Huawei, your way, whichever way. We're cool with being locked out, defiant biz insists
Plus: Reagan's model doesn't apply today, says US CSO
Huawei execs insisted today that they have no problem with being shut out of certain countries' networks, even as their US CSO gently scorned a famous Ronald Reagan saying that heralded the end of the Cold War.
Speaking to the world's press after the opening of Huawei's Brussels-based Cyber Security Transparency Centre earlier today, the firm's global head of cyber security, John Suffolk - a former UK government CIO - also attempted to explain why Huawei had said the speed of its response to last year's criticisms from spy agency GCHQ would take years instead of months.
"The reason we say three to five years is, if an operator – and some don't have a lot of money, they're not operating in rich countries," said Suffolk, breaking into a brief aside. "If they want us to upgrade their tech, which may be six or ten years old, we provide that ability, this backwards compatibility. I might have a list of excellent ideas from the UK but I need to apply all those ideas across the old technology. That's why it'll take some time."
It was not immediately clear whether UK mobile network operators are running Huawei equipment that is between six and ten years old. Regardless, after sustained pressure was put on Huawei through the British press, the company declared a couple of weeks ago that it would start tackling security problems with its equipment by June this year. Of interest is the snippet that Huawei assures the integrity of the testing process at HCSEC in Banbury, UK, by simply hashing tested firmware and comparing the hashes to firmware deployed on kit in production environments. In the past GCHQ/NCSC had obliquely floated the idea that they weren't certain if what was being tested was what was being deployed.
Don't trust – but verify anyway
Supporting rotating chairman Ken Hu's remarks earlier today, US CSO Andy Purdy said the company's public approach to cybersecurity is to trust nobody – something he contrasted with US President Ronald Reagan's famous mid-1980s motto, "Trust, but verify."
"The fact is, the old methods for trust don't work," said Purdy during a staged panel discussion. "When President Reagan talked about 'trust but verify' in the context of the nuclear arms race, that's not good enough. We have to check everything for everybody. We have to develop a new mechanism so we understand the risk and manage the risk objectively and transparently."
This rather ironically summarised the British approach to installing Huawei network equipment. The company is trusted by the British state for use on networks used by the general public and private industry – but not on the government's own networks, as UK NCSC chief exec Ciaran Martin said a few weeks ago.
Suffolk reiterated the morning's declaration of faith in the EU approach to infosec regulation. He highlighted what some see as the global success of the EU General Data Protection Regulation as a de facto global privacy law:
"The good old days of my country as an island – as you can tell, I'm British – we can't protect that order any more. It's gone by. So what are the legal frameworks, the standards, the certifications? We support the role the EU is playing on this and we passionately believe the GDPR is the right model on this."
China has never ordered us to spy – and we don't want to conquer the world
Vincent Pang, Huawei's president for Western Europe, said in reply to a question about the espionage claims that continue to dog the company: "We said, in the last 30 years we've never received any order from Chinese government to take data back to China. This is the fact. As Ken Hu mentioned in his speech, we served 1,500 networks in the last 30 years. There's no evidence."
Suffolk chipped in: "We don't expect, and I don't expect, there's any vendor in the world that expects to win every business in every country. It's about multiple vendors, different architectures, it's about thinking where your risk is going to come from. We don't see any decision a government typically takes as oh, it's just Huawei for Huawei's sake. It's a big complex world out there, different risk management approaches."
In other words, even though some western countries may impose legal or even de facto bans on Huawei, the company wants to be publicly seen as cool with that. With the evident warming of EU countries' attitudes towards the firm even as the US grows increasingly choleric, its market future seems assured in the short term, at least.
Pang concluded: "Huawei is never dominant and we never expect to dominate in this industry as well. As John mentioned, we cannot serve every single customer. We can only serve the customers who are still willing and trust to work with us. Sooner or later we will take the time to prove, this is a common challenge for the whole industry.
"For that reason you know we will work hard with the UK government to finalise what's going to be the mechanism and the systems to solve the challenges of sustainability. After that we'd expect the commercial decision will go to the people who can buy or use the network. Rather than limitation of certain numbers. This will damage the free trade, free competition and free choice of the end user. We don't think this is a smart idea." ®