Interview: Wagner Morais, Cyber Security Consultant at VIVO Brazil

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Francesca Greane, Marketing, Content and Community Lead for 5G Latin America 2020, spoke with Wagner Morais – Cyber Security Consultant at VIVO Brazil – to discuss the new security threats that are surrounding the emergence of 5G in Latin America.

5G Latin America: In your opinion, what are the latest security threats when it comes to 5G in Latin America?

Wagner Morais (WM): The biggest threat to 5G security is to fail to comply with these practices and not to implement continuous supervision mechanisms with regard to security aiming at the integrity of the control and administration plan, as well as the implementation of interconnection supervision mechanisms (IPx). Most threats and fraud start with network interconnections. One thing is certain, the 5G network will inherit all the vulnerabilities of 4G networks, and research indicates that 100% of 5G networks are vulnerable to Denial of Service (DoS) attacks. Privacy is another challenge: threats like semantic information attacks, time attacks, and border attacks are primarily aimed at subscriber location privacy.

5G Latin America: What are the new threats that are being created by the move to 5G in Latin America?

WM: In addition to the vulnerabilities inherited from the 4G network, we will have the growth of DDoS attacks, and the possibility to exploit flaws to track the location of the cell phone and even transmit false emergency alerts.

5G Latin America: Is building infrastructure a cause for concern or an opportunity for new security architecture?

WM: The 5G infrastructure remains the most disruptive technology in recent years, I understand that it is an opportunity to explore this technology and the demand for 5G infrastructure and the incredible benefits offered by this technology have stimulated the investment of the main market participants. The security architecture is a great challenge, as new threats have emerged, and many challenges are to come.

5G Latin America: What are your recommendations for service providers and solution providers to evaporate these security fears?

WM: Investment in infrastructure and partnerships with companies that already have security tools and solutions for networks 4 and 5G with proven positive results and network security because of a greater exposure to attacks and a greater number of potential entry points for attackers. With 5G networks increasingly based on software, the risks associated with important security flaws, such as those resulting from bad software development processes at the suppliers themselves, are gaining importance. Therefore, the need for research and investments in security.

5G Latin America: What difficulties do the likes of IoT and new business verticals present in terms of this security question?

WM: One of the biggest concerns will be with the number of connected IoT devices. Security companies say that by 2020 there will be about 20 billion of these devices. And, no wonder, the number of Internet of Things attacks is increasing because device protection is poor and malware distribution is easily scalable. The company found 800,000 vulnerable devices last year. And, to avoid attacks of great destruction capacity, with threat of interruption of services, operators with 5G will have to develop new threat models more in tune with these realities.

5G Latin America: What are your recommendations for overcoming these challenges?

WM: All good security practices regarding the segregation of the entire control infrastructure, separation (micro / nano segmentation) of resources, reducing possible attack surfaces, as well as policies for hardening and approving equipment from the security point of view are necessary, 5G security starts “by design”, that is, all components are designed with security bias. In addition, it is necessary to create mechanisms for continuous security auditing in the various plans (control, data, administration). Not forgetting the continuous training and awareness of teams working on 5G systems.

Wagner Morais will be joining our speaker line-up for 5G Latin America 2020. Joining our Cyber Security Panel, Wagner will go into further detail on the security threats that are surrounding the emergence of 5G in Latin America, and how the ecosystem can overcome these emerging challenges.

 


Huawei dismisses fresh US racketeering charges

Huawei has publicly rebutted the new superseding charges of racketeering and trade secret theft filed by the US Department of Justice.

Officials from the DoJ and the FBI announced the charges against Huawei as well as two of its official subsidiaries, Huawei Device Co. Ltd. (Huawei Device), Huawei Device USA Inc. (Huawei USA), and two of its unofficial subsidiaries, Futurewei Technologies Inc. (Futurewei) and Skycom Tech Co. Ltd. (Skycom). Also on the defendants list is Huawei’s CFO, Meng Wanzhou (Meng), already in detention in Canada fighting her extradition case. The new charges being a superseding indictment means it contains and expands on the earlier charges officially announced in January 2019. As a result, most of the cases listed in detail in the full document are familiar to those following the Huawei vs. USA saga closely.

Huawei denies all the charges. “This new indictment is part of the Justice Department’s attempt to irrevocably damage Huawei’s reputation and its business for reasons related to competition rather than law enforcement,” the company said in a statement. “These new charges are without merit and are based largely on recycled civil disputes from last 20 years that have been previously settled, litigated and in some cases, rejected by federal judges and juries. The government will not prevail on its charges, which we will prove to be both unfounded and unfair.”

The charges broadly fall into two categories: racketeering and breaking US international sanctions.

Most of them fall into the first category. The DoJ alleges that Huawei and the associated parties have violated the 1970 “Racketeer Influenced and Corrupt Organizations Act (RICO)”. The law, targeted at organised crime, lists 35 types of offenses that may qualify as “racketeering”, from bribery and kidnapping to obstruction of criminal investigation by law enforcement agencies and everything in between. In the present case, the DoJ alleges that the “misappropriated intellectual property included trade secret information and copyrighted works, such as source code and user manuals for internet routers, antenna technology and robot testing technology”, and that, after winning unfair competitive advantages, Huawei and its subsidiaries reinvested the gains from this “alleged racketeering activity in Huawei’s worldwide business, including in the United States.”

Specifically, this category of actions allegedly includes “entering into confidentiality agreements with the owners of the intellectual property and then violating the terms of the agreements by misappropriating the intellectual property for the defendants’ own commercial use” and poaching competitor employees then “directing them to misappropriate their former employers’ intellectual property”, as well as “using proxies such as professors working at research institutions to obtain and provide the technology to the defendants.” Huawei is also alleged to have incentivised its employees for obtaining the most valuable competitor information.

When it comes to breaking sanctions, the indictment, updated with more details, is against Huawei and its subsidiaries’ alleged “business and technology projects in countries subject to U.S., E.U. and/or U.N. sanctions, such as Iran and North Korea – as well as the company’s efforts to conceal the full scope of that involvement.”

Meanwhile, the Department of Commerce decided to renew the Temporary General License for Huawei for 45 more days, which means American companies can have another one and half months to do business with Huawei legally while moving “to alternative sources of equipment, software and technology”, the DoC said.

In response to the DoC decision, Huawei reiterated its position that it should be removed from the government’s Entity List completely instead of being granted temporary licences one at a time. Not doing so “has done significant economic harm to the American companies with which Huawei does business, and has already disrupted collaboration and undermined the mutual trust on which the global supply chain depends,” the company said in an emailed statement.

Incidentally, while the DoJ accused Huawei of using scholars to gain access to advanced technologies otherwise unavailable to it, the Department of Education has launched an investigation into gifts from foreign governments to America’s top universities, with Harvard and Yale being singled out. These two schools as well as other Ivy League and leading schools including Georgetown, Texas A&M, Cornell, Rutgers, MIT, and Maryland, have failed to declare funding from Qatar, China, Saudi Arabia, and the United Arab Emirates. The DoE said since its enforcement efforts started in July last year, $6.5 billion of previously undisclosed foreign money has been reported.

The crackdown on US academics’ links to the Chinese government went up a notch late last month when Charles Lieber, the chair of Harvard University’s department of chemistry and chemical biology and one of the world’s leading nanoscientists, was arrested for lying about his link with a Chinese government-sponsored lab in China as well as the hefty payments ($50,000 per month) he received.

Huawei attacks US Government and Wall Street Journal credibility

Huawei has issued its retort to US accusations that it has access to telco networks, suggesting the US Government should be more mature than resorting to PR and propaganda campaigns.

“US allegations of Huawei using lawful interception are nothing but a smokescreen – they don’t adhere to any form of accepted logic in the cyber security domain,” the statement reads. “Huawei has never and will never covertly access telecom networks, nor do we have the capability to do so.”

Earlier this week, US officials briefed journalists at the Wall Street Journal regarding a technical loophole which granted Huawei access to telco networks around the world. Intended for law enforcement agencies, these backdoors offered opportunity for ‘Lawful Intercept’ activities when validated by the courts, though Huawei allegedly had access to these backdoors.

While it is a claim which certainly would have shocked a few people around the world, the story itself was a little bit suspect…

Firstly, if this is evidence of a smoking gun to prove espionage, why weren’t US officials showing this to the Governments of allied nations? Secondly, the US officials didn’t actually state that Huawei had done anything wrong. Third, it seemed unusual that only Huawei has access to these backdoors. And finally, if this is a situation which has been present since 2009, why are we only finding out about it now?

It would be foolish to completely disregard claims of espionage from the Chinese Government, but these statements from the US Government to the WSJ look more like a propaganda campaign, an offensive move to turn the tide of public opinion. If there was evidence, as the US officials suggest, surely it would be presented to other regulators and governments rather than a news outlet.

In its response to the allegations, Huawei has hit back suggesting the claims are nothing more than a ruse, the WSJ should have more credibility than to blindly follow such statements, its products are built to standards which make provisions for lawful intercept, and that it is an equipment manufacturer to the telcos.

The last point is an interesting one. Huawei manufactures equipment which it sells to telcos, who then operate it behind security firewalls and systems. There would have to be some very sophisticated and nefarious software skills to embed such treacherous backdoors, and considering the damning reports the National Cyber Security Centre (NCSC) gave it in recent months, it seems like a long shot. Not impossible, but perhaps improbable.

At some point the telcos are going to have to put their hands up and say they aren’t that incompetent. Security is one of the most important roles in a telco nowadays, and to suggest Huawei has managed to dupe the telcos for all these years without a single sniff of suspicion, or at least someone accidentally bumping into a backdoor, is also quite unlikely.

If a network is breached or has played a role in international espionage, the telco which owns it has as much to lose as Huawei; how many subscribers or enterprise customers would it have left if this was the case? How many lawsuits would they open themselves up to if all these allegations could be proven true? Eventually, the telcos are going to have to say they aren’t idiots and know what they are doing to mitigate risk and uphold the security principles they preach.

US throws more mud at Huawei

US Government officials have been baiting the line of deceit for Huawei once again, this time half-accusing the vendor of maintaining backdoor entry to networks through its equipment.

In an interview with the Wall Street Journal, the officials have suggested Huawei has access to backdoors built into communications infrastructure equipment which were intended for law enforcement agencies. It is not entirely clear how these backdoors have been built, how they have remained secret for so long, or why Huawei is the only company which can access them, but this is apparently the evidence the US has been hinting at for so long.

While it might sound like a ludicrous idea, the US Government knows it is possible to build backdoors into communications infrastructure equipment because it has done so frequently in the past. In 2013, Edward Snowden came forward with evidence to prove the National Security Agency (NSA) and Central Intelligence Agency (CIA) were spying on national and international citizens with zero accountability via products made by Cisco and Juniper Networks.

What is not entirely clear from the statements made from the US officials is whether Huawei is actually doing anything about it. The officials have told the WSJ that there are backdoors, and Huawei is aware of them, however, there is no assertion that any nefarious behaviour has been undertaken.

Huawei is yet to make comment on the matter for the moment, though the question remains whether it actually has to do so just yet. The US has been making these accusations for some time, and this might just be another twist on the argument. Until evidence of the backdoor is verified, or that Huawei actually spied on anyone at the behest of the Chinese Government, this is little more than another wave of US propaganda.

Although these claims are more specific than others which have been made in the past, it will be interesting to see whether they are validated by anyone else. European Governments have asked the US to present them with a smoking gun if they were to consider banning Huawei, and it has not done so yet. Presumably the US officials have approached counterparts in allied nations to coincide with this PR campaign through the WSJ, otherwise the credibility falls straight to the floor.

This might be one of the strongest accusations made by the US to date, but if European Governments are not taking action it is either because (a) the US officials have not presented this evidence to them, or (b) the evidence is not deemed sufficient to make a decision on banning the vendor. The coming days and weeks will fill in some of the blanks, but if no action is taken by European Governments, this should be chalked up as nothing more than a PR campaign to turn the tides of public opinion.

The US Government might be losing the battle to turn public opinion in Europe against Huawei, but that is because it has not yet presented anything aside from rhetoric and suspicion. And it is easy to understand why the US Government is so suspicious and worried over espionage from the Chinese Government, given its own rich history in the matter.

Benign brother has got your back: China launches coronavirus app

China’s government bodies and businesses have jointly launched a mobile app to help detect if people have been in close contact with those suspected of carrying the novel coronavirus.

The app has access to multiple official holders of private data. By registering with his or her name and Chinese ID number, a smartphone user can use the app, called “Close Contact Detector” to check if he or she has been in proximity of those who are later either confirmed or suspected to have the virus. Such close contacts include travelling in the same train carriage or sitting within three rows on the same flight with those carrying the virus.

One registered user can check the status of up to three users by inputting their ID numbers and names. One ID number is limited to one check per day. The app will then return an assessment of which category the individual in question falls into: Confirmed case, Suspected case, Close contact, Normal. Xinhua, one of the major official propaganda outlets, reported that over 105 million checks have been made by users three days after the app was launched.

The app development was led by the government organisations responsible for health which was joined by China Electronics Technology Group, one of the country’s largest state-owned enterprises, as well as the leading smartphone makers Huawei, Xiaomi, OPPO, and Vivo. The backend data comes out of the National Health Commission, the Ministry of Transport, China State Railway Group Company, the state owned enterprise that operates all the rail transport in China, and the Civil Aviation Administration, the aviation regulator.

The fact that private travel data is made readily available to business entities without explicit consent from the individuals involved may raise plenty of eyebrows in places like Europe, but the attitude in China is different. “From a Chinese perspective this is a really useful service for people… It’s a really powerful tool that really shows the power of data being used for good,” Carolyn Bigg, a Hong Kong-based lawyer, told the BBC.

“Close Contact Detector” has been pushed out by the smartphone brands as a priority app to their users in China. It is unclear how or if promoting to users of other smartphone brands, iOS users, or non-smartphone users, will be conducted. Nor is it clear if there are plans to extend the coverage to residents without a Chinese ID number, such as foreign nationals staying in China.

Telecoms.com has learned that over the last few weeks there have been other online tools to help concerned users check if they had unknowingly come into contact with confirmed victims of the new coronavirus. The key difference from the new contact detector is that, in the earlier attempts, backend data was crowdsourced from publicly available information including the flight and train numbers of the confirmed cases published in the media.

Neither is contact detector the only use case where user data is playing a role. A recent video clip making rounds on social media shows a drone flying a blown-up QR code that drivers can scan to register before they enter Shenzhen after the long Chinese New Year break. The method is deployed presumably to prevent cars and drivers registered to the major disease hit regions from going through, as well as reduce human-to-human interaction. Xinhua reported that the Shenzhen Police, which is responsible for managing the local traffic and owns the automobile and driver data, is behind this measure.

Germany set to follow UK on Huawei conundrum – report

Huawei looks to have survived another European scare as Germany closes in on a deal which would offer the company restricted freedoms, similar to the position of the UK.

According to reports in Reuters, the leading political parties in Germany are set to agree on a strategy paper which would allow Huawei a restricted role to participate in the deployment of 5G networks. It might be considered a bit of a snub to the US, but like the UK this would appear to be a pragmatic approach to delivering the next generation of connectivity.

“State actors with sufficient resources can infiltrate the network of any equipment maker,” the agreement states. “Even with comprehensive technical checks, security risks cannot be eliminated completely – they can at best be minimized.

“At the same time, we are not defenceless against attempts to eavesdrop on 5G networks. The use of strong cryptography and end-to-end encryption can secure confidentiality in communication and the exchange of data.”

Although this is not a confirmed position yet, it is believed the new position will be voted in later today (February 11). There are still aggressors who are pursuing an all-out ban, namely the Social Democratic party, a junior coalition partner to the Christian Democratic party, though it appears Huawei will survive, albeit in a limited function.

The paper would outline a similar approach to managing Huawei as the UK has taken. As you can see from the statement above, the German authorities seem to be taking the approach that as it is impossible to guarantee 100% safety, irrespective of the equipment manufacturer, it is not logical to target one specific company.

The paper apparently states the network would be split into the three different components (radio, transmission and core), and different procedures for handling Huawei equipment dependent on its designation. This is a risk-management approach, similar to the one taken in the UK.

The issue which the Germans are facing is also similar; German telcos are all existing customers of Huawei and have signed agreements to work with Huawei going forward. Should a ban be implemented, not only would this create a problem in terms of time (negotiating new commercial agreements, testing equipment etc.) but there might also have to be expense incurred as ‘rip and replace’ projects are kicked off to ensure backwards compatibility.

In the UK, BT has said it will cost £500 million to become compliant with the Huawei restrictions in the RAN. This might sound like a significant investment, but it would have been considerably worse if a complete ban had been introduced.

Other elements of the strategy which could impact the telcos are potential demands to enforce a multi-vendor supply chain, and security checks on equipment which all vendors would have to adhere to. This is an idea which has been raised in the past, paying homage to the complexity and variety of supply chains nowadays; as 100% security cannot be guaranteed by everyone, every vendor would be forced to demonstrate security credibility.

It is not yet guaranteed that Germany will take this approach, but it does appear the German Government will try to mitigate risk and compensate for the current status quo.

Despite all the lobbying and threats which have been passed across the Atlantic from the White House, it does appear US delegates were unable to present evidence of a ‘smoking gun’ which would have turned European governments against Huawei and other Chinese vendors. This is a win for the US, it has demonstrated it has influence over Europe after all, but its ability to dictate policy is becoming weaker.

One question which does remain is the impact this will have on the German-US relationship. President Trump has not been on the greatest of terms with Merkel over the years and considering the influence Germany has on the European Union bureaucracy, the White House finds itself more irritable.

On the other side of the coin is the relationship between Germany and China. China is an important trade partner of Germany, especially the automotive industry which has such a powerful lobby in the country. Irritating this relationship with the Chinese would not be something many would want, and it does appear a snub to the US is tolerable.

While the UK and Germany are only two nations, it does appear the US is losing the political influence game in Europe. Other European countries pay attention to the opinions and actions of these Governments, and it might be a case of the first dominoes to fall, especially with the likes of France and Italy also leaning towards a Huawei-friendly environment.

Trump throws his toys out of the pram over UK Huawei decision

US President Donald Trump reportedly gave UK PM Boris Johnson a major ear-bashing over the phone following the UK’s decision to allow Huawei in parts of its 5G networks.

The news comes courtesy of the FT, who has an anonymous source that reckons they know how the phone call went. We’re told Trump was apoplectic and expressed his views in livid terms. It must have been a hilarious call, with Trump hurling abuse and BoJo countering with placatory phrases such as “steady on, old chap”.

Trump’s notorious petulance aside, it’s becoming increasingly clear that his administration views 5G as a matter of core geopolitical concern, both in terms of security and commerce. It has been moved to the front line of the battle of wills between Trump and Chinese supremo Xi Jinping and the US is trying to insist its allies do what they’re told on the matter.

US Attorney General William Barr made a speech yesterday in which he banged on about what a threat to all we hold sacred China is. Barr thinks 5G is a critical weapon to be used against China and reiterated the FCC’s position on the importance of getting hold of C-Band spectrum as part of an increasingly state-sponsored bid for 5G dominance.

At the core of his speech was the need to have an alternative to Huawei that the US state can control. Apparently oblivious to the hypocrisy of this stance, since it’s the suspicion of Chinese state control over Huawei that has fuelled US hostility towards it, Barr seems to think state intervention in the affairs of private companies is OK so long as the goodies are doing it.

“There have been some proposals that these concerns could be met by the United States aligning itself with Nokia and/or Ericsson through American ownership of a controlling stake, either directly or through a consortium of private American and allied companies,” said Barr. “Putting our large market and financial muscle behind one or both of these firms would make it a far more formidable competitor and eliminate concerns over its staying power or their staying power. We and our closest allies certainly need to be actively considering this approach.”

The US position on 5G, security and China seems to be evolving rapidly. In the space of what feels like just a few weeks it has moved from trying to persuade its allies to distance themselves from Huawei to shouting at them down the phone and contemplating direct intervention in their companies. Trump needs to seriously consider winding his neck in on this before he permanently alienates the US from its global friends.

US hints at state support for domestic ORAN push

The US government is thinking of subsidising US tech companies to help them get better at 5G software, in the hope that will solve the Huawei problem.

The rumour comes courtesy of the WSJ, which actually has a named source for once. White House economic adviser Larry Kudlow told the Journal that the White House is ‘working with’ tech companies to help them raise their game when it comes to networking software. This would enable the US to be self-reliant on 5G in the advent of the Open RAN movement getting to the point when it was actually useful.

Presumably US tech companies have previously tried to take on Huawei in the networking market but failed. What a few top tips from President Trump will do to tip the balance in their favour is unclear, but a shed-load of public cash never does any harm. Among the companies involved in the initiative are AT&T, Microsoft and Dell, apparently, but Ericsson and Nokia also seem to have been adopted by the US for the purpose of this exercise.

Unsurprisingly Dell and Microsoft are especially keen to get involved, cognisant as they presumably are of the massive new market available to them if networks can be run by software sitting on any old server. Apparently Michael Dell has even gone on the record as saying “software is eating the hardware in 5G.”

While we would never suggest that some US tech companies might exploit the current use of Huawei as a pawn in the trade war with China, we can imagine the likes of Dell exaggerating the short term prospects of ORAN in order to tell budget-holding politicians what they want to hear. For further analysis, check out this Light Reading piece.

Vodafone claims removing Huawei from its European cores will cost €200 million

Vodafone group reported solid Q4 2019 numbers for Europe but says it will have to blow €200 million on swapping Huawei out of many of its network cores.

Group revenues were up 7% year-on-year, driven by a 10% jump in Europe, which in turn was helped by the Liberty Global acquisition. Having said that, organic service revenue growth was flat, which is probably why the Vodafone share price is unmoved by the results. An additional factor will be an unchanged outlook.

“I am pleased with the pace at which we have executed our commercial and strategic priorities, which has allowed us to maintain our momentum in the quarter,” said Group Chief Exec Nick Read. “Competition in Europe remains challenging, primarily in the value segment, however we continued to improve customer loyalty and to grow in broadband, and we achieved good growth in Africa. We expect a further gradual improvement in service revenue growth in Q4, led by Europe.

“We have recently announced the proposed sale of our stake in Vodafone Egypt, which simplifies the Group into two scaled regional platforms – Europe and sub-Saharan Africa – and reduces our net debt. We have also appointed the senior management team for our European TowerCo, and we are preparing for a potential IPO in early 2021.”

The juicy bit of the quarterly presentation concerned Huawei, inevitably, with Vodafone detailing the implications of the recent decisions made by the UK and the EU on its business. The good news is that Vodafone UK is already complying with the restrictions, so no adjustments are needed. In parts of Europe, however, there are bits of Huawei gear in the core, which will apparently cost around €200 million to rip and replace.

We spoke to telecoms Analyst John Strand and he was keen to flag up the wording on the last part of the above slide, noting the €200 million number was just a ‘position’, rather than a piece of hard accounting. He also noted that, in the UK, BT has said the cost of replacing Huawei is essentially priced into regular network investment, so why is Vodafone implying this is extra cost? That whole section of the slide could be interpreted as laying the ground to get compensation from the EU and to lobby against quotas in countries where it has a lot of Huawei in the RAN, like Germany.

Other than that, the hell that is the Indian telecoms market remains a major issue. “In October, the Supreme Court gave an adverse judgement in the adjusted gross revenue (“AGR”) case against the industry,” said the Vodafone report. “The outlook for Vodafone Idea Limited (“VIL”) remains critical. VIL is actively seeking various forms of relief from the Indian Government to ensure that the rate and level of payments it makes to the Indian Government is sustainable and it can meet its other commitments as they fall due.

“In November, the Department of Telecommunications granted a two-year spectrum moratorium to the industry. In January, the Supreme Court rejected the review petition filed by VIL and other industry participants in relation to the AGR judgement. Both VIL and Bharti Airtel Limited have subsequently filed modification petitions, which are expected to be heard imminently, to request the Court to order the Department of Telecommunications to determine a payment schedule in relation to AGR dues and other reliefs.”

So Vodafone seems to be keen on state aid pretty much everywhere. To be fair a lot of the special circumstances it finds itself in have been brought about by state activity, but it still needs to be strategic about how often it extends the begging bowl. If governments and regulators start to perceive Vodafone as excessively opportunistic, they’re likely to lose sympathy fast.