x
Security

Huawei's big role in open source threatens new security backlash

Kubernetes, an open-source platform popular in the telecom industry, counts some of America's best-known technology companies among its biggest contributors.

Google, the progenitor of the project, unsurprisingly heads a community dashboard list partly shown below (and fully available here).

But Red Hat (owned by IBM), VMware, Microsoft, Intel, and IBM itself all feature in the top ten. Scanning that list, any US politician nervous about the security implications of open source can rest assured that Kubernetes is in safe hands.

Frosty reception: Chinese companies are among the biggest contributors to Kubernetes, and not everyone buys the arguments about open-source security.  (Source: zhang kaiyv on Unsplash)
Frosty reception: Chinese companies are among the biggest contributors to Kubernetes, and not everyone buys the arguments about open-source security.
(Source: zhang kaiyv on Unsplash)

Until they stumble upon the name of the seventh-biggest contributor, that is. Huawei, a Chinese equipment vendor banned on security grounds from numerous Western markets, is identified in that spot.

Further down, in seventeenth position, our increasingly jittery public servant encounters ZTE, a kind of miniaturized Huawei backed by China's government. Alibaba and Tencent, China's answers to US Big Tech, make it into the top 50 as well. And several other Chinese names feature in the top 100.

Detractors have long argued that open source is risky business because it exposes organizations to code written by naughty characters. But its use in critical infrastructure looks set to grow.

The clampdown on Chinese vendors has buoyed a technology alternative called open RAN, designed to standardize the interfaces between different parts of the radio access network. This, supporters argue, would afford more specialist vendors a role.

Yet open RAN, as envisaged by Europe's biggest operators, would also be heavily reliant on open-source code.

Table 1: Contributions to Kubernetes in last decade

Rank Contributor Number of contributions
1 Google 1,007,294
2 Red Hat 387,789
3 VMware 259,276
4 Independent 109,765
5 Microsoft 101,464
6 IBM 96,887
7 Huawei 48,080
8 The Scale Factory 28,044
9 Intel 26,912
10 CNCF 21,886
11 Kubermatic 21,603
12 Amazon 21,414
13 NEC 21,250
14 Fujitsu 18,749
15 SUSE 17,003
16 WeaveWorks 16,775
17 ZTE 16,110
18 DaoCloud Network Technology 15,943
19 Hyper.sh 13,125
20 Samsung SDS 13,116
(Source: Community dashboard for the Kubernetes project)

This much was made clear in a list of open RAN technical priorities, issued last year by Deutsche Telekom, Orange, Telefónica, TIM (Telecom Italia) and Vodafone.

Kubernetes, they said, should be the "mainstream implementation" of the cloud platform that hosts open RAN functions and applications. A follow-up document published earlier this year shows they have not changed their minds.

Western authorities are uneasy. In May, a report commissioned by EU member states about the cybersecurity implications of open RAN pointed out that "open-source software can provide attackers with a target-rich environment due to its widespread use."

Earlier in the same report they had noted that "the possible use of open-source components could mean that the vulnerabilities are publicly known and could therefore be more easily exploited by malicious actors."

Safety in numbers

The people who trade in open source dismiss these fears as nonsense. Code exposed to the world's scrutiny cannot logically be less secure than proprietary software hidden from view in development stage, they argue.

The safety-in-numbers rationale assumes that criminals stand little chance of breaking in and causing damage when there are so many sentries stationed around the building.

"The advantage of an open model is that many people review the code that goes into open-source projects," said Chris Wright, the chief technology officer of Red Hat.

"A lot of intellectual power goes into not just creating the code but also reviewing the code to make sure it meets the community's standards for what should be produced."

For a company like Huawei, already on the watchlist, slipping malicious code into Kubernetes would be like spiking a drink in public while forced to wear a "this barman is dodgy" T-shirt.

"Other members of the open-source community will always review any code submission," said James Crawshaw, a principal analyst at Omdia (a Light Reading sister company).

"If something is buried and comes to light, it would kill that company's reputation."


Want to know more about 5G? Check out our dedicated 5G content channel here on Light Reading.


No doubt, fears about open source stem partly from its relative immaturity compared with its proprietary cousin. Big corporations have grown used to buying software products developed entirely by other big corporations. A cultural change may be hard for some to contemplate or effect.

Yet Kubernetes has also "gone mainstream," its Linux backers were insisting in February, with adoption by large organizations on the rise. Last year, some 5.6 million developers, representing 31% of all backend developers worldwide, were using Kubernetes, according to analyst firm SlashData.

"That Kubernetes has security gaps is absolute nonsense," said Tareq Amin, the CEO of Rakuten Mobile, which is building a new mobile network in Japan.

"Kubernetes as an environment has evolved because of the community, not because of Google. The community made it better and hardened it. We need to get over these fears and start embracing the new world."

The China syndrome

Yet fear could prevail over logic. The open-source community likes to argue "there is no security in obscurity" when attacking proprietary software, and incidences of bugs and security gaps in software developed this way have been widely reported.

Given today's geopolitics, however, it may still look a more savory dish when served up by a trustworthy supplier rather than something laced with Chinese ingredients.

US hawks are already worried about China's influence over telecom standards like 5G. It is hard to believe they would not similarly worry about a Chinese infiltration of important open-source groups.

Security per se might not even be the real issue. That Huawei sees opportunity in open source would alarm Western opponents who accuse it of dumping products, stealing intellectual property and committing financial fraud.

China clearly views open-source research collaboration as a way to make up for US export controls, according to the Mercator Institute for China Studies (MERICS), a German thinktank that focuses on China.

In a blog published in 2020, Caroline Meinhardt, then a MERICS analyst, wrote about the likelihood that "international open-source collaborations with strong participation from Chinese entities will encounter more and more political resistance from the US."

Nor does everyone in the software community buy unquestioningly into the security argument that other coders will be able to fish out the iffy parts and clean them up.

"You assume the community will protect but it's a bit of a hope and a prayer," said Danielle Royston, the acting CEO of Totogi, a startup that develops telecom IT software based entirely on proprietary code.

Danielle Royston, acting CEO of Totogi, has her doubts developers can always be trusted to clean up the 'iffy' bits.  (Source: Reuters/Alamy Stock Photo)
Danielle Royston, acting CEO of Totogi, has her doubts developers can always be trusted to clean up the 'iffy' bits.
(Source: Reuters/Alamy Stock Photo)

John Strand, CEO of an advisory company called Strand Consult and an outspoken critic of China, is also unconvinced, writing in a new report that "many developers in the open-source community have a reputation for deprioritizing security."

In 2020, the Linux Foundation, the group ultimately behind Kubernetes, said contributors spend only 2.27% of their time on security issues and "do not desire to increase this significantly."

Intellectual property is an additional concern for companies incorporating open-source code into their products. The risks were outlined by VMware, a major contributor to Kubernetes, in a recent filing with the US Securities and Exchange Commission.

The licenses that come with open-source software do not typically include "warranties or assurance of title or controls on origin of the software," said the US company. That means VMware is subject to potential liability if something goes wrong.

If there is government concern, there is also indecision. Europe's report on open RAN highlights the attractions as well as the dangers of open-source code.

Among other things, it could "help reduce the risks related to dependency on a single supplier," wrote the authors. But there would be a touch of irony if European governments suppress Huawei in the mainstream 5G market only to see it pop up like a mole evading a mallet as one of open source's key players.

Vendors who spoke with Light Reading at Informa's recent Big 5G Event in Austin believe the next mobile standard could fracture along geopolitical fault lines.

As relations between China and the West grow frostier, the 3GPP – an umbrella group of regional standards bodies – may struggle to survive. For international open-source groups to prosper in this environment would be a remarkable feat.

Related posts:

— Iain Morris, International Editor, Light Reading

Be the first to post a comment regarding this story.
HOME
Sign In
SEARCH
CLOSE
MORE
CLOSE