake-up call.

Hopefully everyone watching is getting their own house in order. Experience suggests otherwise.

Fixing the mess

In theory, Huawei can fix this mess. It has acknowledged the report and says it will spend $2 billion in a programme to fix the problems.

The UK’s National Cyber Security Centre isn’t confident that will happen. It also fears any fixes that Huawei makes may not make their way into products used in networks.

Huawei has had seven years to fix problems. It’s done nothing.

Last year the National Cyber Security Centre warned the company. According to the report, Huawei made “no material progress” on identified problems.

The HCSEC oversight board says it wants to see “sustained evidence” of better software engineering and cyber security “quality” before it gives Huawei a tick.

HCSEC report not about spies

None of the flaws found in Huawei’s offering is to do with Chinese state intelligence.

That was the reason for setting up HCSEC in the first place. It’s why Huawei faces more scrutiny than other equipment suppliers.

That poses an interesting thought: How would Huawei’s rivals look if they were subject to similar investigation? Until then, there’s no logical reason to assume they are any better.

Huawei’s embarrassing HCSEC security report card was first posted at billbennett.co.nz.

© Scoop Media
