The Cybersecurity discussion we should be having over the Huawei backdoor scandal

Antonio "pelle" Pellegrino


Exterior of the Leeum Samsung Museum of Art — by Andrew Rowat

In a not-so-distant past, Huawei had visions of building the backbone for the world’s 5G networks. The Chinese manufacturer’s 5G kit — touted as a high-performance solution with an affordable price tag — was set to be installed everywhere from India to Canada. Yet, as concern within the global intelligence community over the hardware’s potential cybersecurity flaws intensified into full-blown dread, the promise of affordable, reliable 5G began to fade.

The ongoing COVID-19 pandemic has reawakened the Huawei 5G debate in the West in an unlikely manner. Unnerved by the threat of “security back doors” embedded deep within vital national communications networks, a succession of governments have announced plans to scale back cooperation with Huawei, or reconsider partnerships to build advanced 5G networks. Yet the United Kingdom’s previous, if unexpected, refusal to ban Huawei tech from its 5G infrastructure had bucked the trend of Western democracies shunning Chinese hardware — while still taking precautions to isolate them from critical core parts of their network. Now, Britain seems set on revisiting this earlier compromise.

The pushback against telecom equipment manufacturers Huawei and ZTE has been spearheaded by the United States — backed by allies Canada, Australia, New Zealand, as well as some NATO-member states. They argue that the incorporation of Chinese manufactured components in vital telecommunications infrastructure poses an imminent and dangerous cybersecurity threat to liberal democracies. The private information of millions of citizens and other sensitive strategic assets could potentially be placed at the mercy of a hostile authoritarian government.

Though the privacy concerns over Huawei hardware are obviously justified, it is much more likely, as some have argued, that the United States’ uncompromising stance on Chinese 5G tech is motivated by geopolitical — rather than cybersecurity — considerations. For strategists in Washington, the real security threat to liberal democracy would materialize if and when the autocrats in Beijing find themselves with unobstructed control over too large a share of the world’s data traffic infrastructure, placing the future of the free internet in jeopardy.

Great Power dynamics aside, anxiety over the vulnerabilities of network hardware (to Chinese hackers or anyone else) is not only misplaced but distracts from the real data security discussion that we should be having. In fact, hardware back doors aren’t even a requirement for conducting cyberwarfare, as countries like Russia, Iran and North Korea (none of which have installed extensive 5G networks abroad) regularly demonstrate. But that doesn’t matter. From an information security point of view, tech with intentionally fitted ‘back doors’ leading to Xi Jinping’s smartphone is substantively indistinguishable from hardware containing innocuous manufacturing flaws for the purposes of building secure networks.

Thus, by operating on the assumption that any hardware component may as well be flawed by default, a data-centric security architecture would instead rely on the depth of a government or corporate network’s software overlay to protect traffic regardless of the physical infrastructure’s vulnerabilities. Ironically, some of the most vocal warnings against overreliance on physical network infrastructure for security come from Huawei itself — sort of. Answering a question about the alleged use of Huawei products for espionage at a press event late last year, company founder Ren Zhengfei compared his firm’s hardware manufacturing to the automotive industry. “We just sell the bare frame, the clients [telcos] decide what goes in the trunk”. In other words, data traffic is only as secure as the encryption layer is strong.

Indeed, endpoint-based encryption presents numerous tangible benefits, and the industry is clearly picking up on that. End-to-end encryption is very cost-effective, easy to deploy, upgrade and update across all devices on a network. While encryption between various endpoints is one viable option for securely running networks on potentially compromised hardware, it still relies entirely on trusting the endpoints and not the gears in between. The catch is that in order to work effectively, they need to be properly configured.

For governments and enterprise customers, endpoint-focused cybersecurity solutions remain popular because they offer numerous benefits. For starters, network segmentation allows them to decentralize the way their data is contained, while also segmenting traffic types between subnetworks through firewalls. Isolated data is much less vulnerable to the threat of system-wide compromise — and in the off case that it is, the tiny fraction of exposed data is easily contained. Additionally, data can be readily shifted to other containers depending on the cyberattack vectors. However, the effectiveness of network segmentation may be limited by costly memory management algorithms or difficulties in swapping data between unevenly sized segments.

One solution would be forgoing segmentation altogether as a primary mechanism for protecting sensitive resources. Still reeling from a sophisticated APT attack in 2009, Google reassessed its internal security architecture from the bottom up, eventually implementing a zero-trust network security concept which did away with traditional perimeter security models in favor of simply deploying applications directly onto the public internet. Google’s internal security architecture has since moved away from perimeter security and towards endpoint security. This open-source implementation makes it possible for users to connect to a network remotely without the need for a VPN. Sensitive data can still be accessed through a user and device-centric authentication and authorization workflow. The resulting security framework, BeyondCorp, has since been adopted by large data center operations including AWS, Azure, and SAP.

Accepting the inherent untrustworthiness of hardware-specific network security predicates approaching trust not as a constant, but as a function over time.

In other words, a piece of hardware running a particular piece of software doesn’t remain secure indefinitely with a single verification. Truly impenetrable security requires continuous authentication on an ongoing basis.
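To make "trust as a function over time" concrete, here is a per-request access decision in which trust decays from the moment of the last user and device verification. This is an added example, not code from the article or from BeyondCorp; the field names, time limits and thresholds are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy values, chosen for illustration only.
MAX_AUTH_AGE = 15 * 60      # seconds a user authentication is honoured
MAX_POSTURE_AGE = 5 * 60    # seconds a device posture check is honoured
REQUIRED_TRUST = {"public": 0.2, "internal": 0.5, "sensitive": 0.8}


@dataclass
class Session:
    user_authenticated_at: float  # epoch seconds of last user authentication
    device_checked_at: float      # epoch seconds of last device posture check
    device_compliant: bool        # outcome of that posture check


def freshness(verified_at: float, now: float, max_age: float) -> float:
    """Linear decay: 1.0 at verification time, 0.0 once max_age has elapsed."""
    age = now - verified_at
    if age < 0:  # timestamp in the future: treat as never verified
        return 0.0
    return max(0.0, 1.0 - age / max_age)


def trust_score(session: Session, now: float) -> float:
    """Trust is only as fresh as the stalest of the two verifications."""
    if not session.device_compliant:
        return 0.0
    return min(
        freshness(session.user_authenticated_at, now, MAX_AUTH_AGE),
        freshness(session.device_checked_at, now, MAX_POSTURE_AGE),
    )


def authorize(session: Session, resource_tier: str, now: float) -> str:
    """Evaluated on every request; network location is deliberately not an input."""
    required = REQUIRED_TRUST.get(resource_tier)
    if required is None or not session.device_compliant:
        return "deny"
    if trust_score(session, now) >= required:
        return "allow"
    return "reauthenticate"  # verification is stale for this tier: verify again
```

The same session that reaches a sensitive resource right after verification is sent back to re-verify two minutes later, while lower tiers stay reachable for longer.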

At the opposite end of the spectrum, well-architected cybersecurity networks on the Edge also provide an extra layer of protection without ever connecting to the public internet. Micro data centers allow data to be processed and stored entirely within a local network that is not connected to the public cloud. Therefore, requests can be terminated within the closed chain between the user and the micro data centre without ever reaching the public internet.

Of course, the most fail-safe way to protect user data from vulnerable hardware is to not store it at all. How many embarrassing private data leaks do we need to suffer before accepting that, the threat of ‘backdoors’ to China notwithstanding, data breaches are the new normal? The writing is on the wall. The age of automated networked devices powered by Huawei-manufactured 5G infrastructure is already here. Governments and corporate players have a heightened responsibility to protect the right to privacy of customers, citizens and private individuals alike.

The cybersecurity discussion we should be having is how to decouple bulk data collection from our core business practices.