Incident: Huawei Eavesdropping Scandal on KPN Mobile Network in Netherlands

Published Date: 2021-04-19

Postmortem Analysis
Timeline 1. The software failure incident where Huawei was able to eavesdrop on conversations on one of the biggest mobile networks in the Netherlands happened in 2010 [113374].
System The software failure incident reported in the article involves a failure in the security system of the mobile network operated by KPN in the Netherlands due to potential unauthorized access and eavesdropping by Huawei staff. The systems that failed in this incident include: 1. Security system of KPN's mobile network in the Netherlands [113374] 2. Huawei's monitoring and access control systems [113374]
Responsible Organization 1. Huawei (Chinese communications giant) [Article 113374]
Impacted Organization 1. KPN's mobile network users, including former Prime Minister Jan Peter Balkenende, government ministers, and Chinese dissidents [113374] 2. KPN as a company, facing risks to its continued existence and potential loss of trust from government and businesses [113374] 3. Dutch government, leading to the exclusion of Huawei from developing a new 5G network in the country [113374]
Software Causes 1. Unauthorized access and monitoring capabilities in Huawei's equipment leading to eavesdropping on conversations on KPN's mobile network in the Netherlands [113374].
Non-software Causes The non-software causes of the failure incident reported in Article 113374 were: 1. Lack of proper vetting and oversight in the selection and monitoring of equipment suppliers like Huawei for critical infrastructure projects, leading to potential security risks and vulnerabilities in the network [113374]. 2. Concerns over national security and espionage activities by countries like China and Russia, prompting the Dutch government to exclude Huawei from participating in the development of the new 5G network [113374]. 3. Pressure from the U.S. government and warnings by the Dutch intelligence agency about the dangers of Chinese espionage influencing the decision to exclude Huawei from the 5G network development [113374].
Impacts 1. The software failure incident involving Huawei being able to eavesdrop on conversations on one of the biggest mobile networks in the Netherlands had severe implications for KPN, the Dutch telecoms company. The incident raised concerns about the security and privacy of KPN's 6.5 million subscribers, including government officials and Chinese dissidents [113374]. 2. The incident led to calls from Dutch MPs for the government to respond to the report about Huawei's role in the KPN mobile network, indicating a potential loss of trust in KPN and the risk of licenses being revoked [113374]. 3. As a consequence of the incident, the Dutch government decided to exclude Huawei from having a role in developing the new 5G network in the country, opting for Ericsson to build its core 5G mobile networks instead [113374]. 4. The software failure incident also had international implications, with a number of Western countries, including the UK, expressing national security concerns over Huawei's involvement in building 5G networks. The UK initially granted Huawei a role in building its 5G network but later banned the company over national security concerns, leading to a significant shift in policy [113374].
Preventions 1. Implementing strict security protocols and regular security audits to detect any unauthorized access to the network [113374]. 2. Conducting thorough background checks on persons with access to the network to prevent potential security breaches [113374]. 3. Choosing equipment suppliers with a proven track record of security and reliability to minimize the risk of unauthorized access [113374]. 4. Enforcing stronger vetting processes for telecom equipment suppliers to ensure they do not pose a threat to national security [113374]. 5. Proactively responding to intelligence agency warnings about potential risks associated with certain suppliers to prevent security incidents [113374].
Fixes 1. Implement strict vetting and background checks for all personnel with access to the network to prevent unauthorized access and monitoring [113374]. 2. Consider banning or excluding high-risk suppliers like Huawei from critical network infrastructure projects to mitigate potential security risks [113374]. 3. Enhance cybersecurity measures and protocols to prevent unauthorized access and eavesdropping on user communications [113374]. 4. Conduct thorough risk assessments and security audits regularly to identify and address any vulnerabilities in the network infrastructure [113374].
References 1. Dutch newspaper de Volkskrant 2. Consultancy firm Capgemini 3. KPN (Dutch telecoms company) 4. Huawei Netherlands 5. Dutch intelligence agency AIVD 6. Dutch government task force 7. UK Government 8. Chinese ambassador to the UK, Liu Xiaoming

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident related to Huawei eavesdropping on conversations on the mobile network in the Netherlands is specific to Huawei. There is no mention in the articles of a similar incident happening again within the same organization. (b) The articles mention that concerns about Huawei's involvement in telecommunications networks have been raised by multiple countries. For example, the UK initially granted Huawei a role in building its 5G network but later banned the company over national security concerns [113374]. Additionally, the Dutch government excluded Huawei from having a role in developing a new 5G network in the country based on advice from the Dutch intelligence agency [113374]. This indicates that similar concerns about Huawei's involvement in telecommunications networks have been raised by multiple organizations and countries.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the case of Huawei being able to eavesdrop on conversations on one of the biggest mobile networks in the Netherlands. This incident was attributed to Huawei potentially accessing users' calls without the knowledge of the Dutch telecoms company KPN. The incident highlighted a significant security flaw in the design or implementation of the network system, allowing unauthorized access to sensitive information [113374]. (b) The software failure incident related to the operation phase can be observed in the potential eavesdropping on KPN's mobile users by Huawei staff, both within KPN buildings and abroad in China. This indicates a failure in the operation or misuse of the system, where individuals within the organization or external parties may have exploited vulnerabilities to access and monitor user data without proper authorization [113374].
Boundary (Internal/External) within_system (a) within_system: The software failure incident reported in the articles is primarily within the system. The incident involved Huawei allegedly being able to eavesdrop on conversations taking place on one of the biggest mobile networks in the Netherlands, KPN. The failure was attributed to Huawei's staff having the ability to monitor all of KPN's mobile users and eavesdrop on their private conversations, indicating a breach within the system itself [113374]. (b) outside_system: There is no clear indication in the articles that the software failure incident was primarily due to contributing factors originating from outside the system. The focus of the incident was on Huawei's internal access and monitoring capabilities within KPN's mobile network, rather than external factors causing the failure.
Nature (Human/Non-human) human_actions (a) The software failure incident occurring due to non-human actions: The incident reported in the articles does not involve a software failure caused by non-human actions. It primarily revolves around concerns related to Huawei's potential ability to eavesdrop on conversations on a major mobile network in the Netherlands, raising national security and privacy issues. The focus is on the capabilities of Huawei's equipment and potential unauthorized access rather than a software failure caused by non-human actions [113374]. (b) The software failure incident occurring due to human actions: The incident reported in the articles is more related to potential human actions leading to security risks rather than a software failure caused by human actions. The concerns raised involve the possibility of Huawei staff monitoring conversations on a major mobile network, indicating potential human involvement in breaching security and privacy protocols. However, this does not directly point to a software failure caused by human actions but rather unauthorized access and monitoring activities [113374].
Dimension (Hardware/Software) hardware (a) The software failure incident related to hardware: - The incident involving Huawei being able to eavesdrop on conversations on the KPN mobile network in the Netherlands was primarily a hardware-related issue. Huawei, as a supplier of equipment for KPN's mobile networks, had the ability to access mobile numbers and eavesdrop on calls due to hardware components or systems they provided [113374]. (b) The software failure incident related to software: - The software failure incident involving Huawei's ability to eavesdrop on conversations on the KPN mobile network in the Netherlands was not directly attributed to software issues. The incident was more focused on the hardware aspect, where Huawei's equipment allowed for unauthorized access to mobile numbers and calls [113374].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in the articles is malicious in nature. The incident involved Huawei allegedly being able to eavesdrop on any conversation taking place on one of the biggest mobile networks in the Netherlands, including monitoring calls of government officials, Chinese dissidents, and other users without authorization [113374]. This indicates a deliberate attempt to access and monitor private conversations, suggesting malicious intent behind the software failure incident.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions The intent of the software failure incident related to the Huawei eavesdropping incident in the Netherlands can be categorized as a combination of poor_decisions and accidental_decisions. 1. Poor Decisions: The incident involved poor decisions related to the competitive telecommunications market in 2010, where security was not considered as important. Huawei was able to gain access to KPN's mobile network due to the competitive pricing and lack of emphasis on security at that time [113374]. 2. Accidental Decisions: There were accidental decisions or unintended consequences involved in the incident, as KPN confirmed that Huawei had not to its knowledge improperly monitored any of its mobile users or stolen customer data. Additionally, the Capgemini report did not establish whether Huawei had actually monitored any users or taken data [113374].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The software failure incident related to development incompetence is evident in the case of Huawei being able to eavesdrop on conversations on one of the biggest mobile networks in the Netherlands. The incident was attributed to Huawei's staff having the ability to monitor all of KPN's mobile users and eavesdrop on their private conversations without KPN's knowledge [113374]. This failure highlights a significant lack of oversight and control over the software systems and access permissions within the network, indicating a failure in professional competence by Huawei in ensuring the security and privacy of the mobile network users. (b) The accidental aspect of the software failure incident is not explicitly mentioned in the articles.
Duration permanent The software failure incident reported in the articles is more aligned with a permanent failure. This is evident from the fact that Huawei was reportedly able to eavesdrop on any conversation taking place on one of the biggest mobile networks in the Netherlands for an extended period of time, specifically in 2010 [113374]. The incident was not a one-time occurrence but rather a continuous capability that Huawei had allegedly possessed, indicating a permanent failure in terms of the breach of privacy and security on the network.
Behaviour other (a) crash: The incident reported in the article does not involve a system crash where the system loses state and stops performing its intended functions. (b) omission: The software failure incident does not involve the system omitting to perform its intended functions at an instance(s). (c) timing: The software failure incident does not involve the system performing its intended functions correctly but too late or too early. (d) value: The software failure incident does not involve the system performing its intended functions incorrectly. (e) byzantine: The behavior of the software failure incident does not align with a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: The software failure incident involves a serious security breach where Chinese communications giant Huawei was reportedly able to eavesdrop on any conversation taking place on one of the biggest mobile networks in the Netherlands. This behavior falls under the category of a severe security breach rather than the specific failure modes listed in options (a) to (e) [113374].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (a) unknown (b) unknown (c) unknown (d) unknown (e) unknown (f) unknown (g) unknown (h) Theoretical consequences of the software failure were discussed in the articles. The report prepared by consultancy firm Capgemini for KPN flagged that Huawei could have been accessing users' calls in 2010 without KPN knowing, potentially leading to serious consequences such as the revocation of licenses or loss of trust in KPN if it was known that the Chinese government could eavesdrop on KPN mobile numbers and shut down the network [113374]. (i) unknown
Domain other (a) The failed system in the incident was related to the telecommunications industry, specifically the mobile network sector in the Netherlands. The incident involved Chinese communications giant Huawei being able to eavesdrop on conversations taking place on one of the biggest mobile networks in the Netherlands, operated by KPN [Article 113374].

Sources

Back to List