KPN Disputes Reported Surveillance Risk to Users, Who Included Dutch Prime Minister
A bombshell news report suggests that Dutch mobile network provider KPN in 2010 didn’t know if one of its major equipment suppliers – China’s Huawei – was spying on its users.
Viewed 11 years later, the report – which has just come to light – stands as a risk management reminder that all organizations must regularly review the security of their supply chains to identify and address any potential security shortcomings.
On Saturday, Dutch newspaper De Volkskrant reported that it had obtained a copy of a confidential report commissioned by KPN in 2010 from consultancy Capgemini that was designed to evaluate the risk posed by using equipment manufactured by Huawei, as well as Huawei employees’ behavior.
The report found that due to Huawei’s ability to access KPN’s mobile core network for maintenance purposes – including from China – it would be possible for the Chinese state to eavesdrop, without leaving a trace, on anyone using KPN’s network, De Volkskrant reports. At the time, users of KPN’s network included Prime Minister Jan Peter Balkenende and other high-level government ministers, as well as numerous Chinese dissidents living in the Netherlands.
KPN reportedly commissioned Capgemini to study the problem after receiving warnings from the Dutch General Intelligence and Security Service, known as the AIVD, about the information security risks posed by using Huawei, given ongoing Chinese espionage campaigns targeting the Netherlands, Germany and their allies.
KPN Says It Acted on Report
KPN, in a statement issued Saturday in response to De Volkskrant’s reporting, notes that it commissioned the Capgemini report to improve its risk posture and used the findings to fashion “a remediation and improvement plan” that it implemented immediately in 2010.
“The purpose of the analysis was specifically to survey the risks and address these internally so as to improve the security and integrity of KPN’s systems and to facilitate diligent decision-making,” KPN says.
“Not a single KPN supplier has ‘unauthorized, uncontrolled and unlimited’ access to the networks and systems or is in a position to listen in to the conversations of KPN customers or to view ‘tapped’ information,” KPN says. “We have never detected customer data being stolen from our network or systems or ‘eavesdropping’ taking place by Huawei. If we would have, we would certainly have informed the competent authorities and our customers and have taken appropriate action towards the supplier.”
One risk identified by the Capgemini study, however, was that KPN might not have been able to detect such eavesdropping because the software used by Huawei was written in Chinese and also because the company seemed hesitant to fully describe its practices to KPN.
Identified Problem: Weak Encryption
Another problem identified by Capgemini involved the tapping of telephone lines to comply with “lawful intercept” court orders. The consultancy warned that Huawei’s equipment used very weak encryption and also handled key management itself. As a result, it would have been easy for Huawei to decrypt the lawful intercept database to identify which phone numbers were being tapped, Capgemini reportedly found.
In a statement, Huawei says that its ability to access KPN’s network and mobile traffic was never abused. “Huawei employees have not had unauthorized access to KPN’s network and data, nor have they extracted data from that network. Huawei has at all times worked under the explicit authorization of KPN,” the Chinese technology vendor says. “This applied to both employees of Huawei and the Huawei employees hired by KPN to support its activities.”
Huawei also notes that KPN’s environment includes numerous security controls not described in the news report. “The allegation that the prime minister could be overheard by us is completely untrue and an underestimation of the security of the interception environment,” says Gert-Jan van Eck, COO of Huawei Netherlands. “It just isn’t possible.”
Is it right to judge KPN on supply chain management realities that it faced 11 years ago? As KPN says, “We keep note of the evolving views with regard to protecting vital infrastructure, which are different nowadays from what they used to be in the past.”
In the intervening years, KPN says that as part of a “continuing process,” it has made numerous changes to how it does business to manage these types of risks. For example, for its 5G rollout, the company has tapped Huawei’s Swedish competitor Ericsson to provide equipment.
KPN says that in 2010, it commissioned the Capgemini report to evaluate the risk of outsourcing maintenance of its core mobile network and concluded that it would not take that step. “KPN still performs that maintenance today itself, supported by experts from a variety of parties,” it says. Multiple news outlets report that only Western providers are now used for such maintenance.
The ‘Huawei Question’
Much of the so-called “Huawei question” has revolved around whether networking gear manufactured by China’s Huawei or ZTE can be trusted, or if it might have built-in backdoors for allowing access by Chinese spies. The question has centered not on evidence of whether this has happened, but on the risk that it might.
Capgemini’s warning that Huawei’s gear was not engineered with sufficient security controls is also a reminder, however, that whether or not Huawei – or any other supplier, Chinese or otherwise – had the capability to eavesdrop on communications, flaws in its equipment meant that others could potentially have hacked into those systems for eavesdropping purposes.
In March 2019, the U.K. National Cyber Security Center’s Huawei testing lab warned that Huawei’s “software engineering and cybersecurity processes” continued to be beset by unresolved “defects” and that improvements promised by the manufacturer had yet to be seen. Defects mean software bugs, and such vulnerabilities equate to flaws that any attacker could potentially exploit to gain remote access.
Huawei: Banned in Few Countries
When that NCSC report was issued, the U.K. government believed that the risk of using Huawei equipment as part of the country’s 5G rollout was manageable because it was continuing to use Huawei gear for its 3G and 4G networks.
After furious lobbying by the U.S., however, in July 2020, U.K. Prime Minister Boris Johnson made a U-turn, ordering that Huawei equipment not be used by U.K. telecommunications firms in their core mobile networks and that its use for noncritical functions be restricted. Since then, the government has said that all Huawei gear must be expunged from the country’s mobile networks by 2027.
Beyond the U.K., few other countries in Europe have announced outright bans on Huawei. As the now-leaked 2010 KPN report suggests, at least some telecommunications providers have been attempting to manage their supply chain security risks, even as the perceived risk posed by some countries’ manufacturers continues to evolve (see: Britain’s 5G Policy Failure: No Ideal Alternative to Huawei).
As the SolarWinds supply chain attack, the recent on-premises Microsoft Exchange server attacks and the zero-day attacks against Accellion’s File Transfer Appliance have demonstrated, potential supply chain risks need to be managed – and that must involve much more than just taking action based on the flag flown by a product’s manufacturer. All firms – mobile network providers or otherwise – need to keep a close eye on their supply chains and then decide, in consultation with appropriate outside experts, which risks are acceptable.