The arrest of Sabrina Meng, CFO of Huawei, has thrust a global Chinese technology company into the public spotlight. In addition to smartphones and laptops, Huawei sells the switches and routers used to run many of the world’s telecommunications networks. It is poised to become the leader in 5G, the fifth-generation wireless technology that will underpin many sectors of tomorrow’s digital economy.
America worries that China’s technological ambitions will thwart U.S. plans for continued global dominance. It has long accused Huawei of having ties to the Chinese government, and is pressing its allies to ban the company’s equipment from their networks. Some have done so; others are weighing their options.
Although U.S. pressure to block Huawei is based more on geopolitical and commercial considerations than on any actual threat, the United States stokes fear by waving the red flag of cyber security.
To alleviate this concern in the United Kingdom, in 2010 Huawei established a Cyber Security Evaluation Centre in Banbury, England, to scan the company’s equipment and software code for vulnerabilities. The center is run by Huawei along with some of its customers and is supervised by GCHQ, the British signals intelligence agency.
This sensible approach to managing risk reflects a fundamental truth about cyber security: that the only way to make sure a piece of software does not contain back doors is for independent experts to audit the code. This is a far more effective strategy than banning individual companies in an attempt to achieve “cyber security by logo.”
The CSEC model is not perfect. In July, the fourth annual CSEC report to the U.K.’s National Security Adviser identified two “shortcomings in Huawei’s engineering processes.” First, the software code built by Huawei’s engineers sometimes produces different outcomes in the tests run by CSEC than it does when it’s installed in actual U.K. telecom networks. Second, GCHQ found that some software used by Huawei’s third-party suppliers is not updated often enough to be secure.
Yet exposing such shortcomings is exactly what the CSEC is designed to do. Huawei has responded by pledging to spend $2 billion over the next five years to improve the way it develops and maintains software.
For its part, Ireland seems quite happy with Huawei. No warnings have been issued by Ireland’s Department of Communications or its telecom regulator. Its largest mobile provider, Eir, is using Huawei equipment to link the country’s mobile network with equipment provided by Ericsson. Eir says it has no concerns and “would not have selected Huawei if we believed there was any risk for our customers.”
In the United Kingdom, Huawei has been supplying access gear to fixed and mobile networks for more than 15 years. For the last four, the Banbury facility has subjected Huawei’s gear to rigorous testing by experts. If there was a smoking gun, someone should have found it by now.
Perhaps that’s why Ireland hasn’t imposed any restrictions on Huawei. One hopes that other countries will follow suit and resist the fear-mongering that might otherwise push them to make irrational decisions that protect no one and impose unwanted costs on businesses and individuals.