Huawei’s big role in open source threatens new security backlash
Kubernetes, an open-source platform popular in the telecom industry, counts some of America’s best-known technology companies among its biggest contributors.
Google, the progenitor of the project, unsurprisingly heads the community’s contributor dashboard list.
But Red Hat (owned by IBM), VMware, Microsoft, Intel, and IBM itself all feature in the top ten. Scanning that list, any US politician nervous about the security implications of open source can rest assured that Kubernetes is in safe hands.
Until they stumble upon the name of the seventh-biggest contributor, that is. Huawei, a Chinese equipment vendor banned on security grounds from numerous Western markets, is identified in that spot.
Further down, in seventeenth position, our increasingly jittery public servant encounters ZTE, a kind of miniaturized Huawei backed by China’s government. Alibaba and Tencent, China’s answers to US Big Tech, make it into the top 50 as well. And several other Chinese names feature in the top 100.
Detractors have long argued that open source is risky business because it exposes organizations to code written by naughty characters. But its use in critical infrastructure looks set to grow.
The clampdown on Chinese vendors has buoyed a technology alternative called open RAN, designed to standardize the interfaces between different parts of the radio access network. This, supporters argue, would afford more specialist vendors a role.
Yet open RAN, as envisaged by Europe’s biggest operators, would also be heavily reliant on open-source code.
This much was made clear in a list of open RAN technical priorities, issued last year by Deutsche Telekom, Orange, Telefónica, TIM (Telecom Italia) and Vodafone.
Kubernetes, they said, should be the “mainstream implementation” of the cloud platform that hosts open RAN functions and applications. A follow-up document published earlier this year shows they have not changed their minds.
Western authorities are uneasy. In May, a report commissioned by EU member states about the cybersecurity implications of open RAN pointed out that “open-source software can provide attackers with a target-rich environment due to its widespread use.”
Earlier in the same report they had noted that “the possible use of open-source components could mean that the vulnerabilities are publicly known and could therefore be more easily exploited by malicious actors.”
Safety in numbers
The people who trade in open source dismiss these fears as nonsense. Code exposed to the world’s scrutiny cannot logically be less secure than proprietary software hidden from view in development stage, they argue.
The safety-in-numbers rationale assumes that criminals stand little chance of breaking in and causing damage when there are so many sentries stationed around the building.
“The advantage of an open model is that many people review the code that goes into open-source projects,” said Chris Wright, the chief technology officer of Red Hat.
“A lot of intellectual power goes into not just creating the code but also reviewing the code to make sure it meets the community’s standards for what should be produced.”
For a company like Huawei, already on the watchlist, slipping malicious code into Kubernetes would be like spiking a drink in public while forced to wear a “this barman is dodgy” T-shirt.
To read the complete article, visit Light Reading.