Huawei has had a lot to deal with over the last few years.
Primarily, U.S. government officials have warned that the Chinese technology firm could be used as a tool for government surveillance or other intelligence operations, specifically via backdoors in its mobile networks. The Trump administration has banned Huawei technologies’ use in the federal government and made it difficult for the company to do business in the U.S. In recent months, the Department of Justice has alleged a Huawei subsidiary, has helped Iran run surveillance operations. Huawei technicians have also been accused of helping surveil targets in Africa.
In order to answer to each and every accusation, Huawei sent two of its top cybersecurity officials — Chief Security Officer Andy Purdy and Vice President of Risk Management and Partner Relations Tim Danks — to the RSA Conference in San Francisco last week. In an interview with CyberScoop, the company’s executives continued toeing the company line: that all the pressure exerted by the U.S. government is only going to hurt American businesses.
But a new wrinkle in their argument emerged when pressed on alleged surveillance operations: the executives indicated they don’t really have visibility into how their technology is used.
The interview comes at a tenuous time for both the U.S. government and Huawei. The U.K., one of America’s closest allies, recently announced it won’t ban Huawei gear from its 5G mobile networks, even after the U.S. allegedly shared information about Huawei having access to mobile network backdoors. In response, a bipartisan group of U.S. senators appealed to the members of the House of Commons, urging them to revisit their decision given the “significant security, privacy, and economic threats posed” by Huawei.
Additionally, the company’s challenge to the U.S. law barring federal agencies from doing business with it suffered a blow last month when a federal judge dismissed the suit.
‘We don’t know where this stuff is going to be used’
When asked about allegations that Skycom, the alleged Huawei subsidiary, has aided Iran in domestic surveillance, including in 2009, Purdy and Danks said they were unaware of specific activities.
“I can’t imagine that we knowingly did it,” Purdy told CyberScoop.
Purdy suggested Huawei is not keeping track of how its technologies are being used globally.
“Generally around the world, we sell our products,” Purdy said, adding “we don’t know where this stuff is going to be used … I just don’t know.”
The company has consistently claimed it does not aid in Chinese intelligence operations, even if required by a Chinese intelligence law passed in 2017 that requires Chinese companies and individuals to “support, assist, and cooperate with the state intelligence work.”
‘No company is perfect’
When asked whether Huawei ensures its employees refrain from participating in other countries’ surveillance programs, Purdy acknowledged “no company is perfect.”
“It’s a major challenge within companies,” Purdy said. “I think in the last years I’ve been there we’ve dramatically improved our ability to have strong ethics and compliance.”
Last year, when the Wall Street Journal reported that Huawei technicians helped the governments of Uganda and Zambia surveil political opponents or dissidents, the company said its internal investigation “shows clearly that Huawei and its employees have not been engaged in any of the activities alleged.”
Purdy acknowledged that “no company can guarantee that individual employees won’t do bad things,” stating again that Huawei may not have full visibility into how its technologies are used.
Danks and Purdy were unsure if the technicians alleged to have helped surveillance operations in Uganda and Zambia were identified, fired, or held accountable in any way. The executives told CyberScoop they were checking on the status of those employees, but failed to return comment by the time this article was published.
While many of the allegations against Huawei have been classified, one public report released in the last year assessing Huawei’s tech was pretty damning. The U.K.’s Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board assessed in 2019 that Huawei’s software engineering and development practices do not meet basic security expectations. The report takes issue with software development processes, the possibility of memory safety vulnerabilities in Huawei technology, and poor coding that could even give an attacker access to “user traffic” or the ability to take down an entire network. The public report also indicates that on multiple occasions, Huawei has failed to address the concerns that the U.K. board has raised.
When CyberScoop asked the company executives to address the report’s findings, Purdy and Danks indicated they they were unaware of the report, and would only say Huawei is working across the board to improve its engineering practices.
“We are comprehensively improving our software engineering processes so that we can address exploitable vulnerabilities,” Purdy told CyberScoop, declining to share details on what that work entailed or any progress made.
When CyberScoop pressed the executives to explain what Huawei is doing to address coding issues, Purdy and Danks defended the company’s software development processes, claiming that the company is still experiencing “growing pains.”
“If you look back [to] sometime in Microsoft’s history, we’re going through kind of a similar thing — [Microsoft] had quality issues,” Danks told CyberScoop. “We’re only a 30-year-old company. Considering where we started and where we are today it’s been an expansive exponential growth and development … with that comes a few growing pains.”
With regards to the notion that Huawei has created a backdoor in mobile networks for the Chinese government, Danks and Purdy said it’s nothing more than the U.S. government engaging in fearmongering. Purdy urged that if the U.S. government has evidence of any such backdoor, it should publicly release it.
“There’s a lot of sowing of FUD — fear, uncertainty and doubt — by putting something out like this,” Danks said.
Danks further suggested that the U.S. intelligence community should turn its attention to those responsible for running mobile networks, a thinly-veiled allusion to the National Security Agency’s controversial work with U.S. telecommunications companies in years past.
“This is not about just the vendors,” Danks said. “Network operators have a shared responsibility in managing these networks.”
Purdy, a former Department of Homeland Security official, told CyberScoop that despite his defense of Huawei, he understands the U.S. government’s position, given recent revelations on the U.S. government’s history with backdoors in equipment made by private companies.
A report in the Washington Post last month revealed a decades-long joint operation between the CIA and NSA to undermine encryption in machines produced by Crypto AG so intelligence officers could spy on adversaries and allies alike. And just as the U.S. injected cash into Crypto AG in order to maintain its spying operations, Huawei is heavily subsidized by the Chinese government.
“I have a pretty good idea where the U.S. government is coming from,” Purdy told CyberScoop. “The Crypto AG is a perfect example.”