Huawei CSO: Secure Networks Do Not Trust Anyone

Some U.S. lawmakers are concerned that a Chinese enterprise has become a major supplier of the world’s 5G wireless networks. Despite Washington’s year-long campaign branding Huawei a national security threat, the company has shipped more than 600,000 5G base stations since last year, the most recent shipments containing no American-made components. Huawei has also signed about 90 commercial 5G contracts with telecom operators, including more than 40 in Europe.

Even without Huawei, equipment from Chinese sources will end up in large segments of the world’s telecommunications backbone, because every large maker of telecom equipment, irrespective of nationality, has operations in China, including manufacturing, assembly, and R&D.

Making the problem even more intractable, sophisticated and malicious attackers, including a small number of nation-states, can implant malware and hidden functionality in the software or hardware of virtually any telecom equipment supplier, regardless of where its headquarters are located.

Given the sophistication of cyber threats and the ubiquity of Chinese-sourced technology, how can the U.S. and its allies create trusted networks, while using “untrusted” suppliers (or components from countries whose governments are deemed untrustworthy)? One possibility is to follow the advice of security experts who argue: Don’t trust anyone. 

Zero-Trust Networks (ZTNs) provide a model for what that might look like, and a way to safeguard America’s critical national infrastructure in the absence of a trusted supplier.  

As the name indicates, ZTNs grant no implicit trust. No operator is trusted by default, nor is any equipment vendor or device; every request for access is verified on its own merits, irrespective of where on the network it originates. The working assumption is that at some point, the network will be compromised.

Given the offensive cyber capabilities of the most sophisticated attackers, keeping the bad guys out completely is an unrealistic goal. This reality has long been acknowledged by members of the U.S. military and intelligence communities, including former CIA and NSA director, Gen. Michael Hayden, who said, “If somebody wants to get in, they're getting in.”   

Once the inevitable intrusion occurs, networks must be resilient enough to withstand it. Resilient networks minimize harm through rapid detection, isolation of intruders, and other means. A blueprint for network resilience, published last November by the U.S. National Institute of Standards and Technology (NIST), states that systems are resilient if they “can withstand cyber-attacks, faults, and failures and can continue to operate even in a degraded or debilitated state.”

The difference in perspective is easy to illustrate: while a traditional engineering analysis might consider whether a car driver could fail to notice a low fuel gauge, a cyber-resiliency analysis would look at what might happen if malware gave the driver false information about the fuel level.
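To make the zero-trust principle concrete, the following Python sketch is an added example written for this piece; it is not code from Huawei, NIST, or any operator. It contrasts a legacy perimeter check, which trusts anything with an “inside” address, with a zero-trust decision that verifies the caller’s identity, the device it is on, and the least-privilege scope for every request, and records each denial so that intrusions surface quickly. The claim names, scopes, device list, signing key, and sample requests are all constructed for the example; a real deployment would use a proper identity provider, hardware-backed device attestation, and a key held in a KMS or HSM.

```python
"""Added example: a minimal zero-trust policy decision point (not the article's code)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

KEY = b"example-signing-key"  # constructed for the example; use a KMS/HSM-held key in practice

# Resource -> scopes that may touch it. Anything not listed is denied (default deny).
RESOURCE_POLICY = {
    "ran/config:read": {"ran.admin", "ran.ops"},
    "ran/config:write": {"ran.admin"},
    "core/subscriber-db:read": {"core.ops"},
}

# Device posture as reported by an (assumed) attestation service; constructed data.
ATTESTED_DEVICES = {"laptop-ops-17": "healthy", "jump-9": "healthy", "vendor-kit-3": "unhealthy"}

AUDIT = []  # every denial is logged; feeds the "rapid detection" part of resilience


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def mint_token(subject, device_id, scopes, ttl=300, now=None, key=KEY):
    """Issue a short-lived, HMAC-signed token bound to a subject and a device."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dev": device_id, "scp": sorted(scopes), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None, key=KEY):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Decision:
    allowed: bool
    reason: str


def perimeter_decide(src_ip, action):
    """Legacy model: anything with an address in 10.0.0.0/8 is trusted, whatever it asks for."""
    inside = src_ip.startswith("10.")
    return Decision(inside, "inside-perimeter" if inside else "outside-perimeter")


def zero_trust_decide(token, device_id, action, now=None):
    """Zero-trust model: verify identity, device binding, device health and scope on every call."""
    claims = verify_token(token, now)
    if claims is None:
        decision = Decision(False, "identity-not-verified")
    elif claims["dev"] != device_id:
        decision = Decision(False, "device-mismatch")  # valid token replayed from another host
    elif ATTESTED_DEVICES.get(device_id) != "healthy":
        decision = Decision(False, "device-not-attested")  # includes a compromised vendor box
    elif action not in RESOURCE_POLICY:
        decision = Decision(False, "unknown-resource")
    elif not RESOURCE_POLICY[action].intersection(claims["scp"]):
        decision = Decision(False, "insufficient-scope")  # least privilege
    else:
        decision = Decision(True, "ok")
    if not decision.allowed:
        AUDIT.append({"dev": device_id, "action": action, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the walk-through is reproducible
    ops = mint_token("alice", "laptop-ops-17", {"ran.ops"}, now=NOW)
    print(perimeter_decide("10.1.2.3", "ran/config:write"))              # allowed: inside
    print(zero_trust_decide(ops, "laptop-ops-17", "ran/config:read", NOW))  # allowed
    print(zero_trust_decide(ops, "laptop-ops-17", "ran/config:write", NOW)) # insufficient-scope
    print(zero_trust_decide(ops, "jump-9", "ran/config:read", NOW))         # device-mismatch
    print(zero_trust_decide("forged.token", "laptop-ops-17", "ran/config:read", NOW))
    print(AUDIT)
```

Note what the perimeter check never asks: who is calling, from what device, and for what. A token stolen from an operator, a vendor maintenance box that fails attestation, or a forged credential presented from an internal address all fall through the zero-trust checks and land in the audit log, which is where isolation and response start.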

If the U.S. government wants to forgo a comprehensive approach to risk management and simply seek alternatives to Huawei, it has several options. It can try to acquire a controlling stake in Ericsson or Nokia, Huawei’s main competitors in the network equipment business not headquartered in China. It can also continue on its present course of pressuring U.S. allies to ban Huawei equipment and restricting U.S. companies from selling Huawei their technology. Given America’s strategic rivalry with China, these actions might have some appeal. 

Most security experts know that bans or blacklists aimed at a single company do not actually make networks more secure. Instead, driving Huawei away from the U.S. supply chain will make the company less dependent on U.S. technology – and therefore less vulnerable to such moves in the future – while hurting American tech jobs in the process. 

Instead of piecemeal attempts to block “untrusted” companies headquartered in China, a better solution is to distrust everyone equally. This means creating a comprehensive assurance framework that transparently manages the risks associated with all telecom and mobile operators, and with the equipment and services of all vendors. The NIST cyber-resiliency guidance cited above provides a framework for doing that.

It is too late for an American company to be a leading supplier of 5G technology, but the U.S. can still take advantage of the many economic and social benefits 5G will deliver to industry, government, and individual citizens. The U.S. government should consider implementing the proven risk-mitigation protocols that will enable the country to realize 5G’s benefits, while appropriately managing network risk.   
