Huawei denies spying, calls for global security standards

'We're not the ones throwing malware around'

Even as execs of the Chinese telecom giant Huawei prepare to testify before Congress over concerns that the company's networking equipment may pose a security threat to US infrastructure, the company issued a public statement claiming that it has never participated in cyber espionage or any other illegal act, and that it would never do so.

That claim comes in a new report written by John Suffolk – a former UK government CIO who now serves as Huawei's global cyber security officer – with the rather tongue-tying title of "Cyber Security Perspectives: 21st century technology and security – a difficult marriage."

Huawei, like its Chinese competitor ZTE, has been under investigation by the House of Representatives Permanent Select Committee on Intelligence for nearly a year, after multiple US government and military officials raised concerns about both companies' ties to the Chinese government.

In the report, which Suffolk describes as "an open and frank perspective" on Huawei's views regarding cyber security and its impacts, the company asserts that the negative attention it has received is unfair and that espionage would be against its business interests:

For our survival, we have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.

That's a line Huawei will no doubt repeat when it appears before the House Intelligence Committee in hearings that are expected to commence as early as this week. But critics in the US and elsewhere maintain that "Chinese actors" are among the most active perpetrators of cyber espionage, and that Huawei's equipment could be rigged to make such attacks easier.

That's just politics, Suffolk says.

In his paper he describes Huawei as "a global organisation doing business in over 140 countries." Furthermore, he questions whether, in the era of the global supply chain, it is valid or even helpful to label a company's products as "foreign developed":

Alcatel-Lucent has one third of its global manufacturing done by Shanghai Bell; Ericsson's joint-venture Nanjing Ericsson Panda Communications Co. has become the largest supply centre of Ericsson in the world; at the end of 2011, Nokia Siemens Networks had 10 manufacturing facilities worldwide: 5 in China (Beijing, Shanghai, Tianjin, Hangzhou and Suzhou), and 2 in India – is what they do "foreign developed"?

Suffolk goes on to criticize the lack of laws, norms, standards, and protocols with regard to cyber security, and says the current environment allows nearly anyone to use malware and other internet-based attacks with impunity.

"If we accept this route, then we must stop complaining and accept the consequences of the cyber race to the bottom of the pit and the return of the Wild West," he writes.

In an apparent jab against the US and its allies, which have all but admitted using state-sponsored malware in recent attacks on Iran and other targets, Suffolk warns that the lack of international law governing cyber security may soon have severe consequences.

"If governments are indeed involved in the acquisition of zero-day exploits or are developing or 'weaponising' attack software, such as Flame and Stuxnet," Suffolk writes, "the phrase 'what we sow we reap' springs to mind."

Suffolk says the correct approach would be for governments and companies to collaborate on international standards of data protection on a global basis. In the current regulatory environment, he says, Huawei and other companies must comply with different standards for each jurisdiction, which can be prohibitively difficult.

As to the issue of cyber espionage, Suffolk points out that no amount of international regulation or action by vendors is likely to prevent governments from conducting intelligence activities over the internet, now that it has become central to so much of daily life.

"It is important to keep in mind that throughout history, spying and espionage have continually played a role in diplomacy, for better or for worse," Suffolk writes.

How much weight such arguments will carry in Congress is questionable, however, and for Huawei the stakes are high. In a statement issued last November, House Intelligence Committee chair Mike Rogers cautioned American businesses not to buy more Huawei kit "until we can fully determine their motives." ®
