Huawei, 5G and the UK: What is the real risk for enterprises?

Much to the chagrin of the U.S. government, the UK Government announced in late January it would allow Huawei equipment to be used in the rollout of 5G in the country. While some western intelligence agencies and politicians still claim Huawei poses a national security threat if its technology is used, the decision ensures the rollout of 5G technology and networks in the UK avoids long delays.

Ignoring the politics and rhetoric, what real risk does 5G pose to UK enterprises, and does Huawei increase those dangers?

UK cautiously says yes to Huawei

While the Chinese company is regarded as a ‘high-risk vendor” and may be used in a limited capacity, the UK Government deems the risk to be acceptable and manageable. At the same time, the NCSC published advice on using equipment from high-risk vendors such as Huawei in UK telecoms networks. These include not using said vendors on core parts of network functions, capping high-risk vendors to 35% of network equipment, keeping high-risk equipment away from sites significant to national security, or deploying them on networks used for operation of government or critical national infrastructure.

“We ask operators to use Huawei in a limited way so we can collectively manage the risk,” NCSC Technical Director Dr. Ian Levy said in a blog post. “We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre [HCSEC] and the oversight board reports) exist because we treat them differently to other vendors.”

While Levy acknowledged that the NCSC considers Huawei to be a high-risk vendor, it was not the only one on that list (ZTE are also regarded as such) and the sector needed greater plurality of choice. “There are only three scale suppliers of 5G Radio Access Network kit that can currently be used in the UK: Nokia, Ericsson and Huawei. That’s crazy. We need to diversify the market significantly in the UK so that we… do not end up nationally dependent on any vendor.”

According to the NCSC, factors that contribute toward whether a vendor is high risk include scale in the UK and global market, quality and transparency of the vendor’s engineering practices and cyber security controls, past practices, resilience, and considerations around ownership and location including influence and legislation of states. 

Politicians in the U.S. have expressed their disappointment at the move, which they say may affect future relations. The U.S. and Australia have already banned the Chinese technology company from its networks based on national security concerns, but a softer stance has been taken in Europe.

Germany has already stated it will allow Huawei into its 5G networks while the European Union Commission recently published guidelines on how to help secure high-risk venders and left the decisions around such venders up to the member states, tacitly giving countries the greenlight to use Huawei if they see fit.

Huawei backdoors, possibly — vulnerabilities, definitely

When it comes to Huawei’s involvement in 5G, most of the concern is around the company’s links to the Chinese communist party and whether there are government-mandated backdoors that could allow state actors and intelligence services direct access to critical infrastructure. Though there has been little evidence publicly revealed around this, it remains a distinct possibility. 

However, there is more reason for concern around the company’s engineering practices. Though its equipment has been used in UK telecoms infrastructure for years, the NCSC has long considered Huawei a high-risk vendor because of its market share, relationship with the Chinese Government and the regulatory environment in the country, and often low engineering quality. The HCSEC Oversight Board, a body set up to identify and mitigate risks from Huawei’s involvement in the UK’s critical national infrastructure, has previously identified “significant technical issues” in Huawei’s engineering processes and approach to software development.

The “serious and systematic defects in Huawei’s software engineering and cybersecurity competence” HCSEC found include issues around configuration management, use of an old and soon-to-be unsupported operating system, flaws in software component lifecycle management, and hundreds of software vulnerabilities. However, HCSEC did acknowledge that Huawei is still willingly working with it to fix issues and the current arrangement is the best way to identify and mitigate risks around Huawei’s involvement in the UK telecommunications sector.

The head of Germany’s Federal Office for Information Security (BSI), Arne Schönbohm, has previously said the agency has no such evidence around government-mandated backdoors to justify banning the company from Germany’s networks.

“The issue highlighted by the security agencies has mainly been down to a lack of consistency in deployed devices, compared to the tested ones” says Jimmy Jones, cybersecurity telecoms expert at Positive Technologies. “A lot of this probably comes from Huawei creating ‘local software solutions’ to support onsite challenges when they deploy in operator environments, but these tend to be complex installations into mature networks with a mixture of vendors. Smaller off-the-shelf solutions should be less affected.”

“Politically it looks pretty obvious there is no way that Huawei can completely unpick itself from the Chinese government, so really it comes down to trust and that is unquantifiable. The final decision for the individual CISO [around using Huawei’s 5G technology] has to come down to corporate stance, the deployment situation and the risks that presents to the core business, and possibly individual opinion.”

5G: New technology, same risk model?

5G may offer benefits around the scale and speed that data can be moved around, but like any new technology it is still a relative unknown when it comes to security. Even before mass deployment, vulnerabilities have been found within 5G standards and protocols, many of which were also present in previous generations and have been brought forward. An EU assessment of the risks around 5G stated that while many of these vulnerabilities are not specific to 5G networks, “their number and significance is likely to increase” due to the increased level of complexity of the technology around and greater reliance on 5G infrastructure.

“Very few operators will deploy standalone 5G networks and, if anything, will be using almost exclusively a mixture of different generations, with the added complication of interworking between them,” explains Jones. “The reality is that many 5G networks contain security flaws from day one due to their reliance on the existing 4G network core. Security threats associated with 3G and 4G will continue to remain long after 5G reaches the public and will heavily influence deployments for at least the next three to five years.”

As an example of how this can be exploited, a cross-protocol attack reveal a subscriber’s international mobile subscriber identity (IMSI), the unique id number associated with that connection, by exploiting vulnerabilities in 3G networks or obtaining of data about the operator’s network configuration via the 4G part of the network.

Jones adds that many use cases around 5G – augmented reality, drones, driverless cars, robotics, etc. – are so latency sensitive that the networks’ operations are being moved to the edge. So, instead of being located in a highly secure data center, more information is being processed and managed at smaller edge locations such as cell tower base stations with fewer people and security controls.

New ones will inevitably present themselves, too. For example, a report by 5GAmericas suggests 5G network slicing – which allows for the creation of isolated end-to-end networks to create more efficiencies – could be abused if poorly configured. In a potential scenario, malware in an IoT device could jump between slices and infect other endpoints if there isn’t enough isolation between different parts of the network. Other threats could include a denial of service (DoS) attack by depleting the available resources of a given slice.

“5G technology will have a virtualized core,” says NordVPN’s digital privacy expert Daniel Markuson. “That means software, rather than specialized hardware, will be routing voice and other data to ensure it gets to the right destination. Software-based architecture means that there are more potential entry points for attackers, and higher speeds will mean that hackers will be able to work and download data faster.”

The sheer number of devices that 5G will enable is a key consideration that organizations should bear in mind. While those devices will need securing, authenticating, patching and monitoring, the threat model for enterprises won’t change too much, according to Bharat Mistry, principal security strategist at Trend Micro. “Enterprise networks are mainly hub-and-spoke designs whereby devices connect to centralized switching and routing infrastructure, where cyber hygiene such as inspection and control can be practiced,” he says.

“With 5G, the network will change from centralized hardware switching to distributed software-defined digital routing. In a 5G software-defined network, activity is pushed outward to a web of digital routers throughout the network, denying the potential for chokepoint inspection and control,” says Mistry.

To remedy this, he says, security operations teams will need to think about how to protect and detect malicious activity on remote 5G devices — as many will connect to a network without any firewall or intrusion protection capabilities — as well as how to retrieve data from the devices and how to contain or isolate the infected devices.

How companies need to think about 5G security

While it is still in its infancy in terms of large-scale deployments, end-user companies are already concerned around some of the security challenges 5G will pose. Over 40% of organizations believe 5G will have very “significant impact” on their networks and may require a new security stack or an entirely new set of processes, according to a survey of over 700 security professionals globally by AT&T. Chief concerns were around a larger attack surface due increased connectivity, fears about the number of devices connecting to the network (and the policies and authentication around those devices), and the fear of as yet unknown vulnerabilities in 5G technologies.

5G still the most secure connection

“It should be stressed that 5G will probably be the most secure external connection an enterprise can use” says Positive’s Jones. “The telecom community has woken up to the security issues of previous generations and with 5G are attempting to design in security.”

He advises that CISOs should ensure their service providers are working on their security as an ongoing process and ensure the operator fulfilled their due diligence but also made the effort to understand their unique environment. “It can no longer be a cookie cutter approach. The relationship with the telecom operator needs to be far more proactive. A yearly visit to discuss the call charges or upgrade the office phone system will no longer cut it,” Jones says.

In the world of 5G deployments, the relationship between the 5G provider and the enterprise may well have to take on a different look, with more collaboration needed to ensure the network and everything on it is adequately protected.

“The traditional network perimeter as we know it will be completely eradicated as 5G connected devices can communicate over the internet to both public and corporate applications and services,” says Trend Micro’s Mistry. “Protection of these devices requires a collaborative approach between the enterprise organisations and the 5G service provider – conceptually very similar to the cloud services shared responsibility model.”

“Management and network orchestrating is one of the most important components of the 5G infrastructure. It is responsible for the configuration and management of all significant functions of 5G, and CISOs will want to know the ‘guard rails’ the ISP has put in place to ensure the infrastructure is configured in the correct manner, based on best practices and how they ensure any misconfigurations or actions of a malicious insider are identified and mitigated quickly.”

In addition, supply chain management becomes even more important when dealing with 5G. Enterprises should be aware that outsourcing is common, meaning although a 5G service may be being supplied by a network provider, behind the scenes it might be being directly run by the potentially high-risk vendors building the infrastructure.

Jones also says enterprises need to consider the applications they consume that are delivered via 5G. “The 5G core is expected to allow much greater third-party access with additional elements added to facilitate API access, allowing the third party to directly communicate and deploy to the operator’s infrastructure,” says Jones. “If an enterprise uses these services, they need to ensure they understand exactly how, and who is delivering the services. Telecom operators are almost implicitly trusted, but their level of control could be eroded so a full understanding of the supply chain is needed.”