Huawei’s focus on speed led to security flaws: carrier CTO


Despite the sophisticated nature of Europe’s telecom networks, security has only recently become the centerpiece of the conversation, Paul Scanlan, chief technology officer of Huawei’s Carrier Group, told TechNode at the Fortune Tech Forum in Guangzhou. When asked about Huawei’s past cybersecurity mistakes, he said the company’s focus on innovation and speed contributed significantly.

In the past, Huawei was focused on “innovation and getting products out fast,” and was unaware of how it should strive to uphold certain security-related architectural features in its code, Scanlan said in response to a report by the UK’s Huawei Oversight Board (HCSEC) that found “underlying defects” in its software development.

“If a customer wants to add a feature, we can’t re-engineer the whole product,” because that would be too slow, he said. Instead, Huawei would put a module on top of the existing code, he continued.

Over time, these development practices led to some “architectural peculiarities,” which the HCSEC found undesirable, especially given that hackers were getting more sophisticated, he said. “Now we [Huawei] understand that these sorts of things are important,” he added.

Last March, the HCSEC reviewed Huawei product software and found “extensive non-adherence to basic secure coding practices, including Huawei’s own internal standards.” These included suppressing alerts from static analysis tools and using an outdated third-party operating system.

HCSEC is a UK subsidiary of Huawei that works under the watchful eyes of British authorities.

No backdoors

The important thing is that “it found no backdoors,” Scanlan said, echoing Huawei’s statement when the report first came out. Huawei has invested $2 billion to “develop better testing, processes and KPIs focused on developing trustworthy software,” he said.

This so-called “transformational program” was announced by Huawei in November 2018. Three months later, the HCSEC report said that it remained “a proposed initial budget for as yet unspecified activities,” giving the watchdog no confidence in Huawei’s ability to follow it through.

Scanlan also said that the company is the only equipment vendor that faces so much scrutiny and that it has a history of handing its code over for review in the UK and, to a lesser extent, Germany.

But in a network, “you’re only as insecure as your weakest link. If you have multiple vendors and you are only scrutinizing Huawei, that doesn’t make sense,” he said.

“The real issue is that this is the first time security is being talked about on a global, government level,” Scanlan said. During the rollout of 3G and 4G, similar discussions on the security of networks were lacking, he said.

“We’re having these discussions globally now, and everyone is part of them, vendors, operators, governments. Excluding the US, we are having a lot of these discussions,” he said.

European regulators have been working together with industry players to come up with a common security framework that all member-states can agree on. All equipment vendors are consulted in these discussions, Scanlan said.

Note: This article has been updated to better reflect Paul Scanlan’s words following an inquiry from Huawei.