Background

The sigh of relief from those who hold an interest in Australia’s security was almost audible as news hit the press this morning that Huawei and ZTE would be blocked from rolling out the national 5G network [1].

Both entities have been in the media extensively over reported links back to, and control exercised by, the Chinese Government (despite the protestations of both). In the United States, for example, Huawei responded to the Federal Communications Commission's (FCC) notice of proposed rulemaking (NPRM) by taking the line that the US would pay more for its infrastructure under other providers, as if there were a price limit on assuring a country's security and sovereignty.

According to the article, “The FCC had used the NPRM to suggest that it ensure Universal Service Fund (USF) funding not be spent on “equipment or services from suppliers that pose a national security threat to the integrity of communications networks or the communications supply chain”, with the FCC including direct references to Huawei and fellow Chinese company ZTE.”

Why are they even under consideration?

That Chinese companies are even positioned to bid on main-line communications networks and systems outside their own territory should, based on reporting, be a concern to the populations placed at risk.

The weight of evidence uncovered by companies like the US-based cyber consultancy Mandiant paints a rather grim picture of the Chinese threat; the highlights of a report released by The Mandiant Intelligence Centre in 2013 [2] included:

  • Evidence linking Advanced Persistent Threat (APT) 1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).
  • A timeline of APT1 economic espionage conducted since 2006 against 141 victims across multiple industries.
  • APT1’s modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.
  • The timeline and details of over 40 APT1 malware families.
  • The timeline and details of APT1’s extensive attack infrastructure.

The emerging evidence against Huawei and ZTE

There has been a steady stream of supporting evidence in the period since 2013. The UK Government only recently highlighted a range of shortcomings in Huawei's engineering processes, which it said "…have exposed new risks in UK telecoms networks" [3]. What was noteworthy in that article was the suggestion that Huawei, as the "…world's biggest producer of telecoms equipment and…major supplier of broadband and mobile network gear in Britain", was introducing third-party software and components that were not subject to "…sufficient control".

In fairness, this is not necessarily limited to Chinese suppliers, and discrete pieces of equipment and software introduced to any secure network represent a risk that must be managed.

At the very least, the lack of transparency around the relationships between the Chinese Government and its commercial entities abroad makes them an unsafe proposition where the national security of another country is at stake. Australia is no exception, and it brings into doubt any platforms, solutions, equipment and software that these companies control.

It also begs the question: what on earth was the Western Australian Government thinking when it recently awarded Huawei a $136M 4G telecommunications contract for Perth trains? [4] That decision comes on the back of the 99-year lease of the pivotal Darwin Port to a Chinese-owned company for $100M [5], and in spite of what you would have expected to be clear advice around the security risks involved in foreign investment in critical infrastructure. Evidence that such advice exists is clearly in the Federal Government's decision announced this morning.


The Australian Chairman’s conflicted Huawei 5G position

The ongoing security concerns that have been raised by multiple Western Governments cannot be placated by the conflicted assertions of John Lord, the Australian Huawei chairman, that “There’s no reason for us to pass lots of data back to China…” [6]. And the fact that Huawei Technologies was reported to be “…the biggest corporate sponsor of overseas travel for Australian politicians…” [7] can only heighten fears that attempts are ongoing to undermine the interests of Australia.

One needs only to look to the Labor Party’s disgraced Sam Dastyari, who resigned his position in the Australian Senate after being accused of repaying Chinese financial favours with favourable political positions, for an affirmation of how things can be perceived to work.

So good on the Federal Government for looking after Australia on this one. One would hope that this really was a pragmatic decision based on security risk management, and not one influenced by political expediency in view of the current political malaise in our country.

Either way, this is only one victory for common sense; let’s hope there are many more.

Yours in SRM,

Konrad Buczynski

Konrad is a graduate of the Royal Military College Duntroon and served as an Australian Army Officer and telecommunications specialist until 2001. He has held roles as Director of the Australian Centre for Security Management and Chief Security Officer | Crisis/Business Continuity Program Manager at Thales Australia-New Zealand, the region's largest Defence Prime Contractor at the time.

A Certified Practising Risk Manager, Registered Security Professional, member of numerous security working groups and technical committees, and designer and author of innumerable security risk management programs, Konrad is the architect and co-founder of SECTARA. He is a company Principal and SECTARA's Managing Director.


[1] https://www.theaustralian.com.au/business/huawei-banned-from-rolling-out-australias-5g-network-due-to-security-concerns/news-story/f8cd0faa71d5fd510c2360cc6c4dc9af

[2] https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html

[3] https://www.bbc.co.uk/news/technology-44891913

[4] https://www.abc.net.au/news/2018-07-09/huawei-wins-wa-telecommunications-rail-contract-security-fears/9957258

[5] https://www.abc.net.au/news/2016-03-07/darwin-port-deal-funds-quick-hit-to-nt-economy/7228000

[6] https://www.abc.net.au/news/2018-06-27/huawei-boss-defends-telco-foreign-interference-debate-continues/9915164

[7] https://www.arnnet.com.au/article/642957/huawei-top-sponsor-aussie-politicians-overseas-trips/