Huawei's big role in open source threatens new security backlash

Chinese companies are among the biggest contributors to Kubernetes, and not everyone buys the arguments about open-source security.

Iain Morris, International Editor

June 9, 2022

9 Min Read
Huawei's big role in open source threatens new security backlash

Kubernetes, an open-source platform popular in the telecom industry, counts some of America's best-known technology companies among its biggest contributors.

Google, the progenitor of the project, unsurprisingly heads a community dashboard list partly shown below (and fully available here).

But Red Hat (owned by IBM), VMware, Microsoft, Intel, and IBM itself all feature in the top ten. Scanning that list, any US politician nervous about the security implications of open source can rest assured that Kubernetes is in safe hands.

Figure 1: Frosty reception: Chinese companies are among the biggest contributors to Kubernetes, and not everyone buys the arguments about open-source security. (Source: zhang kaiyv on Unsplash) Frosty reception: Chinese companies are among the biggest contributors to Kubernetes, and not everyone buys the arguments about open-source security.
(Source: zhang kaiyv on Unsplash)

Until they stumble upon the name of the seventh-biggest contributor, that is. Huawei, a Chinese equipment vendor banned on security grounds from numerous Western markets, is identified in that spot.

Further down, in seventeenth position, our increasingly jittery public servant encounters ZTE, a kind of miniaturized Huawei backed by China's government. Alibaba and Tencent, China's answers to US Big Tech, make it into the top 50 as well. And several other Chinese names feature in the top 100.

Detractors have long argued that open source is risky business because it exposes organizations to code written by naughty characters. But its use in critical infrastructure looks set to grow.

The clampdown on Chinese vendors has buoyed a technology alternative called open RAN, designed to standardize the interfaces between different parts of the radio access network. This, supporters argue, would afford more specialist vendors a role.

Yet open RAN, as envisaged by Europe's biggest operators, would also be heavily reliant on open-source code.

Rank

Contributor

Number of contributions

1

Google

1,007,294

2

Red Hat

387,789

3

VMware

259,276

4

Independent

109,765

5

Microsoft

101,464

6

IBM

96,887

7

Huawei

48,080

8

The Scale Factory

28,044

9

Intel

26,912

10

CNCF

21,886

11

Kubermatic

21,603

12

Amazon

21,414

13

NEC

21,250

14

Fujitsu

18,749

15

SUSE

17,003

16

WeaveWorks

16,775

17

ZTE

16,110

18

DaoCloud Network Technology

15,943

19

Hyper.sh

13,125

20

Samsung SDS

13,116

This much was made clear in a list of open RAN technical priorities, issued last year by Deutsche Telekom, Orange, Telefónica, TIM (Telecom Italia) and Vodafone.

Kubernetes, they said, should be the "mainstream implementation" of the cloud platform that hosts open RAN functions and applications. A follow-up document published earlier this year shows they have not changed their minds.

Western authorities are uneasy. In May, a report commissioned by EU member states about the cybersecurity implications of open RAN pointed out that "open-source software can provide attackers with a target-rich environment due to its widespread use."

Earlier in the same report they had noted that "the possible use of open-source components could mean that the vulnerabilities are publicly known and could therefore be more easily exploited by malicious actors."

Safety in numbers

The people who trade in open source dismiss these fears as nonsense. Code exposed to the world's scrutiny cannot logically be less secure than proprietary software hidden from view in development stage, they argue.

The safety-in-numbers rationale assumes that criminals stand little chance of breaking in and causing damage when there are so many sentries stationed around the building.

"The advantage of an open model is that many people review the code that goes into open-source projects," said Chris Wright, the chief technology officer of Red Hat.

"A lot of intellectual power goes into not just creating the code but also reviewing the code to make sure it meets the community's standards for what should be produced."

For a company like Huawei, already on the watchlist, slipping malicious code into Kubernetes would be like spiking a drink in public while forced to wear a "this barman is dodgy" T-shirt.

"Other members of the open-source community will always review any code submission," said James Crawshaw, a principal analyst at Omdia (a Light Reading sister company).

"If something is buried and comes to light, it would kill that company's reputation."

Want to know more about 5G? Check out our dedicated 5G content channel here on Light Reading.

No doubt, fears about open source stem partly from its relative immaturity compared with its proprietary cousin. Big corporations have grown used to buying software products developed entirely by other big corporations. A cultural change may be hard for some to contemplate or effect.

Yet Kubernetes has also "gone mainstream," its Linux backers were insisting in February, with adoption by large organizations on the rise. Last year, some 5.6 million developers, representing 31% of all backend developers worldwide, were using Kubernetes, according to analyst firm SlashData.

"That Kubernetes has security gaps is absolute nonsense," said Tareq Amin, the CEO of Rakuten Mobile, which is building a new mobile network in Japan.

"Kubernetes as an environment has evolved because of the community, not because of Google. The community made it better and hardened it. We need to get over these fears and start embracing the new world."

The China syndrome

Yet fear could prevail over logic. The open-source community likes to argue "there is no security in obscurity" when attacking proprietary software, and incidences of bugs and security gaps in software developed this way have been widely reported.

Given today's geopolitics, however, it may still look a more savory dish when served up by a trustworthy supplier rather than something laced with Chinese ingredients.

US hawks are already worried about China's influence over telecom standards like 5G. It is hard to believe they would not similarly worry about a Chinese infiltration of important open-source groups.

Security per se might not even be the real issue. That Huawei sees opportunity in open source would alarm Western opponents who accuse it of dumping products, stealing intellectual property and committing financial fraud.

China clearly views open-source research collaboration as a way to make up for US export controls, according to the Mercator Institute for China Studies (MERICS), a German thinktank that focuses on China.

In a blog published in 2020, Caroline Meinhardt, then a MERICS analyst, wrote about the likelihood that "international open-source collaborations with strong participation from Chinese entities will encounter more and more political resistance from the US."

Nor does everyone in the software community buy unquestioningly into the security argument that other coders will be able to fish out the iffy parts and clean them up.

"You assume the community will protect but it's a bit of a hope and a prayer," said Danielle Royston, the acting CEO of Totogi, a startup that develops telecom IT software based entirely on proprietary code.

Figure 2: Danielle Royston, acting CEO of Totogi, has her doubts developers can always be trusted to clean up the 'iffy' bits. (Source: Reuters/Alamy Stock Photo) Danielle Royston, acting CEO of Totogi, has her doubts developers can always be trusted to clean up the 'iffy' bits.
(Source: Reuters/Alamy Stock Photo)

John Strand, CEO of an advisory company called Strand Consult and an outspoken critic of China, is also unconvinced, writing in a new report that "many developers in the open-source community have a reputation for deprioritizing security."

In 2020, the Linux Foundation, the group ultimately behind Kubernetes, said contributors spend only 2.27% of their time on security issues and "do not desire to increase this significantly."

Intellectual property is an additional concern for companies incorporating open-source code into their products. The risks were outlined by VMware, a major contributor to Kubernetes, in a recent filing with the US Securities and Exchange Commission.

The licenses that come with open-source software do not typically include "warranties or assurance of title or controls on origin of the software," said the US company. That means VMware is subject to potential liability if something goes wrong.

If there is government concern, there is also indecision. Europe's report on open RAN highlights the attractions as well as the dangers of open-source code.

Among other things, it could "help reduce the risks related to dependency on a single supplier," wrote the authors. But there would be a touch of irony if European governments suppress Huawei in the mainstream 5G market only to see it pop up like a mole evading a mallet as one of open source's key players.

Vendors who spoke with Light Reading at Informa's recent Big 5G Event in Austin believe the next mobile standard could fracture along geopolitical fault lines.

As relations between China and the West grow frostier, the 3GPP – an umbrella group of regional standards bodies – may struggle to survive. For international open-source groups to prosper in this environment would be a remarkable feat.

Related posts:

— Iain Morris, International Editor, Light Reading

Read more about:

AsiaEurope

About the Author

Iain Morris

International Editor, Light Reading

Iain Morris joined Light Reading as News Editor at the start of 2015 -- and we mean, right at the start. His friends and family were still singing Auld Lang Syne as Iain started sourcing New Year's Eve UK mobile network congestion statistics. Prior to boosting Light Reading's UK-based editorial team numbers (he is based in London, south of the river), Iain was a successful freelance writer and editor who had been covering the telecoms sector for the past 15 years. His work has appeared in publications including The Economist (classy!) and The Observer, besides a variety of trade and business journals. He was previously the lead telecoms analyst for the Economist Intelligence Unit, and before that worked as a features editor at Telecommunications magazine. Iain started out in telecoms as an editor at consulting and market-research company Analysys (now Analysys Mason).

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like