Cyber Security — Facts, fiction and political agendas

Dr. ir Johannes Drooghaag
Apr 14, 2020

Cybersecurity is part of my everyday work. As an advocate and consultant for Cybersecurity For All, I am in a rather unique position: helping people, corporations and organizations to understand their own responsibilities in cybersecurity while also being involved in cybersecurity research.

The ‘game’ of cybersecurity used to be clear. There were the consumers, who in most cases just focus on the convenience of devices. There were the experts, who focus on the technical details of something they know everything about. And there were the bad guys, who abuse the huge gap between them. My role was and is clear, too. I focus on building bridges between the average consumer and the experts. Making complex matters understandable so people can enjoy great technology in a safe way.

In the past 2 years the ‘game’ has changed. There is a new player called Political Agenda. This player is confusing consumers and experts, and that is exactly what it wants to do. A favorite slogan of that new player is ‘risk vendor’. Some experts surprisingly follow the narrative blindly, other experts demand evidence without getting it. And the consumer? The consumer is just confused!

Let’s have a closer look by diving into the campaign against the company that has been in the crosshairs of the Political Agenda more than any other company has ever been — Huawei. Two messages keep surfacing. “Huawei has backdoors” and “Huawei’s devices have vulnerabilities and are unsecure”. Combined, these are a clear message. “Do not buy Huawei, they are a risk”. A ‘risk vendor’ is born.

I prefer to make up my own mind based on facts rather than opinions.

The alleged vulnerabilities are very easy to track. There are online databases of vulnerabilities (CVEs) by Mitre Corporation and NIST in which researchers and vendors report vulnerabilities and solutions. Publicly available information! If Huawei had malicious vulnerabilities to be able to spy on their customers, would they be listed in a publicly available database? That doesn’t make much sense, does it?!

Searching for Huawei in the publicly available databases shows about 800 CVE entries at the beginning of April 2020. Although that might seem like a lot, it isn’t that much for a supplier with a huge market share. Android for example shows almost 6,000 entries, and a part of those impact the Android devices by Huawei, by the way. iOS for iPhones and iPads shows close to 3,000 entries. Cisco shows more than 4,000 entries.

There isn’t an update of iOS for my iPhone and iPad which doesn’t solve a bundle of vulnerabilities, and that is great. I have deep respect for Microsoft and the way they handle their patch management for the wide variation of products running on devices they didn’t make themselves. Solving vulnerabilities is the result of being a responsible vendor. Microsoft reports and solves their vulnerabilities and so do Apple, Cisco and Google. None of them are labeled as ‘risk vendor’. None of these vulnerabilities are hyped in the media. That ‘honor’ is reserved for Huawei.

So, it is true that Huawei has vulnerabilities in their products, and nobody is denying that. And it is also true that Huawei is solving and reporting those vulnerabilities, like all other vendors do. The claim that Huawei is a ‘risk vendor’ because of vulnerabilities is just a fabricated fable.

The famous backdoors in Huawei devices and equipment

There are many claims by U.S. officials that there are malicious backdoors in Huawei’s devices and equipment which would allow the company to secretly gain access to communication networks, devices, and anything connected to it. And those claims are carried by the media and blindly repeated by some of the experts. Even the CTO of Nokia claimed to have evidence of such backdoors, a statement which was quickly downplayed by Nokia itself.

There was actually a case to which all still refer. The mother of all evidence to prove that Huawei has backdoors in all equipment. Not hundreds of cases. Not even a handful of cases. Just one case! Vodafone discovered a vulnerability which could be exploited as a backdoor to gain access to devices and networks. Vodafone also confirmed it has been resolved by Huawei. Yesterday? Last month? Last year, maybe? No, back in 2011!

But when ‘backdoors’ are the reason to label Huawei as a ‘risk vendor’, there has to be more evidence, right? The British National Security Secretariat’s Huawei Cyber Security Evaluation Centre (HCSEC) didn’t find them, although they have full access. Check the HCSEC Annual Report yourself. They even confirmed that Huawei continues to solve flaws and vulnerabilities and provide patches to installed devices.

Wouldn’t you expect that a governmental organization which has access to the source code would publish all the backdoors they found if there were any? Addressing this with a Senior Executive for Network Security at a European Mobile Service Provider, I got a very interesting response:

“Nobody can access our core network infrastructure without our permission. We monitor all traffic and take every possible security measure to avoid unwanted access. When someone claims that a vendor has access to our core infrastructure, that person obviously has no clue about mobile network infrastructure. It is interesting that the countries which campaign against Huawei are also the countries which have the highest number of requests for access to our core infrastructure. Just like with us, they can’t enforce that access on Huawei through local legislation.”

Mobile network providers deny that there are backdoors in Huawei equipment and so does the British government agency HCSEC. Researchers who rip apart every piece of software to find security issues have reported no backdoors. The confirmed vulnerabilities show that Huawei isn’t any worse or better than the other vendors in the market. And we also see that Huawei is resolving those issues, just like all the others. Facts, no opinions, just the way I like it.

No malicious backdoors, no secret entry points to spy on all of us. Yet Huawei is labeled as ‘risk vendor’ and we should ask ourselves why. The answer is sobering — money and power!

A dangerous strategy that starts to backfire

This isn’t about cybersecurity. This is about slowing down Huawei to allow U.S. based vendors to catch up and become the main suppliers of 5G technology. Vendors which coincidentally happen to be under the legislative power of the U.S. That isn’t the way the so-called free market is supposed to work, is it? Besides Huawei, the consumers are the ones who lose the most. We, the consumers, are stripped of our rights to select the best products and services for our money. A right which is part of the free market we all celebrate.

Huawei’s 2019 Annual Report shows that these campaigns against Huawei are causing some damage to the growth of the company. Although Huawei is still profitable and growing, the growth is under pressure from the restrictions on the U.S. market and the pressure applied by the U.S. Government on its allies and suppliers of Huawei. So, we could think that the strategy of misinformation and manipulating the free market is paying off, but that is not the case.

Those measures are already starting to backfire, as Huawei’s Deputy Chairman Eric Xu made clear in an interview with CNBC. The Boston Consulting Group predicts in their report “How Restrictions to Trade with China Could End US Leadership in Semiconductors” that such restrictions and sanctions could cost the U.S. up to 40,000 highly skilled jobs and cause severe cuts in R&D and CAPEX in the U.S. semiconductor industry. SEMI, the association representing the semiconductor and electronics manufacturing supply chain in the U.S., expressed similar concerns about the negative impact on the U.S. semiconductor industry.

A thriving semiconductor industry is key to R&D and investments that will drive the new technology which vendors need to stay ahead of the game, or in the case of U.S. based 5G vendors, catch up with the game. Throttling the semiconductor industry by cutting off China as one of its main customers is counterproductive and the U.S. industry is very aware of that. Don’t take my word for it, read for yourself.

Network service providers are waiting, not knowing what the next steps against Huawei will be. Consumers are cautious, believing some of the claims without really understanding what it is all about. Propaganda in its finest form, the way we haven’t seen it since the end of the Cold War.

Is there a way forward?

How can we get out of this? How can we create a level playing field on which all vendors, service providers and consumers are enabled to decide based on facts? One way would be to create a security framework which applies to all vendors, and not just to Huawei. Consumers and network providers would really benefit from separating facts from fiction.

The only ones who are not pleased by this proposal, which by the way was coined by Huawei itself, are the architects behind the propaganda campaign against Huawei. That should make you think!

Dr. ir Johannes Drooghaag

Dad, consultant, coach, speaker, author. Mainly Cyber Security, leadership, responsible tech and organizational change. https://johannesdrooghaag.com