Monday, 01 April 2019 11:29

Huawei report: errors of omission, not commission

By Sam Varghese

ANALYSIS It is indeed puzzling that the British report into Huawei's operations in the UK used strong language to point out the engineering deficiencies in the company's approach, yet did not recommend a ban on using its equipment in telecommunications.

The only logical conclusion that can be drawn is that the Huawei Cyber Security Evaluation Centre Oversight Board considered the shortcomings to be errors of omission, not commission.

In other words, there was no malicious intent behind the sloppiness uncovered, just plain incompetence. This is not surprising, given that a majority of coders the world over have very little idea about security.

Unlike the Americans, who have been throwing mud at Huawei for years in the hope that some will stick, the British report took an evidence-based approach.

Some of the issues identified stemmed from software choices: for example, Huawei's use of version 5.5 of Wind River's VxWorks real-time operating system, which has reached its end-of-life, in much of its network equipment. The company has obtained an extended support contract for VxWorks, but that runs out in 2020.

Though the Shenzhen-based company has developed a new operating system based on Linux, the report said that the security of this new OS could not be guaranteed due to existing deficiencies in engineering processes.

In some cases, the HCSEC report found that processes which were set out in Huawei's own operations manual were not being followed by its staff.

While four products had been provided to test binary equivalence - that is, to verify that the shipped binary was built from exactly the source code that had been reviewed - there were issues in the underlying build process, the report said.

Similarly, build-related issues made it difficult to be sure that different deployments of similar equipment had broadly the same level of security.

"For example, it is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process," the report said.

"The ability to do so, and the end-to-end assurance that a particular source code set is precisely that used to build a particular binary would normally be satisfied as a side effect of a modern software engineering process."
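As an added illustration (not code from the report, HCSEC or Huawei) of the binary-equivalence and end-to-end source-to-binary assurance the report describes: a deterministic rebuild of a reviewed source set is compared byte for byte against the delivered artifact, alongside a naive build that lets file timestamps leak in. The "build" is zip packaging standing in for a real compiler, and the sample source files are constructed.

```python
"""Binary-equivalence check as the HCSEC report frames it: rebuild the
reviewed source set deterministically, compare with the delivered artifact.
Assumption: the 'build' is zip packaging standing in for a real compile."""
import hashlib, io, os, tempfile, zipfile

FIXED_DATE = (1980, 1, 1, 0, 0, 0)   # stands in for SOURCE_DATE_EPOCH
SAMPLE = {"main.c": b"int main(void){return 0;}\n",   # constructed sample
          "lib/util.h": b"#define LIMIT 1\n"}

def make_sample_tree(mtime):
    """Write the constructed sample source set to a temp dir with given mtime."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))
    return root

def entries(src_dir):
    """(relative posix path, absolute path) of every file under src_dir."""
    return [(os.path.relpath(os.path.join(r, n), src_dir).replace(os.sep, "/"),
             os.path.join(r, n)) for r, _, fs in os.walk(src_dir) for n in fs]

def source_set_id(src_dir):
    """Identity of the viewed source set: sha256 over sorted (path, content)."""
    h = hashlib.sha256()
    for rel, path in sorted(entries(src_dir)):
        with open(path, "rb") as f:
            h.update(rel.encode() + b"\0" + f.read() + b"\0")
    return h.hexdigest()

def build(src_dir, deterministic=True):
    """Deterministic: pinned entry order and timestamps. Naive: directory
    order and filesystem mtimes leak in, so equal sources give different bytes."""
    ents = sorted(entries(src_dir)) if deterministic else entries(src_dir)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel, path in ents:
            if not deterministic:
                zf.write(path, rel)           # date_time comes from mtime
                continue
            info = zipfile.ZipInfo(rel, date_time=FIXED_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            with open(path, "rb") as f:
                zf.writestr(info, f.read())
    return buf.getvalue()

def verify_binary_equivalence(src_dir, delivered, expected_source_id):
    """Source set is the reviewed one AND a clean rebuild reproduces it byte for byte."""
    return source_set_id(src_dir) == expected_source_id and build(src_dir) == delivered
```

Two trees with identical content but different mtimes rebuild identically only in deterministic mode; a changed source file or a changed artifact fails verification.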

Additionally, configuration management improvements, which had been driven by the UK community since 2010, had not been applied across product and platform development groups or across configuration item types (source code, build tools, build scripts etc).

There were other engineering issues identified as well, but the point made was the same: Huawei needs to get its act together, or the next report's comments will be harsher.

Britain's Department for Digital, Culture, Media and Sport is carrying out a review of telecommunications supply arrangements, and that review will have the final say on what kind of role Huawei plays in the UK's 5G rollout.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
