Archive for Connectivity

Concerns Over Huawei and ZTE Equipment and Software

A statement from the Czech National Cyber and Information Security Agency (NCISA) has warned network operators that using software or hardware made by Chinese telecom equipment suppliers Huawei and ZTE could represent a security threat.

Why?

Huawei, which is the world’s biggest producer of telecoms equipment, is based in China, and according to the NCISA, private companies residing in China are required by law to cooperate with intelligence services.  This could mean that the products and services of those companies could, in theory, become part of the Chinese state security systems, e.g. Huawei and ZTE could be used for spying on behalf of China.

Global Suspicion & Action

According to the Wall Street Journal, espionage chiefs from Australia, Canada, New Zealand, the U.K. and the U.S. (the so-called ‘Five-Eyes’), agreed at a meeting in July this year to try to contain the global growth of Chinese telecom Huawei because of the threat that it could be spying for China.

The US, Australia and New Zealand have barred Huawei Technologies Ltd. as a supplier for fifth-generation networks, and Japan also looks set to ban government purchases of equipment from Huawei and ZTE.

The U.S. government is also reported to have been putting pressure on Deutsche Telekom, the majority owner of T-Mobile US, to stop using Huawei equipment, although the head of Germany’s Federal Office for Information Security (BSI) Arne Schoenbohm is reported to have told German news outlet Der Spiegel that proof is required to substantiate the accusations.

Detained

Meng Wanzhou, the chief financial officer of Huawei, was recently detained in Vancouver at the request of U.S. authorities for violating US sanctions on Iran. The arrest of Meng Wanzhou happened on the same night that President Trump was dining with Chinese President Xi Jinping during the G20 summit in Argentina.  China’s state-run media and some other commentators have suggested that Meng’s detention appears to be politically or economically motivated.

Response

The response by a Huawei spokesperson to the NCISA warning has been to deny any suggestion that a national security threat is posed by Huawei to the Czech Republic, and to call for NCISA to provide proof of its claims.

What Does This Mean For Your Business?

If the ‘Five-Eyes’ are to be believed, Huawei’s products and network software could have backdoors built into them which could, in theory, allow covert surveillance or control, or destruction of phone networks (which are accessible via the internet).  The fear is that those acting for the Chinese state could gain access to the data stored on or routed through Huawei devices, telecoms equipment and software, and could even, perhaps, monitor the conversations on mobile phones.

There does, however, appear to be a lack of clear proof for the allegations, and bearing in mind that Huawei is the world’s biggest producer of telecoms equipment, and that its products are popular (this year it overtook Apple in terms of the number of handsets it was shipping worldwide) and that UK stores are still stocking and selling its handsets, the warnings of various governments look unlikely to be heeded for now.  It is worth noting that BT uses Huawei systems as part of its network, but is now removing Huawei systems from the core of the mobile network EE, which it purchased in 2016.

The advice as part of the recent Czech warning is that system administrators in critical information infrastructure should take ‘adequate measures’ against the threat.  This advice appears a little vague, and until conclusive proof can be produced, many people and businesses will feel that they can decide for themselves what, if any, action to take.

O2 Outage – What Happened

Last week’s major O2 4G mobile network outage, which left millions of customers with no network data access, has been blamed on an expired software certificate that 3rd party supplier Ericsson had installed for some customers at a business-critical part of the network.

What Happened?

On Thursday last week, O2 smartphone users were unable to use their mobile phone data for 24 hours.  O2, which is owned by Spanish communications company Telefonica, has the UK’s second-largest mobile network, which is part of BT, and as well as having 25 million users, it provides services for the Sky, Tesco, Giffgaff and Lycamobile networks (whose networks were also affected).  It is estimated, therefore, that the outage affected around 35 million users in the UK and other parts of Europe (and even Japan’s SoftBank).

As well as the considerable disruption and inconvenience caused to individual customers, there were knock-on disruptive effects for organisations that run connectivity services on O2’s network, including Transport for London (TfL), Shropshire Council and a number of NHS trusts. In the case of TfL, bus information display boards, part of the Countdown Systems network, stopped working at approximately 5 am. Shropshire Council reported problems with its car park payment machines, which use O2 data connections.

£Millions In Damages + Compensation Expected

The scope, severity and duration of O2’s data network outage, and the impact on the company’s reputation as well as on its users, have led to reports that O2 looks likely to seek up to £100 million in damages from Ericsson.

Also, O2 has already made announcements about how it plans to compensate customers.  For example, Pay As You Go customers look set to get 10% extra when they top up their phone in the new year or 10% off when they buy data for mobile broadband devices.

Both O2 and Ericsson have apologised.  It has been reported that Telefonica’s UK chief executive Mark Evans has promised a full audit of the problem across both organisations, and Marielle Lindgren, chief executive of Ericsson UK and Ireland has said that the software that caused the issues will be decommissioned.

What Does This Mean For Your Business?

Modern businesses now rely heavily on stable and reliable broadband connections and data network services.  Any interruption to these can be very disruptive and costly to businesses, with potentially disastrous consequences.  In this case, a whole day was lost, and the true cost to UK businesses (and their customers) may be difficult to calculate. For O2 and Ericsson, the incident appears to have caused some damage to their reputations.

As several tech commentators have since pointed out, the incident has illustrated how complex IT infrastructure has become and how, despite this complexity, organisations must stay on top of matters relating to software certificates, particularly those in business-critical systems. This incident also illustrates how problems with machine identities at critical nodes can have a wide-reaching impact on business and the economy.

Some commentators have also highlighted how operators picking up more IoT traffic and the introduction of 5G could mean that businesses are likely to experience more outages of this nature in the future.  The incident with O2 may also make some businesses take another look at their mobile strategies, feel less comfortable putting all their communications through a mobile operator, and take steps to reduce their dependence on any single external point of failure.