Reflections on My Visit to Huawei in Shenzhen
Image: Selfie taken outside the Huawei Cybersecurity center, Shenzhen, Guangdong, China


Zero Trust

Earlier this year, I concluded my term as President of Cámara de Tecnologías de Información y Comunicación, having navigated numerous challenges and opportunities within Costa Rica's tech industry, none more controversial than the response from the industry to the Executive Decree to ban 5G infrastructure providers from countries that are not signatories of the Budapest Convention on Cybercrime. Recently, I had the opportunity to visit Huawei's facilities in Shenzhen as part of an invitation to the Huawei “COMPASS” event focused on showcasing the use cases of Huawei’s cloud services as they are being deployed by governments and corporations in Latin American markets. Given the geopolitical tensions and the crucial decisions facing Costa Rica regarding 5G infrastructure, I felt it was important to share my reflections on this visit and the broader issue of technology security. While I recognize the sensitivity and complexity of these issues, I seek to provide an objective perspective based on my experiences and interactions.

Disclaimer: While my visit to Huawei was facilitated by their invitation, I have strived to maintain an objective perspective and provide a balanced analysis based on both firsthand observations and broader industry standards.

The Visit to 华为

During my visit to Huawei in Shenzhen, I was impressed by the scale and sophistication of their facilities. The innovations on display highlighted Huawei's commitment to advancing technology. I had the opportunity to interact with members of their cybersecurity team, which included a frank and open conversation with Brian Chamberlin, Executive Advisor, Carrier Marketing at Huawei Technologies. This diverse team underscored Huawei’s global reach and collaborative efforts in the tech industry. It's important to note that my observations are part of a broader effort to gather firsthand information and should be considered alongside other perspectives and evidence.

Insights on Cybersecurity

Before my trip, I had an insightful conversation with a telecoms engineer and standards expert from the USA who happened to be visiting Costa Rica. We discussed Costa Rica's Executive Decree restricting Huawei’s 5G technology, and he mentioned his experience leading working groups in the 3GPP standards organization. He noted, "I still see them [Huawei] in 3GPP international standards often and nowadays they (usually) make quality contributions. They are actually innovative these last number of years."

During my visit to Huawei, I asked Brian Chamberlin, "Currently, which standards and third-party audits allow Huawei to refute arguments such as Costa Rica’s that Huawei cannot be safely used in the telco core?" He explained that several international standards and third-party audits are crucial for ensuring the safety and security of telco operations:

  • GSMA's NESAS (Network Equipment Security Assurance Scheme): This is a security assurance framework jointly defined by GSMA and 3GPP to facilitate improvements in security levels across the mobile industry. It provides an industry-wide security assurance framework to ensure that network equipment complies with security requirements.
  • Common Criteria (CC) Standard, also known as ISO/IEC 15408: This international standard for computer security certification is recognized globally and provides a framework for evaluating the security properties of IT products. Huawei's 5G solutions have received a rating of EAL4+ under this standard, which is the highest possible rating for this type of product. This rating signifies that the product has been methodically designed, tested, and reviewed to the highest standards.

These standards and certifications are designed to ensure that telecommunications equipment is thoroughly evaluated for security vulnerabilities and resilience against attacks. By adhering to these standards, Huawei demonstrates its commitment to maintaining high security and safety levels in its products.

The Huawei executive advisor then addressed the grounds on which detractors claim the technology is unsafe. He noted, "They claim it is theoretically possible for Huawei to remotely shut down a network or to install spyware. Even though we provide trusted partners access to our source code to show no such capability exists, the claim is that it's something we might do in the future." This highlights a fundamental challenge: the hypothetical nature of the security concerns, which could theoretically apply to any technology vendor. It is important to acknowledge that while standards and certifications significantly mitigate risks, no system can be considered completely immune to potential future threats.

Embracing the Zero Trust Model

Brian further elaborated, "The important thing for carriers to do is to reject this notion of 'trusted vendors' and adopt a zero trust model. All updates must be tested thoroughly. Many companies resist this because that testing is expensive, but it is very important for building a secure network."

The zero trust model is a security concept that assumes no entity, inside or outside the network, is inherently trustworthy. Instead, every attempt to access the network must be verified before being granted access. This approach contrasts with traditional security models that often rely on perimeter defenses and assume that anything inside the network is safe.

Adopting a zero trust model involves several key principles:

  • Verification: Every access request is authenticated, authorized, and encrypted before access is granted.
  • Least Privilege: Access is granted only to the resources necessary for a user's role, minimizing potential attack vectors.
  • Continuous Monitoring: All network traffic is regularly monitored and analyzed to detect and respond to threats in real time.

By implementing these principles, organizations can mitigate the risks associated with potential vulnerabilities in any vendor's technology, including Huawei's. This approach ensures that security is maintained through rigorous testing and continuous monitoring, regardless of the vendor. While this model can be resource-intensive, the benefits of enhanced security and resilience make it a worthwhile investment.

The Geopolitical Context

The geopolitical pressures surrounding 5G infrastructure are significant, particularly the US-China dynamics. Brian Chamberlin’s comments during my visit to Huawei reinforced the importance of adhering to international standards and rigorous testing protocols. The notion that any vendor could potentially introduce vulnerabilities in future updates is a reminder of the need for comprehensive security measures across the industry. It's also essential to consider these security measures within the broader context of geopolitical influences, recognizing that objective, evidence-based criteria are fundamental to making sound decisions.

In conclusion, my visit to Huawei provided valuable insights into their cybersecurity practices and the broader issues of security and standards in the tech industry. It is clear that technical standards and rigorous testing are essential for ensuring the security of 5G infrastructure. As we navigate the complex landscape of geopolitical influences and technological advancements, it is crucial to base our decisions on objective, evidence-based criteria and to foster a collaborative approach to building secure, resilient networks. While my reflections are informed by my experiences, I encourage ongoing dialogue and evaluation to continuously improve our understanding and practices in this critical field.

andrian sulistyono

SPV Operation Fiber Internet Service Provider | Telecommunications Enthusiast

6 months

The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the transformation that 5G represents for telecommunication networks and the need for security and resilience. Moreover, the National Institute of Standards and Technology (NIST) has launched a 5G Cybersecurity project to manage 5G-related security risks effectively.

Tom Fervoy

Co-Founder: Siftia U.S. - Data Products & Services for HealthCare (HL7 FHIR), Finance, Retail, Media, Education and Public Sectors

6 months

An excellent, objective, first-hand reaction from siftia founder & thought-leader Paul Fervoy on the subject of 5G infrastructure security... from his very recent visit this past week to Huawei in Shenzhen, China. The take-away: "Zero Trust" model can mitigate the risks associated with potential vulnerabilities in any global vendor's technology, including Huawei's.
