Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment – WSJ


“Reminds me of the 1990’s Microsoft Windows/Internet Explorer Security Issues, Not Stuxnet”

-Mayo615

Source: Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment, Report Says – WSJ

A detailed report, prepared by Finite State, a Columbus, Ohio-based cybersecurity firm, concludes that Huawei telecom switching gear is far more vulnerable to hacking than other vendors’ hardware due to firmware flaws and inadvertent “back doors” that were discovered. The report has been circulated widely among cybersecurity experts in the U.S. and UK, and it is considered credible. The report stops short of concluding that Huawei deliberately inserted the flaws to enable espionage, as it appears more likely that the flaws are due to undetected software development errors. The Trump Administration has nevertheless seized on the report to claim evidence of Chinese espionage intent. The report’s conclusions do offer sound evidence that Huawei gear should not be inserted into telecom systems until these errors are removed. This reminds me of the time when Microsoft Internet Explorer and Windows were suspected of being serious security risks for having so many security holes.

Huawei Enterprise Network Switch

From the Wall Street Journal:

WASHINGTON—Telecommunications gear made by China’s Huawei Technologies Co. is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible.

Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer.

The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei.

“This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers,” said a White House official who reviewed the findings. “Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems.”

The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.

While the report documents what it calls extensive cybersecurity flaws found in Huawei gear and a pattern of poor security decisions purportedly made by the firm’s engineers, it stops short of accusing the company of deliberately building weaknesses into its products. It also didn’t directly address U.S. claims that Huawei likely conducts electronic espionage for the Chinese government, which Huawei has long denied.

A Huawei official said the company welcomed independent research that could help improve the security of its products but added he couldn’t comment on specifics in the Finite State report because it wasn’t shared in full with the company.

“Without any details, we cannot comment on the professionalism and robustness of the analysis,” the Huawei official said.

Based in Shenzhen, Huawei is the world’s largest telecommunications equipment provider and a leader in next-generation 5G wireless technology.

Huawei has emerged as a central fixture in the growing rift between the U.S. and China over technology, especially with the approach of 5G cellular technology.

The Commerce Department in May cited national-security concerns when it added the telecommunications giant to its “entity list,” which prevents companies from supplying U.S.-origin technology to Huawei without U.S. government approval.

Finite State Chief Executive Matt Wyckhouse co-founded the firm in 2017, after spending nearly 13 years at nearby Battelle, a private, nonprofit applied-science and technology firm that does work in the private and public sectors.

Mr. Wyckhouse, a computer scientist who worked in Battelle’s national security division handling defense and intelligence-community contracts, said Finite State did the work pro-bono and not on behalf of any government. He also said he felt the best way to make policy makers aware of the issues was to make his firm’s research available to the public. He plans to publish it this week.

“We want 5G to be secure,” Mr. Wyckhouse said.

Finite State said it used proprietary, automated systems to analyze more than 1.5 million unique files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise-networking product lines.

The company said the rate of vulnerabilities found in Huawei equipment was far higher than the average found in devices manufactured by its rivals, and that 55% of firmware images tested contained at least one vulnerability—which the authors described as a “potential backdoor”— that could allow an attacker with knowledge of the firmware and a corresponding cryptographic key to log into the device.

The report includes a case study comparing one of Huawei’s high-end network switches against similar devices from Arista Networks and Juniper Networks Inc. It found that Huawei’s device had higher risk factors in six of nine categories, generally by a substantial margin.

“In our experience, across the board, these are the highest numbers we have ever seen,” Mr. Wyckhouse said.

In one instance in the case study, Huawei’s network switch registered a 91% risk percentile for the number of credentials with hard-coded default passwords compared against all of Finite State’s entire firmware data set.

By comparison, the risk level for Arista and Juniper was rated at 0%.

Chris Krebs, the top cybersecurity official at the Department of Homeland Security, said Finite State’s research added to existing concerns about Huawei equipment and the conclusion that the company hasn’t shown the intent or capability to improve its security practices.

“With Huawei having not demonstrated the technical proficiency or the commitment to build, deploy, and maintain trustworthy and secure equipment, magnified by the Chinese government’s potential to influence or compel a company like Huawei to do its bidding, we find it an unacceptable risk to use Huawei equipment today and in the future,” Mr. Krebs said.

White House officials who reviewed the Finite State report said the findings revealed flagrant violations of standard protocols. They said the report’s findings also suggested Huawei may be purposely designing its products to include weaknesses.

For example, some of the vulnerabilities found are well-known cybersecurity problems that aren’t difficult to avoid. Of the devices tested, 29% had at least one default username and password encoded into the firmware which could allow malicious actors easy access to those devices if the credentials were left unchanged, according to the report.

A particularly unusual finding was that security problems became quantifiably worse in at least one instance for users who patched a network switch with an updated version of firmware compared with the two-year-old version being replaced. Patches are intended to reduce cybersecurity weaknesses, but a comparison of the two versions found the newer one performed worse across seven of nine categories measured.

“For years, Huawei has essentially dared the international community to identify the security vulnerabilities that have so often been alleged regarding the use of the company’s products,” said Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, a bipartisan panel that makes recommendations to Congress. “It’s hard to see the range and depth of the vulnerabilities identified by Finite State to be anything other than intentional.”

The U.K.’s National Cyber Security Centre also reviewed the Finite State research, people familiar with the matter said, and found it broadly aligned with the technical analysis in the agency’s own report, published in March. The U.K. report accused Huawei of repeatedly failing to address known security flaws in its products and admonished the firm for failing to demonstrate a commitment to fixing them.

A 2012 U.S. government review of security risks associated with Huawei didn’t find clear evidence that the company was being used by China as a tool for espionage, but concluded its gear presented cybersecurity risks due to the presence of many vulnerabilities that could be leveraged by hackers.

Rep. Mike Gallagher (R., Wis.) said the report highlights the urgency for members of Congress and others to stop Huawei from taking over the global telecommunications supply chain.

“I’ve long thought we should treat Huawei as an appendage of the Chinese Communist Party,” said Mr. Gallagher, who earlier this year introduced legislation targeting Chinese telecommunications firms. “But even I was taken aback by the scale of the security flaws within Huawei’s network architecture as revealed by the report.”

Strategic Inflection Points

I want to more fully explain the concept of Strategic Inflection Points. I have referred to this topic in my Week 5 and Week 11 update videos. Former Intel CEO Andy Grove first described a strategic inflection point as a time in the life of a business when its fundamentals are about to change. That change can mean an opportunity to rise to new heights. But it may just as likely signal the beginning of the end. An inflection point can be the result of an action taken by a company or an action taken by another entity. An excellent recent example may be Facebook’s announced intention to enter the cryptocurrency market. The markets have already reacted sharply to Facebook’s move. Analysts have suggested that it may significantly alter the forecasts for cryptocurrencies. Change is inevitable and change is happening more rapidly than ever. Adaptation to change is imperative for corporate survival.


Managing The Accelerated Corporate Lifecycle

Anyone starting a new company should understand the concept of the “corporate life cycle”, and use it as a guide for understanding where the company is in that cycle, to understand the risks at each stage, and to recognize the need for action to change course. This graphic shows a typical corporate life cycle and different possible paths as the company matures. Management of the corporate life cycle also dovetails with the concept of a “strategic inflection point,” which I briefly discussed in my Week 5 Report, The Internet of Things. John Chambers, the former CEO of Cisco Systems, has pointed out that the rapid acceleration in market changes has also accelerated the corporate life cycle, emphasizing the importance of understanding it. Companies abound that were initially very successful and yet eventually closed their doors, or were acquired, because the company did not anticipate market changes and the need to adapt to the new situation.


As Change Accelerates, More Important Than Ever

Strategic Focus versus Nimbleness

This week I want to discuss the importance of strategic focus, while still being open to possible opportunities, sometimes called corporate “nimbleness,” which may seem like a contradiction. I am a strong believer in strategic focus; however, I have also personally experienced a case where an “openness” to opportunity transformed the enterprise from a pedestrian company into a Silicon Valley legend. Ascend Communications was “focused” on ISDN-based video conferencing with a modest and profitable OEM agreement with AT&T. However, AT&T came to Ascend and asked if it could solve a much bigger problem…


Paris, the Rising Hope for a European Silicon Valley | OZY 🇫🇷


Aix/Marseilles, Bordeaux, Lyon, Paris, and Toulouse Are All Thriving French Tech Innovation Hubs

This article and others have focused on the recent meteoric rise of Paris as an emerging high technology innovation hub. However, there is much more to it than just Paris. There are thriving La French Tech Hubs all over France and in international locations around the world. Both KPMG’s annual global Technology Industry Innovation Survey and the 2019 Startup Genome Global Startup Ecosystem Report have validated the significant advance of France and Paris as a leading innovation center.

Source: Paris, the Rising Hope for a European Silicon Valley | Fast Forward | OZY

Nick Fouriezos, Reporter

WHY YOU SHOULD CARE ABOUT THE RISE OF FRENCH TECH

The French, with their 35-hour workweek and café culture, might be poised to attract the next great tech talent.

Rand Hindi has the quintessential tech guru genesis story. He started coding at age 10 and built a social network by 14. After getting a Ph.D. in artificial intelligence, the entrepreneur set his sights on Silicon Valley. But that’s where the narrative began to fray. Despite all the hype, the Bay Area, known for innovation, felt like a bust. “When you [speak] to people, everybody says they want to do something great,” Hindi says. “But what people really want is to work at Google or sell their company to Google.” So Hindi returned to his native France, started Snips, a company specializing in AI voice technology, and watched his company flourish from three employees in 2013 to 80 today.

As a growing souring on Silicon Valley sinks in, young tech workers aren’t just leaving hot spots like San Francisco and New York, as OZY has previously reported. They are also leaving the country altogether. And while Asia’s — and in particular China’s — tech advances are drawing the world’s attention, it turns out that a growing number of startups are swooning for the City of Love.

For the first time, more than half of respondents to KPMG’s annual global Technology Industry Innovation Survey in 2019 believed that Silicon Valley will no longer be the technology innovation center of the world in four years — due to questions around its escalating cost of living, lack of diversity and troublesome corporate cultures. Cities like Beijing, Tokyo, Shanghai and Taipei are best placed to replace it, the survey suggests. But it’s Paris that is gaining the most steam. After not being ranked in last year’s KPMG survey, it moved up to No. 14 — behind only London among European cities. Other analysts are even more bullish: Paris ranked fourth in the A.T. Kearney Global Cities Report and third in the IESE Business School Cities in Motion Index.

Driving this shift is a growing contrast in France’s approach toward global tech innovations to the U.K. and the U.S., experts say. On the one hand, London’s status as a financial and innovation hub stands challenged by Brexit’s enduring uncertainties. And America and Britain are tightening up on immigration. On the other hand, the French government is aggressively courting tech entrepreneurs and investments — a strategy that’s showing results. Paris rents are also 61 percent cheaper than San Francisco’s, according to Numbeo, the crowd-sourced global database of statistics such as consumer prices, perceived crime rates and quality of health care.

In 2017, the Emmanuel Macron government introduced a program that fast-tracks four-year residence visas for tech entrepreneurs and their families. Since then, French tech startups are witnessing a dramatic increase in funding: There were 743 French startups raising money in 2017, a 45 percent increase from 2016, according to CB Insights. Global giants are taking notice, with both Facebook and Google opening new AI research centers in Paris. Google has even announced plans to create local “hubs” to teach digital skills in other French cities, such as Rennes, with the goal of getting more people online (and using Google products).

The private and nonprofit sectors are pitching in too. Since June 2017, Paris has hosted the 366,000-square-foot Station F, the world’s largest startup incubator, backed by French billionaire Xavier Niel and Iranian-American executive Roxanne Varza. In October 2018, nonprofit StartHer hosted Europe’s biggest startup competition in Paris explicitly catering to female founders, with a record 363 applications from 30 countries. And this March, the French government further expanded access to its tech visa, from around 100 qualifying startups to more than 10,000.

“It makes perfect sense that people who are thinking entrepreneurially would want to blaze a different path” given the high rent, cost of living and income disparities emerging in the Bay Area, says Andrew Russell, dean of the College of Arts & Sciences at SUNY Polytechnic Institute. Cities like Paris see “an opportunity to capture some of the energy” of Silicon Valley “without falling into some of the excesses and toxicity,” Russell adds.

Admittedly, the European market does not hold the same kind of stratospheric (and, to this point, largely unrealized) potential of Asia. But the new buzz around France’s startup scene simply didn’t exist just a few years ago. Hindi remembers the policies of François Hollande being “anti-startup” when the former French president first took over in 2012. But a rising backlash driven by business leaders led to significant change, says Hindi, a former member of the French Digital Council advising on AI and privacy issues.

Before, if your company went bankrupt, you were banned from starting another one for nine years, making students from French business and tech schools risk-averse. That policy has since been scrapped. Tax credits for hiring people were created, and up to 30 percent of a startup’s technology and salary expenses are reimbursed by the French government, allowing French companies to operate at a fraction of the cost of their foreign competitors. Then there’s the tech visa and its expansion.

Those incentives are sorely needed, considering the obstacles France does have. While the country has enough angel investors — and a de facto investor with the government — there isn’t much of an exit market. Unlike American companies, European companies have a tradition of more of a revenue-profit mindset and less of a willingness to take on the (substantial) risk of acquiring a mid-tier player and turning it into a massive, industry-defining giant, Hindi says. They also prefer to invest in goods and services over potentially groundbreaking technology that needs a few years to develop before producing, he adds. The even bigger challenge? The language, which is why London has typically reigned supreme in the European market.

Some of those issues are more perception than reality, say entrepreneurs and tech workers in France. Snips engineer Allen Welkie — who moved to Paris after working at startups along the East Coast of the United States — says many French-based companies are bilingual and that the visa process was simple. A better work-life balance than in the U.S. helps boost retention too, Hindi says. “In Silicon Valley, everybody is fighting for the same few talented people. … If you’re lucky, they’re going to stay a couple of years. How can you build a company if people are constantly leaving?” As San Francisco becomes more and more untenable for everyone but the highest earners, it’s worth asking whether you can build a city that way either.