Blog Post

Why nobody really wants to get to the bottom of China, ZTE and Huawei

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Update: The report has been published, and is located here.

Chinese telecom gear makers Huwaei and ZTE are about to get blacklisted by the U.S. Congress in a report to be published Monday. Reuters reports that the U.S. House of Representatives’ Permanent Select Committee on Intelligence will recommend U.S. companies don’t use wares from the two companies over fears that their gear constitutes a security threat.

Sunday night the Intelligence Committee’s chairman, Mike Rogers, told 60 Minutes that Americans should “find another vendor” if they care about their own IP, their privacy and U.S. national security, which means that not only could telecommunications companies and data center gear buyers find themselves sans Huawei and ZTE gear, but also those interested in cheap handsets. Huawei has launched handsets in the U.S. market with rural and pre-paid carriers.

A Huawei handset for T-Mobile.

The report allegedly implies that Huawei and ZTE install backdoors and other mechanisms that allow them to spy on the packets traversing networks containing their gear. The reports also implies that these companies’ close ties to the Chinese government mean that they would share information gleaned from their snooping with the Chinese government. Thus, buying gear from these companies is akin to letting the Chinese spy on your network traffic. This same logic was used a few years back to stop Huawei from buying 3Com, U.S. networking company later bought by HP(s hpq).

Huawei’s Bill Plummer emailed me the following in response to the alleged contents of the Congressional report:

Huawei is a globally trusted and respected company doing business in 150 markets with over 500 operator customers – the quality and security of our product is world proven. This investigation and report are nothing more than a politics exercise that has ignored technical, commercial and cultural realities – it achieves nothing in terms of securing networks in a world in which every major vender develops, codes and builds globally, including in China. Huawei looks forward to leaving this political distraction behind us so that we can work with rational industry and government stakeholders to develop real solutions to what are real and industry-wide cyber challenges.

Not exactly 50 shades of grey, but enough to confuse things.

This is a tough issue. Both Huawei and ZTE deny having close ties to the Chinese government and that they install such software on their gear. Yet, the Chinese government has supported both companies in their history and has a history of spying on U.S. companies. For example, Google (s goog) came out in 2010, and said it had detected Chinese hacking on its network. Earlier this year Nortel, a former telecommunications gear vendor, disclosed that hackers originating from China had broken into its network.

So both Huawei and ZTE have benefited from Chinese governments (in the form of economic development loans at least), and the Chinese government is widely believed to have been a dedicated hacker. But are Huawei and ZTE guilty by association? There is also a strong hint of economic protectionism here as well. Both companies are a solid threat to Cisco (s csco) and Juniper (s jnrp), two U.S. companies that stand to lose if their products are undercut by low-cost Chinese switches and routers. Cisco’s CEO John Chambers is a very active Republican who is vocal on this issue.

Plus, both Cisco and Juniper (as well as many U.S. companies) frequently make some of their hardware and even write some of their code in China and other places that the U.S. might consider a threat. Domestic companies point out that they don’t let engineers writing code overseas have full access to the source code, and that the foreign-produced code is reviewed, but there is an element of hypocrisy here.

Disclosure is the solution, but no one wants that

It’s cheaper to build things in China, be it software or hardware. Plus, executives at U.S. companies tell me that they never buy used networking gear from any vendor because it can have unexplained Chinese software on it. The Chinese don’t necessarily need a company in its pocket to install networking spyware, when it can sell gear on eBay to unsuspecting corporate buyers.

A source in the networking industry tells me that the solution here may be to demand a full source code review from Huawei to prove that Huawei is spying and sending what it discovers back to the Chinese. However, this person also notes that Huawei would be well within its rights to point out that the U.S. guys should do the same with code that they have written in China.

The problem standing in the way of the truth here is twofold. Problem one is that evaluating networking technology and espionage through hacking is a highly specialized and esoteric skillset, and problem two is that China’s opacity and ties to hackers, as well as the lack of transparency by both companies, make it difficult for the average person to believe ZTE and Huawei’s denials over the government’s influence and involvement in their corporate activities. So, if the U.S. House says don’t buy Huawei and ZTE gear, that will hurt those companies in this market — one where Huawei employs 1,700 people (it has 140,000 worldwide) and hopes to list on the public stock market.

Perhaps more will be revealed later today after the full version of the report is released (a classified version with more information was also prepared). The bottom line here is that when it comes to hacking allegations, China and national security, there’s a lot of self-interest and accusations based on some esoteric and difficult-to-prove allegations that can color the results of this report. However, the conclusions will undoubtedly cause economic harm to Huawei and ZTE in the U.S.

14 Responses to “Why nobody really wants to get to the bottom of China, ZTE and Huawei”

  1. Perhaps we here in Denmark should require the same kind of reviews of Cisco, Juniper equipment. And services from US software companies.

    But oh no, wait. No need to review. The Patriot Act makes it mandatory for US companies to give US government whatever they need.

    Seen from any non-US, e.g. Danish perspective, isn’t the US just as bad as it is blaming China of being?

  2. It smacks of protectionism more than security. One suspects a similar report could be written regarding NSA, DOD, and DARPA links to American companies. The UK response mentioned by Rupert Baines seems the most reasonable but, given the US political climate, I feel we’ll see more accusations and fewer facts.

  3. The Commons

    “Yet, the Chinese government has supported both companies in their history and has a history of spying on U.S. companies.”

    And if that weren’t enough, Huawei was founded by a senior PLA officer, and some of the major shareholders and directors of ZTE are also members of the Central Committee.

    • How different is this from the US? We have lawmakers largely sympathetic to wallstreet. They fund our campaigns, they lobby issues in congress. What interest do you think they represent?


      So how would they approach an issue that involved a foreign company that is fast growing and encroaching the economy?


  4. Rupert Baines

    There were two recent pieces in the ECONOMIST on this subject — well worth reading.

    Chinese multinationals: Who’s afraid of Huawei? | The Economist

    Huawei: The company that spooked the world | The Economist

    They made a number of good points but three are worth repeating:

    First, that other governments have same (legitimate) worries but have taken different paths to stop it.

    They report how the UK has done it: GCHQ (the equivalent of NSA) has had full access to Huawei internals, source, and audits things – before saying that they were comfortable with the security.

    Not quite “sunlight is the best disinfectant but perhaps a more pragmatic approach than a room of lawyers & politicians…?

    This is what you suggest above: according to The Economist, Huawei offered this but the US declined?

    Secondly, this Committee’s approach to security architecture is flawed (and perhaps complacent). “Trust No-one”.

    As you say above, there are many vulnerabilities. Other products are written in China, or may have holes (deliberate or otherwise), or external attacks. Relying on “our vendors are perfect” is dangerous: networks should be designed assuming there will be vulnerabilities – but it won’t matter.

    Third, The Economist points out that while Huawei could do more to be open and improve trust, but that there is a lot of mistrust in both directions.

    As such, I suspect this report has more to do with protectionism than sensible steps. “Techno-nationalism is not the answer”

  5. El Barto

    Unfortunately, the Chinese have proven decade after decade that they only get ahead by cheating, and copying our technology…and god forbid we ask them to pay for it…I said ban all their wares from the states…