
Summary:

The U.S. Congress is set to release a report that tells U.S. firms not to buy gear from Chinese telecoms vendors Huawei and ZTE. But is the report a real assessment of a threat or just economic protectionism? Here’s how we might be able to tell.


Update: The report has been published, and is located here.

Chinese telecom gear makers Huwaei and ZTE are about to get blacklisted by the U.S. Congress in a report to be published Monday. Reuters reports that the U.S. House of Representatives’ Permanent Select Committee on Intelligence will recommend U.S. companies don’t use wares from the two companies over fears that their gear constitutes a security threat.

Sunday night the Intelligence Committee’s chairman, Mike Rogers, told 60 Minutes that Americans should “find another vendor” if they care about their own IP, their privacy and U.S. national security, which means that not only could telecommunications companies and data center gear buyers find themselves sans Huawei and ZTE gear, but also those interested in cheap handsets. Huawei has launched handsets in the U.S. market with rural and pre-paid carriers.

A Huawei handset for T-Mobile.

The report allegedly implies that Huawei and ZTE install backdoors and other mechanisms that allow them to spy on the packets traversing networks containing their gear. The report also implies that these companies’ close ties to the Chinese government mean that they would share information gleaned from their snooping with the Chinese government. Thus, buying gear from these companies is akin to letting the Chinese spy on your network traffic. This same logic was used a few years back to stop Huawei from buying 3Com, a U.S. networking company later bought by HP.

Huawei’s Bill Plummer emailed me the following in response to the alleged contents of the Congressional report:

Huawei is a globally trusted and respected company doing business in 150 markets with over 500 operator customers – the quality and security of our product is world proven. This investigation and report are nothing more than a politics exercise that has ignored technical, commercial and cultural realities – it achieves nothing in terms of securing networks in a world in which every major vendor develops, codes and builds globally, including in China. Huawei looks forward to leaving this political distraction behind us so that we can work with rational industry and government stakeholders to develop real solutions to what are real and industry-wide cyber challenges.

Not exactly 50 shades of grey, but enough to confuse things.

This is a tough issue. Both Huawei and ZTE deny that they have close ties to the Chinese government and that they install such software on their gear. Yet the Chinese government has supported both companies in their history and has a history of spying on U.S. companies. For example, Google came out in 2010 and said it had detected Chinese hacking on its network. Earlier this year Nortel, a former telecommunications gear vendor, disclosed that hackers originating from China had broken into its network.

So both Huawei and ZTE have benefited from the Chinese government (in the form of economic development loans at least), and the Chinese government is widely believed to have been a dedicated hacker. But are Huawei and ZTE guilty by association? There is also a strong hint of economic protectionism here. Both companies are a solid threat to Cisco and Juniper, two U.S. companies that stand to lose if their products are undercut by low-cost Chinese switches and routers. Cisco’s CEO John Chambers is a very active Republican who is vocal on this issue.

Plus, both Cisco and Juniper (as well as many U.S. companies) frequently make some of their hardware and even write some of their code in China and other places that the U.S. might consider a threat. Domestic companies point out that they don’t let engineers writing code overseas have full access to the source code, and that the foreign-produced code is reviewed, but there is an element of hypocrisy here.

Disclosure is the solution, but no one wants that

It’s cheaper to build things in China, be it software or hardware. Plus, executives at U.S. companies tell me that they never buy used networking gear from any vendor because it can have unexplained Chinese software on it. China doesn’t necessarily need a company in its pocket to install networking spyware when it can sell gear on eBay to unsuspecting corporate buyers.

A source in the networking industry tells me that the solution here may be to demand a full source code review from Huawei to prove that Huawei is spying and sending what it discovers back to the Chinese. However, this person also notes that Huawei would be well within its rights to point out that the U.S. guys should do the same with code that they have written in China.

The problem standing in the way of the truth here is twofold. Problem one is that evaluating networking technology and espionage through hacking is a highly specialized and esoteric skillset, and problem two is that China’s opacity and ties to hackers, as well as the lack of transparency by both companies, make it difficult for the average person to believe ZTE and Huawei’s denials over the government’s influence and involvement in their corporate activities. So, if the U.S. House says don’t buy Huawei and ZTE gear, that will hurt those companies in this market — one where Huawei employs 1,700 people (it has 140,000 worldwide) and hopes to list on the public stock market.

Perhaps more will be revealed later today after the full version of the report is released (a classified version with more information was also prepared). The bottom line here is that when it comes to hacking allegations, China and national security, there’s a lot of self-interest and accusations based on some esoteric and difficult-to-prove allegations that can color the results of this report. However, the conclusions will undoubtedly cause economic harm to Huawei and ZTE in the U.S.

  1. Unfortunately, the Chinese have proven decade after decade that they only get ahead by cheating, and copying our technology…and god forbid we ask them to pay for it…I said ban all their wares from the states…

    1. So I guess the Chinese should follow the Western route of colonizing and enslaving the indigenous people. Then after decades of prosperity, it can judge others for following the same route.

    2. Where’s your proof that the Chinese cheat…also I didn’t know copying was a crime.

    3. El Bart:

      so where’s your evidence that the Chinese cheat?

      Also, I didn’t know copying was a crime.

  2. Rupert Baines Monday, October 8, 2012

    There were two recent pieces in the ECONOMIST on this subject — well worth reading.

    Chinese multinationals: Who’s afraid of Huawei? | The Economist
    http://www.economist.com/node/21559922

    Huawei: The company that spooked the world | The Economist
    http://www.economist.com/node/21559929

    They made a number of good points but three are worth repeating:

    First, that other governments have the same (legitimate) worries but have taken different paths to stop it.

    They report how the UK has done it: GCHQ (the equivalent of NSA) has had full access to Huawei internals, source, and audits things – before saying that they were comfortable with the security.

    Not quite “sunlight is the best disinfectant” but perhaps a more pragmatic approach than a room of lawyers & politicians…?

    This is what you suggest above: according to The Economist, Huawei offered this but the US declined?

    Secondly, this Committee’s approach to security architecture is flawed (and perhaps complacent). “Trust No-one”.

    As you say above, there are many vulnerabilities. Other products are written in China, or may have holes (deliberate or otherwise), or external attacks. Relying on “our vendors are perfect” is dangerous: networks should be designed assuming there will be vulnerabilities – but it won’t matter.

    Third, The Economist points out that while Huawei could do more to be open and improve trust, there is a lot of mistrust in both directions.

    As such, I suspect this report has more to do with protectionism than sensible steps. “Techno-nationalism is not the answer”

    1. Agreed

  3. Over the years I have heard similar things:
    Sun Microsystems, duplication of network packets in HW layer on servers sold to overseas “research”
    Microsoft NSA encrypted backdoor

    There’s always the classic trusting trust from Ken, which the kids wanting to look at source code seem to have never heard of:
    http://cm.bell-labs.com/who/ken/trust.html

  4. “Yet, the Chinese government has supported both companies in their history and has a history of spying on U.S. companies.”

    And if that weren’t enough, Huawei was founded by a senior PLA officer, and some of the major shareholders and directors of ZTE are also members of the Central Committee.

    1. How different is this from the US? We have lawmakers largely sympathetic to Wall Street. They fund our campaigns, they lobby issues in Congress. What interest do you think they represent?

      Commercial!!

      So how would they approach an issue that involved a foreign company that is fast growing and encroaching the economy?

      That!

  5. It smacks of protectionism more than security. One suspects a similar report could be written regarding NSA, DOD, and DARPA links to American companies. The UK response mentioned by Rupert Baines seems the most reasonable but, given the US political climate, I feel we’ll see more accusations and fewer facts.

  6. Spelling of Huawei is wrong…Huwaei

  7. No Ravi, the spelling of Huawei is not wrong. That took me two web clicks.

    1. David, I assume Ravi meant the typo on the first line of the first paragraph.

  8. Perhaps we here in Denmark should require the same kind of reviews of Cisco, Juniper equipment. And services from US software companies.

    But oh no, wait. No need to review. The Patriot Act makes it mandatory for US companies to give US government whatever they need.

    Seen from any non-US, e.g. Danish perspective, isn’t the US just as bad as it is blaming China of being?

