
Despite the sophisticated nature of Europe's telecom networks, security has only recently become the centerpiece of the conversation, Paul Scanlan, chief technology officer of Huawei's Carrier Group, told TechNode at the Fortune Tech Forum in Guangzhou. When asked about Huawei's past cybersecurity mistakes, he said the company's focus on innovation and speed contributed significantly.
In the past, Huawei was focused on "innovation and getting products out fast," and was unaware of how it should strive to uphold certain security-related architectural features in its code, Scanlan said in response to a report by the UK's Huawei Oversight Board (HCSEC) that found "underlying defects" in its software development.
"If a customer wants to add a feature, we can't re-engineer the whole product," because that would be too slow, he said. Instead, Huawei would put a module on top of the existing code, he continued.
Over time, these development practices led to some "architectural peculiarities," which the HCSEC found undesirable, especially given that hackers were getting more sophisticated, he said. "Now we [Huawei] understand that these sorts of things are important," he added.
Last March, the HCSEC reviewed Huawei product software and found "extensive non-adherence to basic secure coding practices, including Huawei's own internal standards." These included suppressing alerts from static analysis tools and using an outdated third-party operating system.
HCSEC is a UK subsidiary of Huawei that works under the watchful eyes of British authorities.
No backdoors
The important thing is that "it found no backdoors," Scanlan said, echoing Huawei's statement when the report first came out. Huawei has invested $2 billion to "develop better testing, processes and KPIs focused on developing trustworthy software," he said.
This so-called "transformational program" was announced by Huawei in November 2018. Three months later, the HCSEC report said that it remained "a proposed initial budget for as yet unspecified activities," giving the watchdog no confidence in Huawei's ability to follow it through.
Scanlan also said that the company is the only equipment vendor that faces so much scrutiny and that it has a history of handing its code over for review in the UK and, to a lesser extent, Germany.
But in a network, "you're only as insecure as your weakest link. If you have multiple vendors and you are only scrutinizing Huawei, that doesn't make sense," he said.
"The real issue is that this is the first time security is being talked about on a global, government level," Scanlan said. During the rollout of 3G and 4G, similar discussions on the security of networks were lacking, he said.
"We're having these discussions globally now, and everyone is part of them, vendors, operators, governments. Excluding the US, we are having a lot of these discussions," he said.
European regulators have been working together with industry players to come up with a common security framework that all member-states can agree on. All equipment vendors are consulted in these discussions, Scanlan said.
Note: This article has been updated to better reflect Paul Scanlan's words following an inquiry from Huawei.
