
Can Supply Chain Security be a Real Thing?

Cybersecurity firm Finite State issued a recent report concluding that telecommunications equipment made by Chinese firm Huawei presents a higher percentage of security vulnerabilities than equipment produced by other firms.

A story in The Wall Street Journal cited numerous sources inside the Administration who pointed to the report as further evidence that the company’s firmware can’t be trusted.

Finite State says it analyzed more than one and a half million files that were embedded in close to 10,000 firmware images that support hundreds of Huawei products and found that more than half of the images contained at least one security vulnerability.

In a statement posted to its website, Huawei said the Finite State report doesn’t tell the whole story.

The Cipher Brief spoke with Finite State CEO and co-founder Matt Wyckhouse about the report and why he thinks supply chain security when it comes to 5G is within reach.  The conversation has been slightly edited for length and clarity.

The Cipher Brief: You’ve said in the past, that you believe 5G can be secure.  In the interest of full disclosure, your company produces cybersecurity products that address supply chain issues.  Let’s talk about your company’s recent report, but also, about why you believe it’s so important that we get 5G right?

Wyckhouse: The big difference between 5G and previous cellular technologies like 3G and 4G is that, with this incredible amount of bandwidth and low-latency communications, more critical services are going to start relying on it over the next several years.  So, with that kind of infrastructure in place, things like autonomous vehicles can offload some of the processing from the vehicle into the cloud or you can have a lot of more intelligent systems that are constantly connected and can count on that connectivity all the time, which means they are going to become reliant on the network.  And it's not just things like VR and cell phones or communications, it's all of these things that are keeping us safe, keeping businesses operating, everything from remote factories and energy, to hospitals to transportation. When all of that is riding on top of a network, that network needs to continue to function all the time, and so the concern is more about the threat of a denial of service of that network than it is the traditional surveillance threat that everyone's been concerned about before.

The Cipher Brief: Your recent report identified a number of vulnerabilities that it said your researchers found specifically in Huawei equipment.  Put this in perspective for us, are the flaws that your team identified indicative in general of the Asia tech industry or is this far more narrowly focused on just one company?

Wyckhouse: I would say that the Asia tech industry, like most regional industries, has some people who are very good at security and people who are not, some organizations that are good and organizations that are not. In particular, we know that this has been focused on Huawei, and despite the fact that they're committing to publicly improving their security, we're not seeing that commitment reflected in their devices. Compared to any of the other devices out there, some of which come from the Asian region, compared to all of those, we're still seeing that Huawei is faring much worse than what's normal from a security standpoint.

The Cipher Brief: In your description of 5G, you talked about the risk of a denial-of-service attack.  Let's say in the future, the imbalance is corrected through competition in the market, we've got more providers, but Huawei is still going to be a player.  Are we still at risk if we have a Huawei there that's operating like they do now?

Wyckhouse: I think we are. The important thing is to recognize that there's always risk with equipment and devices like this. That's why firmware updates come out all the time, and regardless of whether it's Huawei or any of the other providers of that equipment, there are always vulnerabilities, and risk. What's important is that we know what they are, and that people build security programs around them. The UK, for example, is considering allowing Huawei into portions of their 5G network. Every organization, every country needs to make their own decisions about how to manage this risk, and if the UK feels that they can do that by isolating them to certain segments of the network, as long as they're building out a security program around that, then maybe they have some strategies that will work. We're not going to make a judgment call on that.  What we're saying in our report is that we need to have a robust screening process. We need to be doing the types of things that we did in this report for any equipment that's going into critical networks. Why not just screen everything and understand the risks and work with the vendors to make those products better regardless of whether it's Huawei or anyone else?

The Cipher Brief: One of your recommendations is for organizations to create a security framework where they can ‘verify everything’. I thought that was an interesting phrase because I can't even imagine the complexity that would come into play with that.  Can you unpack it a bit for us in practical terms and explain what it means for the average organization out there? How practical is it to verify-everything?

Wyckhouse: That's a great question. To give you a sense of our philosophy on security, if you look at the cybersecurity industry over time, there's a pattern that anytime something that was opaque becomes transparent, security gets better. The problem with the Internet of Things and network infrastructure equipment is that it's a completely opaque relationship between the buyers and sellers today. It's very hard for someone to know what's happening inside of those devices and how secure they are. When it comes to security, we're basing those buying decisions on a brand's reputation, and we're suggesting that you should base them on the actual risks in the devices and that you should be looking at these firmware updates. You should be looking at the devices, running robust tests and using technology to verify what's in those devices. Supply chain security has always been thought of as an almost unachievable goal, like you said. One of the purposes of this report was to show it is achievable. We processed all of this firmware, 10,000 images across more than 500 different products. The processing was done in about 36 hours, and so it's very achievable to verify everything with the right technology.

The Cipher Brief: What about the gap that exists in this area between the U.S.' definition of acceptable risk and that of other countries? The UK doesn't necessarily view the world as trying to dominate the 5G market in the same way that the U.S. and China do, and there are a whole host of countries around the world that, frankly, aren't going to have a lot of choice when it comes to Huawei and 5G, all things considered.  What does that gap look like?

Wyckhouse: It is such a complex issue right now because it involves both national and economic security for a lot of different countries. There really are only five suppliers of the core infrastructure that goes into 5G. It's Huawei and ZTE, Nokia and Ericsson, and Samsung.  And Huawei has taken a very significant lead on this. China has invested a massive amount into 5G technology, and they see it as a massive future economic security position for them. They see a lot of revenue coming from 5G and the associated technologies.  Obviously, the U.S. government recognizes that, too. Nokia and Ericsson have made investments into 5G and have somewhat comparable equipment in different areas. If countries are shying away from the Chinese technology, they certainly stand to benefit. The U.S. doesn't have native 5G technology companies that are building infrastructure right now. The one upside of 5G is that more commodity hardware will be involved. More things that you would typically see in a data center can be applied to 5G because of the push of some of the computing technologies up to the edge, so players like Cisco might have more business in those parts of it, but, overall, it's a very limited market and, due to the way China has been investing in this over the last several years, there's just not a lot of competition, and Huawei continues to come in much cheaper than the competition.

The Cipher Brief: Any closing thoughts on this?

Wyckhouse: Supply chain security is really important. It is a very hard problem, but it is manageable if we start putting verification programs in place. Also, the technology is catching up to the problem. There are ways of dealing with this and verifying things and understanding the risks and, most importantly, if you do that, it doesn't have to be adversarial with the vendors. Creating those transparent relationships between the users of the technology and the sellers of the technology winds up improving everybody's experience and everyone's security, and so I really believe that increasing transparency is going to make us all safer.
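The "verify everything" approach Wyckhouse describes, screening firmware images before they go into a critical network, is easier to picture with a concrete screening pass. The script below is an added example, not Finite State's tooling or the methodology of the report discussed in the interview. It assumes the firmware image has already been unpacked into a root filesystem directory (for instance with binwalk) and applies a small set of hypothetical policy checks: PEM private keys shipped in the image, accounts in /etc/shadow with a fixed password hash, world-writable executables, and a BusyBox build older than an assumed baseline version. The sample filesystem it builds is constructed for the demo.

```python
"""Added example: screen an unpacked firmware root filesystem for risky content.

Not Finite State's tooling; the checks are hypothetical policy chosen to
illustrate the kind of screening discussed above. Assumes the image has
already been unpacked (e.g. with binwalk) into a directory tree.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    path: str
    check: str
    detail: str


PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# /etc/shadow entry with a usable hash field; '*' or '!' means the account is locked.
SHADOW_HASH_RE = re.compile(rb"^([^:\n]+):(\$[^:\n]+):", re.M)
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+)\.(\d+)\.(\d+)")
MIN_BUSYBOX = (1, 30, 0)        # assumed baseline; older builds are flagged for review
MAX_READ = 4 * 1024 * 1024      # bytes inspected per file


def scan_firmware_root(root):
    """Walk an unpacked image and return sorted Findings for each policy hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are out of scope here
            mode = stat.S_IMODE(st.st_mode)
            any_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if mode & stat.S_IWOTH and mode & any_exec:
                findings.append(Finding(rel, "world-writable-executable", oct(mode)))
            with open(full, "rb") as fh:
                data = fh.read(MAX_READ)
            if PRIVATE_KEY_RE.search(data):
                findings.append(Finding(rel, "embedded-private-key",
                                        "PEM private key shipped in image"))
            if name == "shadow":
                for m in SHADOW_HASH_RE.finditer(data):
                    user = m.group(1).decode("ascii", "replace")
                    findings.append(Finding(rel, "hardcoded-password-hash",
                                            f"account {user} has a fixed password"))
            m = BUSYBOX_RE.search(data)
            if m:
                ver = tuple(int(x) for x in m.groups())
                if ver < MIN_BUSYBOX:
                    detail = "found %d.%d.%d, baseline %d.%d.%d" % (ver + MIN_BUSYBOX)
                    findings.append(Finding(rel, "outdated-busybox", detail))
    return sorted(findings)


def summarize(findings):
    """Count findings per check, the per-image figure a screening program tracks."""
    counts = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


def build_sample_image(root):
    """Write a constructed, deliberately flawed root filesystem for the demo."""
    def put(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    put("etc/shadow",
        b"root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::\n"
        b"nobody:*:18000:0:99999:7:::\n", 0o600)
    put("etc/ssl/private/device.key",
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
        b"-----END RSA PRIVATE KEY-----\n", 0o600)
    put("bin/busybox",
        b"\x7fELF...BusyBox v1.22.1 (constructed) multi-call binary\x00", 0o777)
    put("usr/sbin/httpd", b"\x7fELF...unremarkable service\x00", 0o755)


def scan_sample():
    """Build the constructed image in a temp dir and screen it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return scan_firmware_root(tmp)


if __name__ == "__main__":
    results = scan_sample()
    for f in results:
        print(f"{f.check:28} {f.path}: {f.detail}")
    print(summarize(results))
```

Each check here is cheap and deterministic, which is what makes screening every image practical: the expensive part of a real program is unpacking and the breadth of the rule set, not the per-file inspection. A production pipeline would add component inventory and version matching against a vulnerability database, but the structure stays the same: unpack, inspect, record findings per image, and hand the list back to the vendor.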


Read also How Do Allies Tackle 5G When They Don’t See Eye to Eye, by Conrad Prince, former Dep Director of GCHQ and Nick Fishwick, former Senior Officer with the British Foreign Office.
