Monday, 01 April 2019 11:29

Huawei report: errors of omission, not commission


ANALYSIS That the British report into Huawei's operations in the UK used strong language to point out the engineering deficiencies in the company's approach, and then did not recommend a ban on using its equipment in telecommunications, is indeed puzzling.

The only logical conclusion that can be drawn is that the Huawei Cyber Security Evaluation Centre Oversight Board considered the shortcomings to be errors of omission, not commission.

In other words, there was no malicious intention behind the sloppiness uncovered, just plain incompetence. This is not surprising given that a majority of coders the world over have very little idea about security.

Unlike the Americans, who have been throwing mud at Huawei for years in the hope that some will stick, the British report took an evidence-based approach.

Some of the issues identified were because of software choices: for example, Huawei's use of version 5.5 of Wind River’s VxWorks real-time operating system, which has reached its end-of-life, in much of its network equipment. The company has obtained an extended support contract from VxWorks, but that runs out in 2020.

Though the Shenzhen-based company has developed a new operating system based on Linux, the report said that the security of this new OS could not be guaranteed due to existing deficiencies in engineering processes.

In some cases, the HCSEC report found that processes which were set out in Huawei's own operations manual were not being followed by its staff.

While four products had been provided to test binary equivalence (that is, to verify that the binary was built from the same source code which had been viewed), there were issues in the underlying build process, the report said.

Similarly, build-related issues made it difficult to be sure that different deployments of similar equipment had broadly the same level of security.

"For example, it is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process," the report said.

"The ability to do so, and the end-to-end assurance that a particular source code set is precisely that used to build a particular binary would normally be satisfied as a side effect of a modern software engineering process."

Additionally, configuration management improvements, which had been driven by the UK community since 2010, had not been applied across product and platform development groups or across configuration item types (source code, build tools, build scripts, etc).

There were other engineering issues identified as well, but the point made was the same: Huawei needs to get its act in order, or else the comments will be harsher next time.

Britain's Department for Digital, Culture, Media and Sport is carrying out a review of telecommunications supply arrangements, and that review will have the final say on what kind of role Huawei plays in the UK's 5G rollout.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
