6 Jun 2013

Chinese hardware and the UK’s cybersecurity

The Intelligence and Security Committee’s assessment of how Chinese hardware ended up at the heart of the UK’s communications network makes for worrying reading. But like so many cybersecurity reports, it lacks hard evidence that anything’s actually gone wrong.

In 2003 when BT wanted to upgrade its network, it chose Huawei among others. Ministers were only told about this after the contract had been signed, and for three years it seems Huawei’s kit was handling chunks of our critical infrastructure with no-one really asking any questions.

As today’s ISC report states: “Its equipment permeates the UK’s fixed and mobile telecommunications infrastructure.”

And now it turns out the body tasked with keeping an eye on Huawei is paid for by…  Huawei.

Why the concern about the company? It doesn’t help that it was set up by a former People’s Liberation Army officer, and that the US has said the risks of involving the company in American critical systems “could undermine core US national security interests”.

Huawei vehemently denies any connection with the Chinese state. It says it is a highly reputable international company which supplies many governments in many countries, and that it receives no financial support from the Chinese Government.

During the years Huawei’s routers have been humming away in the background in the UK, the security of communications has risen in importance. More and more of our critical stuff – from food logistics to the energy network – relies on lightning-fast communication. The extreme scenario is that in a conflict any access to these critical aspects of life could be exploited as part of a “cyberwar”. But at the more realistic end of the debate is the worry that everyday information is gradually leaking away to our competitors, draining our national economic ability.

As government got up to speed on these risks, its solution was to set up the Cyber Security Evaluation Centre, or “The Cell” (someone’s watched too many episodes of Spooks). This group of technical and security staff is run by a former deputy director from the government’s surveillance agency GCHQ, and oversees software updates on Huawei’s UK equipment.

The problems are: the cell is funded by Huawei; it’s currently operating at “reduced capacity”; and as GCHQ points out, there are more than a million lines of computer code in BT’s network and “it is just impossible to go through that much code and be absolutely confident you have found everything”.

The ISC report states: “The Security Service had already told us in early 2008 that, theoretically, the Chinese State may be able to exploit any vulnerabilities in Huawei’s equipment in order to gain some access to the BT network, which would provide them with an attractive espionage opportunity.”

 The key word there is “theoretically”, and it cuts to the heart of the problem with today’s report. If the intelligence services are so worried about Huawei, they have had six years to analyse the kit and code for the hard evidence to substantiate their concerns. If they’d found something solid, would they really be leaving it to the ISC to issue a circumspect report warning of theoretical risks?

Surely if there is hard evidence that Huawei’s equipment is spiriting vital data abroad, BT can terminate the contract, pull Huawei’s routers out and replace them?

Perhaps the intelligence services have no hard evidence against Huawei, in which case today’s report starts to look like innuendo. In the long run that will actually make action on Huawei less likely. Many information security people I speak to are adamant China is leading the way on “state sponsored hacking”, but the more unsubstantiated reports there are, the more China will be able to argue it is the target of a baseless whispering campaign.

There is a deeper issue here, of which the government’s struggle with Huawei is only one symptom – the growth of the internet has accelerated privatisation and globalisation; this has taken control over key aspects of our lives out of the hands of our Government. If it wants to wrest control back, it’s going to have to come up with better stuff than today’s report.

Follow @GeoffWhite247 on Twitter