Huawei Professes Transparency

Article By : Junko Yoshida

Huawei held a grand opening of its Cyber Security Transparency Center in Brussels this week. Regardless of whispers that the event was a high-profile dog and pony show, it also gave Huawei a lot of ammunition against its detractors.

BRUSSELS — Huawei’s official opening Tuesday of a brand-new Cyber Security Transparency Center in Brussels — at the nerve center of the EU — might be cynically construed as a desperate effort to save Huawei’s reputation among European network operators and customers after the waves of bad press that have recently swept over the Chinese company.

Indeed, this is how many reporters construed their invitations to the grand opening. However, in this case, Huawei was innocent. It had announced plans to inaugurate this center almost a year ago in May.

Nonetheless, the timing was both suspicious and fortuitous. As Ken Hu, Huawei’s Deputy Chairman, aptly noted in his opening remarks, “Now, it looks like this facility [in Brussels] is more critical than ever before.”

Regardless of whispers that the event was a high-profile dog and pony show, it also gave Huawei a lot of ammunition against its detractors.

The event — with more than 200 representatives from regulators, telecom operators, enterprises, and the media — served Huawei not only as an opportunity to generate a lot of free ink but also a very public platform for Huawei to turn the tables and go on the offense against its accusers. Huawei has been charged with IP theft and also accused of installing secret “back doors” for espionage purposes in its network equipment. On Tuesday, Huawei attacked such allegations as speculation, baseless rumor, and non-facts “that could not be verified.”

Furthermore, the opening of the Transparency Center gave Hu a chance to lecture the world that “the lack of consensus on cybersecurity, technical standards, verification systems, and legislative support exacerbates the unprecedented challenges to the cybersecurity of ICT infrastructure.” Calling for “collaborations,” Hu stressed, “Together, we can improve security across the entire value chain and help build mutual, verifiable trust.”

Reporters gather around in a lobby at Huawei’s new Cyber Security Transparency Center in Brussels before the tour starts. (Photo: EE Times)

What does a “Transparency Center” do?

The Transparency Center serves three purposes, according to John Suffolk, president, global cybersecurity & privacy at Huawei Technologies Co., Ltd. “It’s a collaboration center, an evaluation center, and a meeting center.”

Notice on the door to “secure rooms” (Photo: EE Times)

During a tour, Huawei showed off a “secure area” where customers (and independent security experts chosen by the customers) are allowed to look at Huawei’s source code for verification.

Suffolk, however, made it clear that Huawei can’t peek at what their customers, operators, and partners are doing in its secure rooms while accessing Huawei’s code.

“We think that’s right,” said Suffolk. “We give them total flexibility, they are free to use whatever tools and do whatever they need to do until they satisfy themselves.”

Who uses these secure rooms? Huawei gave no names, noting that it would not identify customers without their permission.

The Transparency Center is funded by Huawei, with no government oversight. The purpose of the evaluation functions available at the facility is customer care. It’s not about publicly disclosing what customers might discover — good, bad, or questionable — or how they evaluate Huawei’s source code.

Huawei representative Cheng Feng explains the setup of “secure rooms” where customers come to evaluate Huawei’s source code. (Photo: EE Times)

Suffolk made clear that the Transparency Center is more than happy to work with anyone, including government officials. No license is required for access to the evaluation rooms. Huawei hopes to collaborate with a variety of parties, including developers of new tools or verification models. “They can come here and try to hack our code.”

While Huawei offers physical secure rooms, its guests can bring their own teams and experts of their choice. “We have no problems with that,” said Suffolk.

Security theater

Software experts, however, wonder if much of what Huawei is offering at its Transparency Center is “security theater.” Just like TSA makes travelers feel safer by making them take off belts and shoes, Huawei’s Cyber Security Transparency Center can foster a false sense of assurance about Huawei’s openness.

Michael Barr, CTO of the Barr Group, who served as an expert witness in Toyota’s sudden unintended acceleration cases and spent many months examining Toyota’s source code, cautioned that seeing the source code does not guarantee unfettered insight into Huawei’s hardware. “They could put all the software source code they have in there, and they could still run everything in insecure hardware,” he said. “Unless you have a way to actually build every version and compare binaries to ROMs, you don’t know if you have all the files and the right ones.”

In other words, even if you test source code, something else could end up in the equipment installed in a network. Huawei’s Suffolk acknowledged that this is a valid question. However, he pointed out an industry-standard model called Hash, which allows comparison of two files by generating a matching key. There is also a method called “binary equivalent,” which reveals whether a perfect image of the original was created.

Suffolk, however, admitted that this remains a huge issue for the industry, because once equipment starts loading other software, obtaining a “perfect match” with the original gets harder.

Global supply chain

With all that said and done, though, once Huawei’s network equipment is installed with database, software, chips, and components sourced from the global supply chain, “Typically only about 30% of what’s inside Huawei’s box is Huawei’s technology,” said Suffolk.

“But we don’t just look at Huawei’s 30%,” he noted. “We have to prove to you that all known vulnerabilities are removed.” Huawei has a mechanism to scan the database and identify and remove known vulnerabilities. Problematic, though, is that although 30,000 software vulnerabilities were reported by the industry between 2017 and 2018, Suffolk noted, “There are others that are not known.” It’s impossible to assert that any equipment has no vulnerabilities. “There is no perfect answer.”

Huawei as China’s agent?

The fear lingers that Huawei might be serving as China’s agent. Suspicion was triggered by new laws issued under President Xi Jinping. Now, any Chinese company — particularly in telecom — must participate in intelligence operations if so instructed. The company is required to turn over all data sought by the government.

During the press conference, one reporter asked if Huawei has requested Beijing to change the law or asked for more clarity.

Suffolk, who worked in the U.K. government for seven years and was Her Majesty’s Government CIO, suggested that it takes time for laws in any countries to sink in and clarify their intentions.

John Suffolk (on left) and Vincent Pang at the podium during the Q&A (Photo: EE Times)

Vincent Pang, president, Western European Region at Huawei, who shared the podium with Suffolk, went combative. He insisted: “In the last 30 years, we have never received an order from the Chinese government for taking back data to China. It’s a fact and there is no evidence of it.”

Pang also quoted a spokesman of China’s Foreign Ministry, who repeatedly said that the Chinese government has never instructed installation of a back door or taken data back to China.

As the strongest proof of Huawei’s innocence, Pang cited a statement by Huawei’s founder and CEO, Ren Zhengfei, in a round of the media interviews in January. Ren, at that time, said that Beijing had never asked him or Huawei to share “improper information” about its partners. Ren pledged, “I personally would never harm the interest of my customers and me, and my company would not answer to such requests [from Beijing].”

Pang, paraphrasing Ren, said that if the government pressed Ren to break Huawei’s trust with customers, Ren would not only refuse but would close his company. In Pang’s mind, there is no stronger, no clearer proof that any such shenanigans are off-limits — even though current Chinese law makes them literally obligatory.

Other Huawei security facilities

Originally, when Huawei first approached different national governments about building cybersecurity facilities in their regions, they refused, according to Suffolk.

However, since 2010, Huawei has built security centers around the world including in the U.K., Canada, and Germany and in China many years before that.

Identifying Brussels as “an important window on Europe,” Huawei began to prepare the security center more than a year ago.

Huawei explained that each center has a focused approach so that none looks or operates the same way.

The U.K. facility, for example, is an extension of Huawei R&D, according to Suffolk. It provides technical advice and suggestions to Huawei’s development teams while undertaking evaluations on behalf of U.K. customers. The German center is focused on specific validation based on certain standards, like common criteria.

Asked before the Transparency Center in Brussels, opened where Huawei’s customers would go to evaluate Huawei’s code, Suffolk said, “We’ve always offered secure rooms at our headquarters in China. Operators, enterprises, and third-party testing companies could book the room and then stay there as long as they wanted.” He added, “Although we don’t provide room services, we have 40,000 engineers at our headquarters who are willing to sit down with them and take them through architecture and protocols.”

Now, those customers don’t have to travel all the way to China but can come to Brussels, he said.

Press briefing on the Cyber Security Transparency Center (Photo: EE Times)