Huawei denies spying, calls for global security standards

'We're not the ones throwing malware around'

Even as execs of the Chinese telecom giant Huawei prepare to testify before Congress over concerns that the company's networking equipment may pose a security threat to US infrastructure, the company issued a public statement claiming that it has never participated in cyber espionage or any other illegal act, and that it would never do so.

That claim comes in a new report written by John Suffolk – a former UK government CIO who now serves as Huawei's global cyber security officer – with the rather tongue-tying title of "Cyber Security Perspectives: 21st century technology and security – a difficult marriage."

Huawei, like its Chinese competitor ZTE, has been under investigation by the House of Representatives Permanent Select Committee on Intelligence for nearly a year, after multiple US government and military officials raised concerns about both companies' ties to the Chinese government.

In the report, which Suffolk describes as "an open and frank perspective" on Huawei's views regarding cyber security and its impacts, the company asserts that the negative attention it has received is unfair and that espionage would be against its business interests:

For our survival, we have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.

That's a line Huawei will no doubt repeat when it appears before the House Intelligence Committee in hearings that are expected to commence as early as this week. But critics in the US and elsewhere maintain that "Chinese actors" are among the most active perpetrators of cyber espionage, and that Huawei's equipment could be rigged to make such attacks easier.

That's just politics, Suffolk says.

In his paper he describes Huawei as "a global organisation doing business in over 140 countries." Furthermore, he questions whether, in the era of the global supply chain, it is valid or even helpful to label a company's products as "foreign developed":

Alcatel-Lucent has one third of its global manufacturing done by Shanghai Bell; Ericsson's joint-venture Nanjing Ericsson Panda Communications Co. has become the largest supply centre of Ericsson in the world; at the end of 2011, Nokia Siemens Networks had 10 manufacturing facilities worldwide: 5 in China (Beijing, Shanghai, Tianjin, Hangzhou and Suzhou), and 2 in India – is what they do "foreign developed"?

Suffolk goes on to criticize the lack of laws, norms, standards, and protocols with regard to cyber security, and says the current environment allows nearly anyone to use malware and other internet-based attacks with impunity.

"If we accept this route, then we must stop complaining and accept the consequences of the cyber race to the bottom of the pit and the return of the Wild West," he writes.

In an apparent jab against the US and its allies, which have all but admitted using state-sponsored malware in recent attacks on Iran and other targets, Suffolk warns that the lack of international law governing cyber security may soon have severe consequences.

"If governments are indeed involved in the acquisition of zero-day exploits or are developing or 'weaponising' attack software, such as Flame and Stuxnet," Suffolk writes, "the phrase 'what we sow we reap' springs to mind."

Suffolk says the correct approach would be for governments and companies to collaborate on international standards of data protection on a global basis. In the current regulatory environment, he says, Huawei and other companies must comply with different standards for each jurisdiction, which can be prohibitively difficult.

As to the issue of cyber espionage, Suffolk points out that no amount of international regulation or action by vendors is likely to prevent governments from conducting intelligence activities over the internet, now that it has become central to so much of daily life.

"It is important to keep in mind that throughout history, spying and espionage have continually played a role in diplomacy, for better or for worse," Suffolk writes.

How much weight such arguments will carry in Congress is questionable, however, and for Huawei the stakes are high. In a statement issued last November, House Intelligence Committee chair Mike Rogers cautioned American businesses not to buy more Huawei kit "until we can fully determine their motives." ®
