Much of the feedback on my column about Britain's Huawei Cyber Security Centre lambasting the Chinese telco giant code for being badly written, and horrendously insecure, centred around "yes but other vendors' software sucks as well".

That is very true. Here's a recent example of that from the company that invented networking, Cisco. Security researchers last year found serious flaws in some of the company's routers, the equipment that passes data traffic between networks.

They reported the flaws to Cisco so the company could develop a fix, as per the usual responsible disclosure processes.


Without getting too technical, the flaws are very easy to exploit by anyone to commandeer the equipment — not some obscure, difficult to understand bugs per se.

They're design mistakes — as if whoever wrote the code did not understand security basics.

Cisco issued a fix, but it's totally ineffective and had techies around the world rolling eyes and ridiculing the patch. So yes, it's not just Huawei.

Cisco has an excellent cyber security unit, Talos, that could've told the coders that "no no, that's a really bad idea to do it like that" if they had been asked, and there's really no excuse.

That said, it's worth noting the Huawei Cyber Security Evaluation Centre (HCSEC) report was the fifth annual one. The cyber security centre had raised the issues it contained in the past, and wasn't happy with the lack of action over the years.

While the HCSEC is a good transparency initiative, it doesn't appear to have been all that helpful in sorting out security issues that stem from bad coding.

If there's no control over the code that operate the network equipment, it's hard to get things fixed fast, even when you spot problems.

What's more, if there are tens of thousands of pieces of equipment in a network, working out which need sorting out, deploying fixes, and managing the massive exercise is fraught with problems.


As it happens, engineers have already thought about the above. Furthermore, it's work that New Zealand is at the forefront of via the Research and Education Advanced Network New Zealand, Victoria University and Google — open source-based software defined networking or SDN.

This is getting a bit deep geek, but if you imagine adding an SDN layer that controls the underlying hardware, with the latter being isolated from the actual production data network and easily monitored, then you wouldn't have to worry so much about insecure code operating on the actual equipment.

Done right, SDN proponents say the technology removes complexity and improves security as it means you don't need to worry about each piece of equipment on a network. Since it's open source, you control the code and can fix things, without leaving it to an overseas vendor.

Google uses SDN and the United States National Security Agency (NSA) is also a big supporter of the technology.

The upcoming 5G mobile broadband upgrade also contains SDN that allows operators to virtually "slice" networks without hardware changes to optimise them for specific functions such as Internet of Things sensor data traffic.

Network equipment vendors are less than enthusiastic about the technology as SDN turns them into "dumb pipes" which would reduce their value proposition.

Nevertheless, vendors are seeing which way the wind is blowing and now provide SDN solutions — Huawei included.

Telcos that have spent the past few decades cost-cutting by outsourcing their network designs, builds and maintenance might not have the technical ability any more to implement SDN properly.

Law changes could be required too, to allow SDN operators to reconfigure their networks on the fly when needed without having to wait for weeks for approval from GCSB.

Hurdles ahead but SDN could help defuse those awkward 5G network equipment bans. Wins for everyone, New Zealand included.