Huawei Calls for GDPR-Like Security Regime, Denies Spying (Again)

BRUSSELS -- Huawei has urged European authorities to take the lead in developing standardized security rules that would test network equipment from all vendors as it tries to overcome doubts about the safety of its kit.

Ken Hu, one of the Chinese equipment giant's rotating chairmen, said the European Union had already proven its ability to drive "unified standards" with the General Data Protection Regulation (GDPR) around online privacy.

"It sets clear standards, defines responsibilities for all parties and applies equally to all companies operating in Europe," he said during a press event in Brussels earlier today. "As a result, GDPR has become the golden standard for privacy protection around the world. We believe that European regulators can also lead the way on similar mechanisms for cybersecurity."

The Huawei executive has this week been in discussions with Andrus Ansip, the European Commission's digital head, about the development of a GDPR-like scheme for cybersecurity in Europe. "We hope that will lay fair ground for all technology providers and service providers to contribute to digital development in Europe."

The initiative comes while the US ratchets up pressure on European governments to ban Huawei on grounds of national security. Claiming it has close links to the Chinese government, critics say Huawei's products may include "backdoors" allowing Chinese authorities to spy on other countries.

Regulators in Australia, Japan, Taiwan, New Zealand and the US have already imposed some form of restriction on Huawei, and other countries are still weighing their options.

Figure 1: Huawei's Cyber Security Transparency Center in Brussels: Now open for business.

Huawei has been on a charm offensive to persuade regional authorities of its transparency and trustworthiness, but it was today forced in Brussels to repeat its denials of any collusion with Chinese authorities. "We have never received any order from the Chinese government," said Vincent Pang, the head of Huawei's business in western Europe. "Mr Ren [Zhengfei, Huawei's founder] said clearly that if we receive this kind of thing he will refuse. If he cannot he will close the company. That is a clear statement."

The Chinese kit supplier is increasingly desperate to show its gear is rigorously tested after UK authorities flagged vulnerabilities in its source code during a review last year. The Huawei Cyber Security Evaluation Centre (HCSED), where UK security agencies have access to Huawei's technology, said last July that shortcomings in Huawei's engineering processes had exposed new security risks.

Among other things, Huawei was criticized for using third-party software that was "not subject to sufficient control."

Huawei has promised to spend another $2 billion over the next five years on improvements to its engineering capabilities while it awaits a UK government decision in coming weeks about possible restrictions on its involvement in the telecom market.

Brussels sprouts new transparency center
Earlier today, it opened a new cybersecurity center in Brussels where customers will be given access to Huawei's source code and the freedom to test and validate its network software.

However, the Brussels facility -- which Huawei is describing as a "transparency" center -- will not operate in the same way as the UK's HCSED. A Huawei spokesperson who showed reporters around the new facility told Light Reading that European security agencies would not have unfettered access.

Answering questions on the same topic, John Suffolk, Huawei's global cybersecurity and privacy officer, said: "There is no licensing or oversight required for this. There is no government oversight in terms of the center. If governments want to come and bring third parties, we are happy with that."

Suffolk told reporters that no security checks could provide absolute guarantees because of the complexity of the global supply chain. Only around 30% of the components in a "Huawei box" typically come from Huawei, he said.

"We don't just look at Huawei," he explained. "We have to prove for all the components we have embedded all known vulnerabilities are removed … But if the vulnerability is not known by your third party, there is no perfect answer, and therefore you can't say all software is vulnerability free."

You're invited to attend Light Reading’s Big 5G Event! Formerly the Big Communications Event and 5G North America, Big 5G is where telecom's brightest minds deliver the critical insight needed to piece together the 5G puzzle. We'll see you May 6-8 in Denver -- communications service providers get in free!

Suffolk also downplayed concerns triggered by the arrival of 5G, a next-generation mobile technology that could provide data connectivity for industrial equipment and other objects. While this would make the "attack surface" much bigger, the 5G standard is more secure than 4G technology because it tackles various flaws in mobile network technology, including signaling protocol errors, according to Suffolk.

Although it may help mitigate some of the concern about Huawei, the Brussels center is unlikely to be transparent enough for critics. Planned before the US campaign against Huawei had gathered momentum, it will not have a government oversight board or test products based on a common industry approach.

That may partly explain why Huawei is so keen on the idea of a GDPR-like security regime. Moves to adopt standardized security principles are also backed by the GSM Association, a lobby group for the mobile industry and the organizer of the Mobile World Congress (MWC) tradeshow.

"The only way to combat threats is by working together," said Alex Sinclair, the GSMA's chief technology officer, at Huawei's event. "It is too big and important for any individual or company or country. There is no silver bullet, but collaboration is key."

But the appearance of a security regime is unlikely to happen quickly enough for Huawei's opponents and its establishment would face numerous hurdles.

Ericsson CEO Börje Ekholm recently shot down a GSMA proposal for a post-development 5G testing regime as a "tax burden" and economic threat.

"There will be more features deployed in the network as we move into the enterprise segment and post-development testing will slow this down," he said during a press conference at this year's MWC last week. "Countries run the risk of being less competitive."

Related posts:

— Iain Morris, International Editor, Light Reading