Can you trust Huawei... or any other networks supplier for that matter?

Price, bug-patching, security, control ... so many factors to consider


Chinese telecoms giant Huawei may well be the world's most controversial technology company. It's also probably one of the most well-known names on the US government's "entity list", where it was placed in May this year.

Placement on this effective trade blacklist – although Huawei has since been given a reprieve until August – means American companies have to obtain licences to work with it, and licence exceptions are limited.

It had already been locked out of supplying equipment to America's high-speed 5G networks over spying fears some time before.

Australia has imposed a similar 5G ban, and the US has been pressuring other members of the "Five Eyes" intelligence-sharing club to follow suit. In late June, the US ambassador to Britain, Woody Johnson, described allowing Huawei to help build such networks as being akin to "letting a kleptomaniac into your house".

Huawei denies all such charges. In June, its global cybersecurity and privacy officer – and former UK government chief information officer – John Suffolk told a British Parliamentary committee that the company would rather close than buckle under wrongful pressure from governments. And at least some of the US opposition to the company appears mixed up with US president Donald Trump's theatrical method of conducting trade negotiations.

I'm buying and selling tech, I'm no politico or diplomat: what do I do?

For those buying telecoms equipment professionally, this causes a problem. Huawei has 28 per cent of the global telecoms equipment market, according to US analyst Dell'Oro, ahead of rivals such as Cisco of the US, Sweden's Ericsson and Finland's Nokia, and in normal circumstances, it would be perverse not to consider it. So – assuming buying from the company is not ruled out by your government – what should you do?

Probably the most rigorous public testing of Huawei's equipment is carried out by the UK's Huawei Cyber Security Evaluation Centre, a Banbury-based operation known as "the Cell" run by signals intelligence agency GCHQ. As the name suggests, it only tests Huawei kit, not that of its rivals, so it's not possible to draw comparisons.

But its latest annual report was far from complimentary, reporting "serious and systematic defects in Huawei's software engineering and cyber security competence". It did not believe the defects resulted from interference by the Chinese state, but added it had reported "several hundred vulnerabilities and issues" to UK communications operators, and that some still existed.

Underlining this, Ian Levy – technical director of the National Cyber Security Centre (NCSC), a division of GCHQ – described Huawei's security as "objectively worse" than that of Western equipment makers, adding recently: "Certainly nothing is perfect, certainly Huawei is shoddy, the others are less shoddy."

"Personally I would be wary about using equipment whose vendor had copied a whole lot of software that they had no clue how to maintain," commented Ross Anderson, professor of security engineering at the University of Cambridge's computer laboratory, adding that he trusts Levy's assessment. Some companies in the sector take a similar view, with researcher Finite State reckoning Huawei has "a weaker security posture" than its rivals.

Mike O'Malley, vice president of carrier services at security service provider Radware, said that Cisco and Nokia have integrated security services from third parties – including Radware – into what they offer: "They are viewing security as a differentiator," he added. Ericsson can offer Radware's services as add-ons but Huawei has developed its own, which O'Malley described as "a fairly rudimentary, low-level type of security".

Tod Beardsley, director of research at cybersecurity company Rapid7, said that the big equipment suppliers have specific strengths and weaknesses, although he doesn't think it is possible to rank them. Cisco and Huawei participate in the US-run Common Vulnerabilities and Exposures system for reporting problems, although Nokia and Ericsson also have good alternative methods for this, and he reckoned Nokia has a reputation for being very security-aware and fixing problems quickly.

Cisco discloses a lot of vulnerabilities, but Beardsley said: "That does not mean it is less secure. It ships more patches, which is ultimately positive." Cisco has, however, been criticised for using the same default usernames and passwords for some lines of equipment, rather than using different ones for each device.
