Huawei Admits To Needing 5 Years, $2 Billion To Fix Security Issues (theguardian.com) 58
Bruce66423 writes: In a remarkable piece of honest self assessment, Huawei has produced a letter to a House of Commons committee member in response to security concerns raised by the UK Huawei Cyber Security Evaluation Centre (HCSEC) in its annual report, a body that includes Huawei, UK operators and UK government officials. The firm pledged to spend about $2 billion over five years to resolve these issues. However they also claim that: "Huawei has never and will never use UK-based hardware, software or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country" -- a claim in sharp contrast to the ability of the Communist Party of China to suborn anyone into doing so. Good to see that Chinese firms still have a sense of humor. As The Economist puts it: "And China's leaders are tightening their grip on business, including firms such as Huawei in which the state has no stake. This influence has been formalized in the National Intelligence Law of 2017, which requires firms to work with China's one-party state."
Sounds like oz (Score:5, Interesting)
Re:Sounds like oz (Score:5, Insightful)
Or the US with the National Security Letters.
And the UK has never had any problems either of locking people up to coerce them into compliance with their "security laws"
The joke is on whoever thought that this was Chinese humor.
A letter can not overcome the technology (Score:5, Insightful)
Or the US with the National Security Letters.
Its not quite the same. In the US a company currently can't be compelled to install a backdoor into their hardware, or otherwise degrade the security of their hardware. They can design a secure boot system, a secure encrypted communications channel, a system with no company based key escrows, etc. Then when they get a National Security Letter they can tell the judge we would love to comply with this order but it is technologically impossible, or we do not have the key requested, etc.
For example Apple is quite free to increase the security of the phones at each iteration no matter how pissed off the FBI gets.
Re: (Score:1)
Ah that infamous spy chip that no one has ever see so far....
Well, curently this is about theability of a gouvernment getting sensitive information (if they have it) from a company. This is possible in lots of countries.
China may have the power to also force a company to weaken security, but that is not supported by (at least) this article. So yes, we need to be carefull, but it could happen with vendors based anywhere. FBI and NSA are working on make it happening in the US and not every company dares to fi
Re: (Score:3)
Its not quite the same. In the US a company currently can't be compelled to install a backdoor into their hardware, or otherwise degrade the security of their hardware.
Never Forget [wikipedia.org]
Re: (Score:2)
... It's not just China which requires companies to comply ...
<sarcasm>
Sure, not difference here whatsoever, we also have a giant firewall, limited and sorted news, removed Internet content from blogs and posts, prison time for using VPN, public shaming on giant billboards, denied transport tickets for low credit score - definitely it's all the same.
</sarcasm>
Like this old joke: you know, here in Russia we have all the same freedoms, you can criticize your president as much as you want, we also can criticize your president as much as we want.
Five years may as well be forever (Score:5, Insightful)
Fascinating strategy. Acknowledge that there are security concerns, promise to fix them but not for years.
In the mean time they continue to aggressively sell their infrastructure into countries, countries which are now reassured on the security front, or at least have a story they can tell to deflect the criticism.
And in five years it doesn't matter what happens. All the 5G infrastructure will already have rolled out or be committed to. If Huawei doesn't come through nobody is going to tear all the infrastructure out, the cost would be staggering.
I don't think concerned countries will fall for it. It does show that the security concerns are seriously impacting their business though.
Re:Five years may as well be forever (Score:4, Informative)
The headline is deliberately misleading.
They didn't say they needed to spend $2bn and five year to fix problems they know about. They said that they have a five year plan and are investing $2bn in security, which will include things like code audits and hiring additional people to work on it.
Huawei isn't particularly bad on security. Compare them with Cisco, who have had multiple cases of hard-coded accounts and passwords for support techs over the past few years. At least Huawei takes security seriously and is investing in it.
The headline should be "Huawei invests more than anyone else in security, actually has a plan for it".
Re: (Score:1)
End of the day the Chinese government wants a backdoor - they will have one, The company opposes it will end up with a lot of CEOs and CTOs in jail.
Pretty hard to evict nation-states from your database user list.
Re: (Score:3, Insightful)
We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.
So far we have no evidence that Huawei puts government backdoors in anything. Zero. None have been found.
Of course that's not a reason to assume that there are none, but if you are concerned about such things whose hardware are you going to buy?
Re: (Score:1)
Unlike a toothpaste tube, software and routers do not come with protection seals. Makes you wonder.
That's a good point. But there's a problem with protection seals. They don't actually protect anything, they are a tool to leave evidence of tampering. Interestingly they are so common, they are overlooked. If somebody replaced the seal with another, a normal person wouldn't notice.
I'm almost certain a light controlled by software, could ultimately be beaten anyways. But in principal, its a cool idea.
Re: (Score:1)
So far we have no evidence that Huawei puts government backdoors in anything
That depends on the definition of "we". The US government apparently does know more than has been made public, but of course it would be kept classified because releasing it would reveal too much about what exactly they do or don't know and how it became known.
Re: (Score:1)
It could also be a pretext to put pressure on the EU to dump Huawei. Without public evidence, the USA's public accusations of Huawei being a security risk may just be fake news.
But as I posted elsewhere, I don't trust hardware from either country to be free of back doors. The Chinese government probably can force Chinese manufacturers to cooperate. In Cisco hardware (US), hardcoded passwords have already been found.
So there is a reasonable suspicion that Chinese hardware may have back doors. There is clear
Re: (Score:1)
We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.
Citation needed.
Re: (Score:3, Informative)
We have hard proof that the US has backdoors into hardware designed and made in the US. That's a fact, we know it with absolute certainty.
Citation needed.
Unlike you, I actually wanted such a citation, so I googled for "the US has backdoors into hardware designed and made in the US". I got back a pretty good hit but without citations, but it was from a story in 2013 so I appended 2013 to my search terms and found several [theguardian.com] good [wired.com] references [ieee.org]. Also, let me take this opportunity to remind you to Never forget Qwest [wikipedia.org].
Maybe you're just terrible at googling, and need to work on that, but it seems more likely that your request for citations was disingenuous. If not, thoug
Re: (Score:2, Interesting)
Those examples are completely different.
Using exploits to install malware or modify equipment after it's been manufactured is not the same as the manufacturer itself building in the spyware, which is what Huawei is suspected of doing.
Re: (Score:2)
The proof you found is that certain three letter organizations have software that can exploit certain hardware platforms and the ability to intercept shipped hardware to install this software that exploits the commodity hardware.
There is no proof whatsoever that any of the companies participated or assisted these 3 letter groups with the software that compromises their hardware. In addition there is no law or requirement that these companies would have to render assistance. On top of that all the companies
Re: (Score:2)
Of course that's not a reason to assume that there are none, but if you are concerned about such things whose hardware are you going to buy?
Obviously I would avoid buying from the country with which I am more likely to engage in a military war in the future.
Many of the concerns on slashdot concern civil liberties. It's entirely reasonable for people in the West to concern themselves exclusively with their own civil liberties to the exclusion of civil liberty injustices perpetrated on others. However, in contrast to individual citizens, Western governments also need to plan for future military defense and wars. And these Western governments n
Whose security? (Score:3)
Huawei isn't particularly bad on security.
If they are actually cooperating actively with the Chinese government as is alleged then they are extremely bad at security. Bad does not necessarily equal incompetent depending on the perspective of the end user. It seems rather unlikely that Huawei hasn't been compromised in some significant manner.
The headline should be "Huawei invests more than anyone else in security, actually has a plan for it".
Whose security are they investing in is the question. Mine or China's?
Re: (Score:2)
Where to start, story from last year in 8th December. Also yeah it takes years because they have already installed stuff and what you expect them to pull it all out and redo it, oh I get it, it;s the bankruptcy clause, do what we say and we know it will bankrupt you but that is the whole idea. So they will wait for gear to fail and replace it, or replace it at it's expected life, when it has paid for itself. To replace tomorrow what you installed yesterday, when what you installed yesterday cost billions, w
Re: (Score:2)
china sounds fishy, i would not trust them
Re: (Score:2)
And the US have the PATRIOT Act (Score:2, Informative)
And their National Security Letters. Overall, that gives them a legal loophole comparable to what the Chinese Government probably has.
As someone from the EU, I don't trust either. Perhaps we could buy at least some of our stuff from Nokia (Finnish). Seems the politically and legally safest option.
Re: (Score:2)
Finnish
But not Finlandized, I hope?
Re: (Score:2)
Re: (Score:2)
Exactly.
Besides:
1. the "security issues" are mostly relating to the auditability of Huawei's 3rd party components (which Huawei would not have access to the source codes; well otherwise the US would use that as an attack point instead.) It is like saying that I don't know how to disassemble my car's engine for inspection, therefore my car is about lose control and hit a wall.
2. and this HCSEC, set up by the UK spy agency in 2010, haven't had any complains for 8 years and are now suddenly raising the flags d
Re: (Score:2)
NSL's require access to information, not assistance by the company is compromising their own hardware. I don't like NSL's either but they have very strict restrictions on their use and installing malware in someones product isn't one of them.
what do they want 2 billion for? (Score:2)
Re: (Score:3)
Perhaps one made of fire, yes.
Re: (Score:2)
Singularity (Score:2)
Eventually, we will all be Chinese.
Five years? (Score:2)
More like 5 years to up their spycraft game (Score:2)
It takes a while to make sure NSA can't find it (Score:2)
The data holes go in before the counter-spies find the spy holes.
It's a feature, not a bug.
P.S. Yes, he looks like Charlie Brown.