striver44
Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks. No material progress has been made by Huawei in the remediation of the issues reported last year. – UK Oversight Board, 2019 Annual Report
[Image: Huawei Chief Financial Officer, Meng Wanzhou, leaves her Vancouver home to appear in British ... (AFP via Getty Images)]
The press headlines about Huawei over the past couple years have focused on what the non-technical media find most titillating, the easiest to comprehend, the most sell-able angles: national security risks, espionage, racketeering, stolen American technology, secret deals with Iran and North Korea, etc. In short, they proffer a narrative of criminality and geopolitics. The image of Huawei’s Chief Financial Officer Meng Wanzhou, showing up in court in Jimmy Choo silver stiletto heels and an ankle bracelet, makes for great copy. Rich, foreign, wicked, sexy.
But these sensational particulars distract us from another story, which is emerging from the reports by the UK’s Huawei Cyber Security Evaluation Centre Oversight Board. The Board was created in 2014 for the sole and express purpose of assessing and mitigating “any perceived risks arising from the involvement of Huawei in parts of the United Kingdom’s (UK) critical national infrastructure.” Its work is rigorous and narrowly technical. Five annual reports have been issued to date, dealing with engineering issues that could possibly compromise the performance of Huawei’s equipment and/or create risks for UK telecommunications operators and end users, and with Huawei’s responses to these issues.
Most of what the UK’s Oversight Board reports on has little to do with cyber-security. They focus on breakdowns in basic engineering discipline at Huawei. Highlights of the 46-page Report (which includes considerable technical detail) include the following (the bullet points below are verbatim quotes).
“Process Deficiencies”
- [Huawei exhibits] an exceptionally complex and poorly controlled development and build process… [with] serious and systematic defects in Huawei’s software engineering.
- Huawei’s underlying build process which provides no end-to-end integrity, no good configuration management, no lifecycle management of software components across versions… poor hygiene in the build environments.
- It is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process.
Inadequate Configuration Control
[Configuration control is something any computer user can understand. Upgrades, or fixes, to operating systems or applications software all require keeping careful track of which version is installed, which changes can be applied, in what sequence. Strong configuration control is essential for any software-based system. It should be routine. Not for Huawei.]
- Huawei’s configuration management [processes]… have not been universally applied across product and platform development groups or across configuration item types (source code, build tools, build scripts etc). Without good configuration management, there can be no end-to-end integrity in the products as delivered by Huawei, and limited confidence in Huawei’s ability to understand the content of any given build or in their ability to perform true root cause analysis of identified issues
- Configuration management of the build environment is poor and sometimes non-existent.
- Configuration management of virtual machines used during the build process is poor. Specifically, virtual machines were not clean at build start, with many containing (sometimes irrelevant) source code, artefacts of previous builds and other detritus.
- Configuration management of source code is poor.
- [We] first demanded proper configuration management from Huawei in 2010.
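The build-process and configuration-control findings above (no end-to-end integrity, build VMs not clean at build start, no confidence that a fix in one build survives into the next) describe failures that a handful of mechanical checks in a build pipeline would catch. The following is an added illustration, not code from the article, from HCSEC or from Huawei: it snapshots a source tree, flags files in the build environment that no configuration item declares, records a canonical manifest of every build input so that two builds can be compared, and verifies that a fix known to ship in a given component version is actually present in a later build. All paths, component names, versions and issue ids are constructed for the example.

```python
"""Build-integrity checks a configuration-management process would run
before and after every build. Added example; constructed data throughout."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def find_detritus(snapshot, declared):
    """Files present in the build environment that no configuration item
    declares. A clean build start returns an empty list; anything else is
    leftover source, old artefacts or other material that must not reach the
    product unnoticed."""
    return sorted(set(snapshot) - set(declared))


def build_manifest(snapshot, toolchain, components):
    """Canonical record of everything that went into a build: source hashes,
    toolchain identity and third-party component versions. Equal inputs give
    an equal manifest id; a differing id pinpoints which input changed."""
    record = {
        "sources": dict(sorted(snapshot.items())),
        "toolchain": dict(sorted(toolchain.items())),
        "components": dict(sorted(components.items())),
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"id": hashlib.sha256(canonical.encode()).hexdigest(), "record": record}


def parse_version(version):
    """Dotted numeric version string -> comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(part) for part in version.split("."))


def lost_fixes(components, remediations):
    """Issue ids whose fix is not carried by this build.
    remediations maps issue id -> (component, first version containing the fix).
    A component that is missing or older than the fixed version is a regression."""
    lost = []
    for issue, (component, fixed_in) in remediations.items():
        shipped = components.get(component)
        if shipped is None or parse_version(shipped) < parse_version(fixed_in):
            lost.append(issue)
    return sorted(lost)


def demo():
    """Run the checks on a constructed build tree (hypothetical product)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void){return 0;}\n")
        (root / "src" / "util.c").write_text("int add(int a,int b){return a+b;}\n")
        # Leftover from a previous build: the kind of detritus the report describes.
        (root / "old_build.o").write_bytes(b"\x00stale")

        snapshot = snapshot_tree(root)
        declared = ["src/main.c", "src/util.c"]          # constructed configuration items
        detritus = find_detritus(snapshot, declared)     # -> ["old_build.o"]

        toolchain = {"cc": "gcc 9.3.0", "ld": "binutils 2.34"}     # constructed
        components = {"libfoo": "2.4.1", "tlsstack": "1.0.9"}       # constructed
        # ISSUE-0001 was fixed in libfoo 2.4.2, but this build still ships 2.4.1.
        remediations = {"ISSUE-0001": ("libfoo", "2.4.2"),
                        "ISSUE-0002": ("tlsstack", "1.0.5")}
        lost = lost_fixes(components, remediations)      # -> ["ISSUE-0001"]

        manifest = build_manifest(snapshot, toolchain, components)
        return detritus, lost, manifest["id"]


if __name__ == "__main__":
    detritus, lost, manifest_id = demo()
    print("undeclared files in build environment:", detritus)
    print("fixes not carried forward:", lost)
    print("build manifest id:", manifest_id)
```

The manifest id is the piece that gives end-to-end integrity: stored alongside the delivered artefact, it lets an evaluator rebuild from the recorded inputs and compare, and a changed id between two builds is the starting point for the root-cause analysis the report says Huawei could not perform.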
“Vulnerabilities” (i.e., the technical bottom line)
- The number and severity of vulnerabilities discovered…is a particular concern.
- Serious vulnerabilities reported in previous evaluations continue to persist in newer versions… many vulnerabilities being of high impact…risky code…little improvement in software engineering… no end-to-end integrity in the products
- HCSEC has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported.
Huawei’s Inadequate Response
- Huawei’s software engineering and cyber security competence are failing to improve sufficiently.
- The Oversight Board tasked Huawei with providing a plan to remediate the software engineering and cyber security issues… [The Board] currently is not confident that Huawei is able to remediate the significant problems it faces.
- [We] remain concerned about the time elapsed since discovery of this issue without a credible plan being presented.
- Unless and until a detailed plan has been provided and reviewed, it is not possible to offer any degree of confidence that the identified problems can be addressed by Huawei.
- Commitments from Huawei in the past have not brought about any discernible improvements. The Oversight Board note in particular the commitments first made in 2012…
- [We have] limited confidence in Huawei’s ability to understand…or to perform true root cause analysis of identified issues.
Deployment Risk (the business bottom line)
The Board’s Report notes that its remit does not extend to advising operators directly on equipment choices. But they make the point plainly enough.
- It is impossible to provide end-to-end assurance in the security and integrity of the [Huawei] products in use.
- [There is] significant risk in the UK telecommunications infrastructure brought about by Huawei’s equipment.
The real question is: How is Huawei still in business at all?
I have some experience with the wireless industry, as a supplier of technology to the major operators. One or two major technical flaws, if not resolved promptly, would have killed any deal I was ever involved in. Poor documentation was unacceptable. Sophisticated customers audited our configuration control throughout the development and manufacturing process.
In the case of Huawei, the British experts have flagged “several hundred” deficiencies. (Actually, in the technical paragraphs of the Report, identified software problems number in the thousands.)
To put this in perspective, Boeing’s now-grounded 737 Max aircraft is said to have suffered perhaps 3 important defects.
- Boeing has discovered another software problem… the third different software problem that has been discovered since the plane was grounded in March. ... The new issue apparently has to do with a warning light that was “staying on for longer than a desired period,” according to Bloomberg. ... Boeing and the FAA have previously disclosed two other glitches…
A stuck warning light. A “glitch.” A mild word for a problem that may have caused the deaths of several hundred people, and certainly cost Boeing $100 Bn+ in market value. (It is true of course that defective cellphones don’t kill anyone. The products are different in nature. But from a purely technical perspective, Huawei’s shortcomings are arguably just as alarming.)
The ability of Huawei to do any business at all in this industry — given the scope of the deficiencies documented by the British experts – is frankly inconceivable. One would hope that the findings laid out in this Report will be digested and understood by the relevant governments and potential customers. The Germans, for example, are said to be “sitting on the fence” with respect to Huawei. It is hard to imagine a German systems engineer reading the UK Report and reaching any but a negative conclusion on the deployability of Huawei equipment.
The sexy headlines today about Huawei have to do with the U.S./China dispute, but the real problems are so much more basic, prosaic, operational, and unforgiving. American and Chinese leaders could decide tomorrow to settle their differences, “drop the charges,” and eliminate the geopolitical aspects of the controversy. But you can’t wave away “several hundred vulnerabilities” and “poor and sometimes non-existent” processes of basic technology management. No tech company I know would survive this damning report card. The outcome here is predictable.
https://www.forbes.com/sites/george...crappy--why-are-their-customers/#bb9da4136c3b