Update: The report has been published, and is located here.
Chinese telecom gear makers Huwaei and ZTE are about to get blacklisted by the U.S. Congress in a report to be published Monday. Reuters reports that the U.S. House of Representatives’ Permanent Select Committee on Intelligence will recommend U.S. companies don’t use wares from the two companies over fears that their gear constitutes a security threat.
Sunday night the Intelligence Committee’s chairman, Mike Rogers, told 60 Minutes that Americans should “find another vendor” if they care about their own IP, their privacy and U.S. national security, which means that not only could telecommunications companies and data center gear buyers find themselves sans Huawei and ZTE gear, but also those interested in cheap handsets. Huawei has launched handsets in the U.S. market with rural and pre-paid carriers.
The report allegedly implies that Huawei and ZTE install backdoors and other mechanisms that allow them to spy on the packets traversing networks containing their gear. The reports also implies that these companies’ close ties to the Chinese government mean that they would share information gleaned from their snooping with the Chinese government. Thus, buying gear from these companies is akin to letting the Chinese spy on your network traffic. This same logic was used a few years back to stop Huawei from buying 3Com, U.S. networking company later bought by HP.
Huawei’s Bill Plummer emailed me the following in response to the alleged contents of the Congressional report:
Huawei is a globally trusted and respected company doing business in 150 markets with over 500 operator customers – the quality and security of our product is world proven. This investigation and report are nothing more than a politics exercise that has ignored technical, commercial and cultural realities – it achieves nothing in terms of securing networks in a world in which every major vender develops, codes and builds globally, including in China. Huawei looks forward to leaving this political distraction behind us so that we can work with rational industry and government stakeholders to develop real solutions to what are real and industry-wide cyber challenges.
Not exactly 50 shades of grey, but enough to confuse things.
This is a tough issue. Both Huawei and ZTE deny having close ties to the Chinese government and that they install such software on their gear. Yet, the Chinese government has supported both companies in their history and has a history of spying on U.S. companies. For example, Google came out in 2010, and said it had detected Chinese hacking on its network. Earlier this year Nortel, a former telecommunications gear vendor, disclosed that hackers originating from China had broken into its network.
So both Huawei and ZTE have benefited from Chinese governments (in the form of economic development loans at least), and the Chinese government is widely believed to have been a dedicated hacker. But are Huawei and ZTE guilty by association? There is also a strong hint of economic protectionism here as well. Both companies are a solid threat to Cisco and Juniper, two U.S. companies that stand to lose if their products are undercut by low-cost Chinese switches and routers. Cisco’s CEO John Chambers is a very active Republican who is vocal on this issue.
Plus, both Cisco and Juniper (as well as many U.S. companies) frequently make some of their hardware and even write some of their code in China and other places that the U.S. might consider a threat. Domestic companies point out that they don’t let engineers writing code overseas have full access to the source code, and that the foreign-produced code is reviewed, but there is an element of hypocrisy here.
Disclosure is the solution, but no one wants that
It’s cheaper to build things in China, be it software or hardware. Plus, executives at U.S. companies tell me that they never buy used networking gear from any vendor because it can have unexplained Chinese software on it. The Chinese don’t necessarily need a company in its pocket to install networking spyware, when it can sell gear on eBay to unsuspecting corporate buyers.
A source in the networking industry tells me that the solution here may be to demand a full source code review from Huawei to prove that Huawei is spying and sending what it discovers back to the Chinese. However, this person also notes that Huawei would be well within its rights to point out that the U.S. guys should do the same with code that they have written in China.
The problem standing in the way of the truth here is twofold. Problem one is that evaluating networking technology and espionage through hacking is a highly specialized and esoteric skillset, and problem two is that China’s opacity and ties to hackers, as well as the lack of transparency by both companies, make it difficult for the average person to believe ZTE and Huawei’s denials over the government’s influence and involvement in their corporate activities. So, if the U.S. House says don’t buy Huawei and ZTE gear, that will hurt those companies in this market — one where Huawei employs 1,700 people (it has 140,000 worldwide) and hopes to list on the public stock market.
Perhaps more will be revealed later today after the full version of the report is released (a classified version with more information was also prepared). The bottom line here is that when it comes to hacking allegations, China and national security, there’s a lot of self-interest and accusations based on some esoteric and difficult-to-prove allegations that can color the results of this report. However, the conclusions will undoubtedly cause economic harm to Huawei and ZTE in the U.S.