Huawei doesn't see open source as the fix for spying accusations (but it should)

The closed-source, opaque operation of network equipment makes spying accusations difficult to disprove. This could be solved by opening the software stack, but Huawei CSO Andy Purdy disagrees.


Networking equipment is one of the last bastions of technology where opaque, proprietary, closed-source hardware continues to thrive. This opacity—combined with networking equipment functioning as the backbone of enterprise computing—creates a fertile breeding ground for fear, uncertainty, and doubt to proliferate. As a result of this, Huawei has spent nearly a decade embattled by accusations of spying for the Chinese government, and since May, a blacklisting.

As a quick historical review, in April, a Bloomberg report claimed evidence of a "backdoor" in Huawei networking equipment, which turned out to be an exposed Telnet interface—a problem found in networking equipment from a variety of vendors, including Cisco, over the last five years. Despite this being a common problem, Bloomberg's Tim Culpan breathlessly declared it a "smoking gun" in a companion editorial.


For comparison, Cisco's reputation for security is abysmal, though to their credit, Cisco is upfront about disclosures. ZDNet's Catalin Cimpanu called the most recent Cisco vulnerabilities "as bad as it gets in terms of security flaws," and Cisco paid an $8.6 million settlement last month for selling vulnerable software to the US government. In May and June, critical flaws earning 9.8/10 CVSS scores were found in Cisco equipment, and a separate flaw in the company's Trust Anchor module, published in May, allows anyone to plant persistent backdoors in Cisco equipment over the internet, without requiring physical access.

Yet, Huawei garners more attention for… being Chinese, apparently. Despite pressure from the Trump administration on telecoms not to sell Huawei phones or use Huawei equipment in mobile networks, concerns over Huawei date back to at least 2012, following the release of a House Intelligence Committee report claiming "the risks associated with Huawei's and ZTE's provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests," and accusing the pair of being complicit in Chinese government espionage activities.

Aside from political claims, Huawei's security reputation is at least as bad as Cisco's, with the UK Huawei Cyber Security Evaluation Centre (HCSEC) oversight board finding in March that "no material progress" had been made in remediating issues reported the prior year. Though these issues relate to basic engineering and cybersecurity competence, the board "does not believe that the defects identified are a result of Chinese state interference."

Finite State issued a report in June noting that Huawei "does not keep their components up-to-date," adding that "When just looking at the most recent version of each firmware image, the average age of third-party components is 5.36 years," with "thousands of instances of components" over 10 years old. The oldest in-service components are from 1999. These are open-source components, such as OpenSSL, OpenSSH, BusyBox, and the Linux kernel. 
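The kind of component-age audit the Finite State report describes (average age of third-party components in the most recent version of each firmware image, and the count of instances older than ten years) can be computed from a component inventory. The following is an added example, not code from the report, Finite State or Huawei; the inventory, image names, versions and release dates are constructed:

```python
from datetime import date
from statistics import mean

# Constructed sample inventory (not real data): one record per
# (firmware image, image version, third-party component, upstream
# release date), as a firmware analysis tool might emit after unpacking.
INVENTORY = [
    ("router-a", "1.0", "openssl", "2010-03-29"),
    ("router-a", "2.0", "openssl", "2016-05-03"),
    ("router-a", "2.0", "busybox", "2008-01-10"),
    ("switch-b", "3.1", "linux",   "2013-06-30"),
    ("switch-b", "3.1", "openssh", "1999-12-01"),
]


def _ver(v):
    # Compare dotted versions numerically, so "2.0" > "1.10".
    return tuple(int(p) for p in v.split("."))


def latest_images(inventory):
    """Keep only records from the newest version of each image, i.e. the
    'most recent version of each firmware image' view used in the report."""
    newest = {}
    for image, version, _, _ in inventory:
        if image not in newest or _ver(version) > _ver(newest[image]):
            newest[image] = version
    return [r for r in inventory if r[1] == newest[r[0]]]


def component_age_report(inventory, as_of, stale_years=10):
    """Average third-party component age in years over the latest image
    versions, the instances older than stale_years, and the oldest release."""
    recent = latest_images(inventory)
    today = date.fromisoformat(as_of)
    ages = [(today - date.fromisoformat(r[3])).days / 365.25 for r in recent]
    return {
        "average_age_years": round(mean(ages), 2),
        "stale_instances": [(r[0], r[2]) for r, a in zip(recent, ages)
                            if a > stale_years],
        "oldest_release": min(r[3] for r in recent),
    }


if __name__ == "__main__":
    # Audit date is constructed to match the report's timeframe.
    print(component_age_report(INVENTORY, "2019-08-01"))
```

On the sample inventory, the old OpenSSL on router-a version 1.0 is ignored because version 2.0 supersedes it, while BusyBox and OpenSSH are flagged as stale.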

Why open source is a viable solution to Huawei's problem

There's an aphorism called "Linus's Law" which states "Given enough eyeballs, all bugs are shallow." This plausibly applies to Huawei's circumstances: Publishing the full source code to Huawei products is a simplistic—and maximalist—way of dealing with security vulnerabilities and undercutting the accusations of spying that have plagued Huawei for years.

Opening Huawei products to third-party scrutiny would—at a minimum—surface situations where third-party open-source libraries are not being properly updated, and would give security researchers the ability to identify vulnerabilities in Huawei-developed code. Such an initiative could also be used to create a shared build platform, making security updates easier to deploy across different device models.

The Free Software Foundation Europe previously called on Huawei to open source their products, stating that "The discussion of the Huawei security concerns showcases a general trust issue when it comes to critical infrastructure. A first step to solve this problem is to publish the code under a Free and Open Source Software licence and take measures to facilitate its independently-verifiable distribution," and "It is not just about the Chinese company but about a general lack of transparency within this sector."

Andy Purdy, chief security officer for Huawei America, is not convinced. 

"I don't think it's just spying, it's more than that. It's basically around security and what we would do at the behest of the Chinese government, if they forced us to," Purdy told TechRepublic. 

"Other than the software and firmware that are officially part of the products, there's the ability to implant code in hardware, separate from all of that, that can provide hidden functionality," Purdy said, raising the example of the widely-condemned Bloomberg report on Supermicro, for which Apple CEO Tim Cook demanded a retraction. "Having open source would not solve that problem. Whether it makes sense for other reasons… I'm not entirely sure," Purdy added.

"We spent $15 billion in R&D last year—a reasonable amount of which was in 5G—and open source can't do that, I don't think. Maybe, eventually, over time it could do it. But, open source can't give you that innovative functionality you're looking for, I don't think. I don't see how it could," Purdy said. "Otherwise we're spending money on R&D for nothing. I don't know that we would spend money for R&D—that we would create our own software—that we would immediately make it open source to allow others to use it for free?"

Of note, the OpenDaylight software defined networking (SDN) project counts Huawei as a contributor (which, incidentally, is how Huawei X.509 certificates wound up on Cisco switches). 

It's time for independently-verifiable third party firmware for enterprise networking

There is precedent for this type of proposal on other networked devices. Custom Android ROMs, like LineageOS (formerly CyanogenMod), have rehabilitated smartphones abandoned by their original manufacturer—providing security updates and improving performance beyond what was achievable using vendor-provided software. Likewise, OpenWrt is a popular aftermarket router firmware project, adding features, improving security, and giving more control to device owners.

The prospect of a third-party firmware for commercial-grade networking equipment is overdue, and is one Huawei should embrace. By being the first networking equipment vendor to relinquish control of the software stack, Huawei could differentiate itself in security in a meaningful way, and undercut accusations of spying.

For more, check out "Newly released Sailfish 3.1 isn't ready to be Huawei's 'plan B' OS" and "Alibaba releases its first RISC-V CPU as open source solution for 5G and AI" on TechRepublic.
