Is Huawei really a threat to organisations’ mobile security?
Ever since the US government cited national security concerns for its decision to add Huawei to a list of banned entities, major US and international technology companies have publicly cut ties with the company. As a result, the million-dollar question that all organisations should be asking themselves is: if large companies with deep pockets like these are distancing themselves from Huawei, do the benefits of working with the Chinese company really outweigh the risks?
But let’s back up a bit. Some reports speculate that the US may be using Huawei as leverage in its ongoing trade talks with China, and that the ban may magically disappear if the two countries come to an agreement on concessions. In fact, if the ban goes into effect, it is not entirely clear how the US will penalise companies that defy the ban, but for US-based companies these penalties can range from civil fines and export limits, all the way to possible criminal action. And non-US companies aren’t exempt, either. Any company using technology licences that originated in the US faces the same restrictions.
As it currently stands, Huawei will no longer be able to get mobile chipsets from Qualcomm for its smartphones. Likewise, Google will no longer license its popular Android operating system and Microsoft will cease licensing its Windows operating system. Although these vendors have promised to continue providing limited support in the form of security updates for existing users, there is no question that the ban will have a lasting impact on Huawei (while potentially giving rivals like Samsung a temporary boost).
The arguments for and against
The main argument against Huawei arises from fears that it has added software backdoors into all manner of its equipment, from smartphones to base stations. Proponents of the ban say that any sensitive data traversing these networks could potentially be intercepted and redirected to China, where it could be used by the Chinese government for surveillance and espionage purposes.
Huawei’s CEO has vehemently denied these claims, and in response the company hasn’t been sitting idle. It’s gone on something of a charm offensive over the past month as a way to allay fears that it would – or even could – comply with future requests from the Chinese government to provide what it calls “improper information.” The company recently invited international journalists to its sprawling headquarters in Shenzhen. It was there that the company’s chairman, Liang Hua, repeated Huawei’s willingness to sign a “no-spy agreement” as a way to reassure US leaders — although he admitted it was unlikely that the offer would be accepted. Similar and separate offers have already been made to Germany and the UK.
In the UK, however, things are more nuanced. Huawei already has a significant presence inside the country’s 4G network, and despite calls from the US and other nations for a ban on committing to the Chinese company’s 5G network equipment, news broke on April 24th that the UK government would allow Huawei to build out “non-core” parts of its next-generation network. The reasoning for this decision was that it would allow the UK government to maintain a limited commercial engagement with Huawei while also keeping its equipment under close supervision.
Likewise, but for different reasons, officials in remote or sparsely populated parts of the US are putting pressure on the government to grant exceptions to the ban. The motive is purely economic. Rural networks in the US rely on the cheapest telecom equipment they can find, and Huawei is significantly cheaper than equivalent products from Finland’s Nokia and Sweden’s Ericsson.
No easy workaround
We should mention that exceptions may be possible. Companies wanting to work with Huawei and any of its roughly 70 banned affiliates have the option to seek a temporary BIS (Bureau of Industry and Security) licence, which is granted by the US Commerce Department on a case-by-case basis. Although several companies are expected to apply for a BIS licence, there’s no guarantee that one will be approved, or even when.
A new round of tariffs on Chinese goods is expected to take effect on June 25th, so it’s possible that some companies are taking a wait-and-see approach, hoping that the ban is removed at the last minute. As we draw closer to the deadline, however, the hopes of a reversal seem to be fading just as further retaliation from the Chinese government seems more likely.
In the near term, all of this turmoil is certainly bad for Huawei’s bottom line. The company has already cancelled or delayed several major smartphone and laptop product launches, and chief executive Ren Zhengfei recently stated that the US ban has caused sales of its smartphones to drop by 40% outside China. If the dispute continues, Huawei is expecting a $30 billion drop in sales over the next two years.
If the ban were to remain in place for an extended period of time, it’s anticipated that Huawei will be forced to develop its own operating systems and double down on chip designs for its consumer and commercial products. In the long term, this may even strengthen the company’s prospects.
But ultimately, the security risk to the average enterprise or public sector body from Huawei is likely to be very small. There’s already no shortage of ‘friendly’ actors and government agencies much closer to home that are probably guilty of surreptitiously snooping on sensitive data. For that matter, as the Enterprise Mobility Exchange found earlier this year, there are far more likely threats to our mobile security than Huawei.
So, getting back to our initial question: should a company defy the ban and work with Huawei? The short answer is that the real problem is political, legal, commercial and reputational, rather than an overt or severe security risk. What happens if Huawei devices can no longer run Android software, or if serious legislation is created, banning the purchase of Huawei products altogether? What happens if applications are restricted on Huawei hardware, or if sales deals are lost because clients refuse to work with any organisations that use Huawei products? With plenty of alternatives on the market, defying a potentially costly ban to work with Huawei is a risk that very few companies can or should take – just not for the reasons the headlines would have you believe.