SPECIAL REPORT 168

SA network operators are reliant on Huawei 5G products that are deemed ‘critically vulnerable’

By Heidi Swart 7 December 2020


Huawei has been lauded by President Cyril Ramaphosa as the only telecommunications company that can lead South Africa into the 5G era. All major SA network operators depend on it. But it’s been a rough few months for the Chinese equipment maker.

First published in Daily Maverick 168

A historic bill has just been introduced in the British parliament, giving the government powers to remove Huawei’s 5G components from networks in that country. Huawei also received another scathing cybersecurity review from UK government analysts, and this time its 5G products also came up short. Then there’s the United States’ sanctions against the company, raising questions about its ability to maintain its future global 5G network supplies.   

British telecom operators have had “to take extraordinary action to mitigate the risk” brought on by Huawei products in their cellular networks. This is one of several serious security problems identified by the Huawei Cyber Security Evaluation Centre (HCSEC) in Britain. The technical evaluations are not a result of the US-China trade war instigated by President Donald Trump. Rather, the HCSEC is a decade-old facility funded by Huawei, staffed by UK experts, and overseen by an independent board. The board is chaired by the National Cyber Security Centre (NCSC) – the leading British government agency on such matters. Huawei and major UK network operators are also represented. 

The 2020 HCSEC annual report (which covers the 2019 period) found critical vulnerabilities in certain Huawei products that were a result of particularly poor code quality and the use of an old operating system. Other issues included evidence that Huawei is not following its own internal secure coding guidelines, sustained evidence of poor coding practices, a complete lack of security awareness, and inadequate component management. 

The report also stated that Huawei does not meet the basic expectation of industry good practice software engineering and cybersecurity development. This finding echoes remarks made last year by NCSC technical director Ian Levy. According to Reuters, Levy stated that Huawei’s “security is objectively worse”. When he was asked how Huawei fared against other manufacturers, Levy said: “Certainly nothing is perfect, certainly Huawei is shoddy, the others are less shoddy.”

As was the case with last year’s HCSEC report, the 2020 edition said British officials didn’t believe that Huawei’s issues resulted from Chinese state interference. 

Prime targets 

In SA, Vodacom, MTN, Cell C, Telkom, and rain utilise Huawei’s equipment in their networks. With a 2019 revenue of ¥858.8-billion (about $122-billion), Huawei is the world’s largest telecom equipment maker, which includes digital switches and base stations. (The former route data, like phone calls or emails, from one point in the network to another. The latter, along with the mast and the accompanying antennae, form the most visible part of the network, serving as a connection point for devices like phones and laptops.) 

Of particular concern, the 2020 HCSEC report stated, was “the increasing number and severity of vulnerabilities discovered… by the relatively small team in HCSEC. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network… Other impacts could include being able to access user traffic…” The report highlighted the vitally important role of network operators in shielding infrastructure affected by Huawei’s deficiencies, saying operator security measures would “remain critically important in the coming years to manage the residual risks caused by the engineering defects identified”. 

Just like smartphones and laptops, telecom networks depend on computer software, which means a network can be hacked. Generally, cyber attacks are rife worldwide, and the Covid-19 pandemic is exacerbating the problem. In May this year, cybersecurity firm Kaspersky reported 726 million confirmed cyber attacks globally, projecting that by year’s end that number would rise to 1.5-billion. 

Attackers and their motives differ. Governments spy on each other, criminal agencies prefer extortion, and sometimes adolescents just want to raise hell. 

Whatever the motivation, telecom networks are prime targets, since they carry vast amounts of private customer data and communications. 

‘An endless and ongoing process’ 

Securing networks is an endless task for operators, according to the director of policy and public affairs for BT Group, Alex Towers. BT Group is the UK’s largest network, and with 30 million customers it covers most of the UK. In June 2019, Towers testified about 5G network security before the UK House of Commons’ Science and Technology Committee. He told UK members of parliament: “We have 3,000 people in the cybersecurity part of our business working 24/7 to try to detect and deal with attacks and vulnerabilities. There are something like 4,000 attacks a day on the network in some way, shape or form. It is an endless and ongoing process.” 

By comparison, MyBroadband reported that SA’s largest mobile service provider, Vodacom, had 39.4 million subscribers as of June 2020. But the company declined to give Daily Maverick specific details about the rate and nature of cyber attacks it experiences, or the size of its cybersecurity team. Vodacom stated only that its “security is based on multiple layers of protection, and we have an experienced team of cyber security professionals who continually monitor, protect and defend our networks”. Telkom and MTN did not respond to similar questions and a spokesperson for Cell C declined to comment, saying the information is “commercially sensitive”. CEO for rain, Willem Roos, said the company employed “a significant number of internal staff together with external consultants to carefully manage the security risks around our network. We spend many millions of rands, and we follow best practice, to ensure the network and our customers’ data is safe. Like most large businesses, rain faces a number of cyber attacks on a daily basis.”

Cybersecurity problems with Huawei’s network equipment are not new. In June, Daily Maverick reported how HCSEC repeatedly uncovered underlying defects in Huawei products over the past decade, and how Huawei at times failed to adequately fix these. The issues were such that in November 2018 Huawei pledged what it called an “initial” amount of $2-billion over five years to a “company-wide transformation programme” aimed at “enhancing” its “software engineering capabilities”. 


In response to Daily Maverick’s questions for our June article, Huawei said the transformation plan had “already yielded positive results and we are confident this will continue allowing us to also better serve other markets from the progress made”. In contrast, the 2020 HCSEC annual report stated: “While there have been limited improvements in 2019, the significant deficiencies and associated risks detailed in the 2018 report remain. There is not yet evidence that Huawei is undergoing a significant transformation to sustainably fix these deficiencies. NCSC has not seen a credible transformation plan, nor a reasonable allocation of the committed $2-billion investment in transformation.” 

Problems have also crept into Huawei’s 5G equipment. Among the products that HCSEC tested were five versions of a Huawei 5G base station. The report stated: “The 5G product set showed limited improvement over 4G, but no evidence of transformation.” 5G will raise the stakes in network security. The new generation of mobile technology is predicted to usher in the Fourth Industrial Revolution and with it a society far more dependent on data connections, with everything from kitchen appliances, cars, homes, and entire industrial complexes and cities dependent on 5G connections to simply function normally. It’s this increased dependence that has countries across the globe scrutinising network security anew.

‘New restrictions make it impossible’ 

The latest HCSEC report is not the only piece of bad news for Huawei’s 5G ambitions. 

Sanctions placed on the company by the US contributed strongly to Britain’s announcement in July this year that it would ban Huawei from its future 5G networks, and remove all Huawei 5G components by 2027. This marks a turnaround of the UK’s January decision to only partially ban Huawei. The restrictions were instituted on advice of the National Cyber Security Centre, the UK government noted in a statement: “They found the new restrictions make it impossible to continue to guarantee the security of Huawei equipment in the future.” 

Apart from technical reasons for the UK’s outright ban, Huawei’s relationship with the Chinese government hasn’t helped its case. The British House of Commons Defence Committee has urged the UK government to consider removing all 5G Huawei equipment from UK networks as early as 2025. In a report on 5G security released in October, the committee stated: “Having a company so closely tied to a state and political organisation sometimes at odds with UK interests should be a point of concern and the decision to remove Huawei from our networks is further supported by these links. Concern about Huawei is based on clear evidence of collusion between the company and the Chinese Communist Party apparatus…” 

In the latest blow to Huawei, the UK introduced the Telecommunications Bill on Tuesday, 24 November, which would give the government the power to remove Huawei’s 5G equipment from networks. 

UK members of parliament are not alone in their mistrust of Huawei. The US has had some success in driving anti-Huawei sentiment, at least with its traditional allies. Since 2018, several countries have placed an outright ban or some sort of restriction on the use of Huawei’s equipment, while some quietly opted to use other manufacturers. These include Japan, Australia, New Zealand, Canada, Belgium, and most recently Sweden, although Huawei is fighting that country’s decision in court. 

The US has put forward two major reasons for its crusade against Huawei. Both motivating factors relate to the long-term strategies of the two superpowers. The first is national security. In March, Daily Maverick provided a detailed analysis of the two countries’ security clashes. These two geopolitical rivals don’t want to be dependent on one another for maintaining communications. The second factor – and the Americans say this openly – is money. We’re not necessarily talking about short-term profits for US companies. Huawei’s American competitor, Cisco Systems, lost out on major government deals in China in what appeared to be retaliation for the clampdown on Huawei. 


Instead, the US hopes to gain in the long run. Huawei holds a major share of what’s known as standard essential patents for 5G. Which patents (ie unique innovations) are essential to make real-world technology work is part of an ongoing debate, but you can read about it by world-renowned patent guru Florian Mueller here. Huawei’s ownership of these patents means that if other companies want to build 5G products based on Huawei’s innovations, they have to pay the company royalties. And then there’s the fact, as US lawmakers heard in May last year during a senate session on 5G security, that as was the case with 4G, 5G would open up new possibilities for technological applications which the US could cash in on. But if advances in 5G were happening in China, the innovation and the profits would follow suit. 

The end result of all this, for Huawei, is that the US has made it more difficult for the company to manufacture its equipment. In May 2019, the US placed Huawei and 70 of its affiliates on an entity list, forbidding American firms from doing business with them without a temporary general licence issued by the US Department of Commerce. 

Since that time, this licensing period was repeatedly renewed to give American organisations reliant on Huawei a chance to adapt. But on 15 May 2020, it was extended for the last time. On the same day, new restrictions prohibited foreign firms from selling components built with American-made technology to Huawei without a green light from the US government. Then on 17 August, scarcely three days after the original temporary general licence period finally expired, the US tightened the noose further. It added 38 Huawei affiliates to the entity list. These include Huawei Cloud South Africa, and Huawei OpenLab Johannesburg. 

Despite the sanctions and the coronavirus pandemic, Huawei announced in October that its third quarter revenue stood at ¥671.3-billion (around $100.4-billion) – a 9.9% increase over last year’s results.

Stockpiling 

Meanwhile in South Africa, major operators have started to roll out 5G networks, primarily in metropolitan areas, including Tshwane, Johannesburg, Cape Town, Port Elizabeth and Bloemfontein. Teaming up with Huawei, rain launched its 5G service in September 2019. Vodacom followed in May 2020 and MTN kicked off its 5G offering in June 2020. Cell C and Telkom do not yet offer 5G services. 

In the most recent development in July 2020, rain launched its first commercial standalone 5G network – also in partnership with Huawei. (Most of the 5G networks being rolled out globally are non-standalone: in other words, they consist of 5G infrastructure layered upon existing 4G infrastructure. A standalone network, as the name suggests, is a separate network.) 

rain is heavily reliant on Huawei equipment for its current networks as well as its future 5G plans. Cognisant of the HCSEC report, Roos says his company believes that the buck stops with the operator, stating: “rain takes users’ privacy and security extremely seriously. We believe it is primarily the responsibility of the network operator to ensure that its network is secure, customer data is protected and compliance is in line with best-practice and the laws of the country.” 

Roos added that “many of the issues raised in the report would also apply to other manufacturers of 5G equipment”, but did not provide specifics. He said that rain’s move to standalone networks was a step up for security: “Non-standalone relies on both 4G and 5G networks security protocols, and as such can be more complex to implement. Security protocols have also been improved in 5G.” 

But no matter how strong rain’s network security is, being so heavily dependent on a single supplier puts it at greater risk, should Huawei’s supply chains falter. Yet Roos said rain was confident that Huawei would remain reliable. He said Huawei had “stockpiled enough components to ensure that they are able to maintain existing equipment over the useful life”, and that Huawei would also be able to “continue to provide appropriate software updates to ensure the proper functioning of the equipment”.

Indeed, Huawei has been stockpiling. In October, Bloomberg reported that the company had bought enough components to make sure it could supply Chinese telecom operators’ 5G rollout throughout 2021. 

Like rain, Telkom is heavily dependent on Huawei. While its fixed network utilises Huawei and Nokia, its mobile network depends solely on Huawei. In response to Daily Maverick’s questions about the HCSEC report, group executive Hugo van Zyl said the company “takes a strong hands-on approach to cybersecurity. Telkom assesses security on a continuous basis, including recent further developments with regards to Huawei”. Looking on the bright side, Van Zyl said, “It is worth noting that the latest HCSEC report states … that networks are not more vulnerable than in the previous period”. Van Zyl added that the operator had “noted comments on 5G with regard to software coding practices”, that it hadn’t decided who its 5G supplier would be, and that it was in the process of rolling out commercial 5G proof of concept sites where it would use its existing “stringent security measures”. 

Replacing Huawei: ‘What does that mean?’ 

Neither Telkom nor rain have excluded the idea of utilising other vendors, should equipment supply become an issue. Roos said rain will “continually assess the Huawei situation, and will consider alternative vendors should Huawei not be able to meet our broad range of requirements”. But he warned that if Huawei equipment was unavailable, it would “significantly delay the deployment of 5G networks in South Africa, not only by rain, but the rest of the industry as well”. Roos said rain had engaged with two other vendors to run 5G network trials. 

Telkom told Daily Maverick: “Long-term 5G procurement decisions are still to be taken…”, but did not respond to detailed questions about Huawei’s potential supply chain problems. However, in May 2019, Telkom CEO Sipho Maseko did shed some light on the subject in an interview with TechCentral’s Duncan McLeod. Said Maseko: “We think that we have invested quite a bit of time to make sure that we can mitigate this. We’ve modelled how much it will cost us if we have to replace the Huawei core network… What does that mean? And that is why we want to take it more as a sort of macro issue, as a country issue, not just a Telkom issue, and lean on the support of the president and the minister of … foreign affairs to make sure that South Africa and hopefully Africa as a continent has a coordinated response around some of these matters”. Maseko also said he had made a trip to China in May 2019 and spoken to Huawei’s top leaders as well as President Xi Jinping about the issue. 

To get an idea of how dependent the other operators are on Huawei, we asked Vodacom, MTN and Cell C to give us a breakdown of which manufacturers were suppliers for their current and future networks, including 5G networks. None of them would provide specific information about this. We also asked them about the implications of the HCSEC report and the US sanctions for their networks’ security. 

Cell C told Daily Maverick that the company had its “own set of security policies which are aligned to industry best practices” to which companies doing business with them had to conform. Cell C said regular penetration tests were performed on Huawei’s infrastructure and systems by independent companies. 

It stated further: “Regular security vulnerability assessments are conducted by both internal and external auditors. If there are any security vulnerabilities found, these are addressed as per Cell C’s agreed KPIs. In exceptional cases of remote access to Cell C’s infrastructure, secure VPN (virtual private network) tunnels are established. In addition to the aforementioned, a compliance and governance capability has also been established between Huawei and Cell C to evaluate and mitigate security risks within the Huawei domain. Cell C has also deployed security tool sets that are capable of identifying and reporting on security threats and malware.” Asked about how the company would deal with the potential impact of US sanctions, it said: “Mobile network operators have been engaged with the South African government at the highest level since May 2019 when the first executive order was issued by the USA administration. These discussions are ongoing.” 

Vodacom said that its parent company, Vodafone, welcomed the NCSC’s continuing work with industry to understand and manage the risks posed by Huawei, but noted that the UK’s overall assurance level has not changed since the previous HCSEC report. The company said it was “not disclosing the exact composition” of its networks on a country-by-country level, but that it “uses a range of suppliers in its networks, including Huawei”. A spokesperson said: “We will always follow government guidelines, and work closely with governments and our industry partners to provide a secure and reliable service to our customers. Regarding US actions, we continue to review our ways of working in light of changing US restrictions, and will always comply with regulations.”

Regarding the HCSEC report, MTN SA executive for corporate affairs, Jacqui O’Sullivan, said the company “makes use of a number of network equipment providers and our voice and data mobile core is predominantly provided by Sweden’s Ericsson. MTN is aware of the potential issues and we conduct security assessments on an ongoing basis, both internally and through external security providers.” MTN did not respond to further questions about network composition or how it would deal with potential shortages of Huawei components in the future. In June, MTN South Africa’s CEO, Godfrey Motsa, told Reuters that Huawei was responsible for building its 5G networks in Gauteng. 

Daily Maverick sent several questions to Huawei about the 2020 HCSEC report. The company said the report highlights its “commitment to a process that guarantees openness and transparency, and demonstrates an effective collaborative mechanism to mitigate cyber security risks in the UK”. It said the report acknowledges the company’s progress. Asked about its security standards in South Africa, Huawei referred us to a statement made in response to our June article. Huawei said its equipment met the requirements and laws of the country, and that it has “a proven track record in cyber security”. We also sent follow-up questions about potential supply chain disruptions and its ability to supply 5G components in future. Huawei responded by referring to its answers to the first set of questions for this article. 

In South Africa, the US has already lost its 5G battle, with Huawei set to play a major role with the full backing of the SA government. But the world is still a while away from large-scale adoption of 5G, with the Global System for Mobile Communications Association estimating that 5G will only account for a fifth of connected devices worldwide by 2025. 

On the upside, the wait for 5G gives South Africa some time to start talking about its implications for network security. It also gives Huawei some time to work on those base stations. DM

Heidi Swart is an investigative journalist who reports on surveillance and data privacy issues. This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.


All Comments 2

  • Huawei, as with any Chinese-based company, ultimately reports to the CCP.
    Hmm, Mr Maseko went to China, wonder who paid for that?
    Even met Xi, wow!
    Made a deal, cool, how has that worked for Hong Kong?
    All our operators have most of their eggs in one basket.
    A CCP basket.
    Glad that all our IT guys and gals are busy, nothing can go wrong!
    Just outnumbered by the 100s of thousands, by a surveillance state.
    Glad to hear Huawei is working on some issues to be complete in?
    Why are they needed?
    So SA has to take the words of CEOs that our data is safe?
    There is a severe lack of transparency from the above article, your questions to Huawei were stonewalled!
    Just say one of our IT guys found something wrong?
    You think we would be told?
    Wow, Huawei is working on base stations, with enough parts for 2021 at least.
    And making it so much harder for our IT guys to find the ‘backdoors’!
    In a nutshell, we will be spied on by the CCP!
    It’s a given that Huawei will be in control, as CR and the ANC would hate to upset a BRICS partner and suffer the ire of the CCP as with Australia.
    Careful what you say and do!
    Big brother Xi is watching you, so you can be controlled.
