Cybersecurity

Former feds take vital cyber skills to foreign companies


As a major Chinese telecommunications company suspected of espionage hires former U.S. government officials, critics are raising concerns about the adequacy of government post-employment restrictions, as well as the risk of national security threats.

Huawei, based in Shenzhen, China, has been methodically snapping up former senior federal officials, lobbyists and congressional staffers. Company officials say they are attempting to attract more U.S. business, partly by recruiting well-respected Westerners with government and security backgrounds.

The employment of more Americans at foreign firms can benefit the United States by fostering worldwide security standards and boosting stateside investments. But the unknown variable is to what degree Huawei, a multinational tech company founded by a former People’s Liberation Army member, acts on behalf of the Chinese military. A congressional investigation indicated the company might be inserting backdoors into products that can remotely siphon data or sabotage computers.

The firm, which is branching out worldwide, disputes claims that it is under control of an authoritarian government or tampers with clients’ technology. “Let me be clear: Huawei has not and will not jeopardize our global commercial success nor the integrity of our customers’ networks for any third party, government or otherwise—ever,” Charles Ding, Huawei corporate senior vice president, told a House committee in September. 

In July, Andy Purdy, the one-time head of the Homeland Security Department’s national cybersecurity division, became Huawei USA’s chief security officer. Purdy’s move to the company took former colleagues by surprise at his previous employer, federal contractor CSC, according to people familiar with the situation. 

Huawei has maintained a U.S. headquarters in Plano, Texas, for 11 years and has plans to hire Americans to fill 70 percent of its stateside jobs. 

During the past year, the company hired Doyce Boesch, a former Senate aide, and William Black, former chief of staff to Rep. Steny H. Hoyer, D-Md., as lobbyists. Huawei Global Chief Cybersecurity Officer John Suffolk previously worked for the U.K. government as the chief information officer and chief information security officer. A number of American attorneys, from organizations such as Arnold Porter LLP and the University of Virginia Law School, declined to comment because they or their practices have represented Huawei. 

The fear is less that U.S. personnel who had access to sensitive government information will intentionally divulge state secrets, and more that the line between Huawei’s business interests and China’s political interests is too direct. 

“Not that any of these people are of poor character at all,” says Chris Bronk, former diplomat with the State Department and now a cybersecurity research fellow at Rice University. One could look at Purdy’s move to Huawei as “taking his expertise to a foreign competitor, and that’s bad for the United States—or this is trust-building,” he says.

From Huawei’s perspective, a company spokesperson says, “It’s a global world. Global companies hire the best employees they can find. No global company has all of its people and all of its offices in one country. That’s what makes them global.” Purdy was unavailable for an interview. 

There is little precedent for dealing with Chinese employment after working in computer security for the federal government. Exit restrictions at DHS, the FBI and other cybersecurity-related agencies are largely prohibitions on doing business with one’s former department while employed by an overseas business. “In general, the FBI is not aware of any law, regulation or policy which would preclude an individual who has not been an FBI employee for more than a year, like any former U.S. government employee, from working for a private foreign-owned company,” bureau spokeswoman Kathleen Wright says.

Pentagon spokesman Lt. Col. Damien Pickart says, “The Department of Defense does not have an official policy dictating where employees and service members can work after they leave the department, including foreign firms.” When a Defense employee with a security clearance exits the department, the individual is bound by a nondisclosure agreement not to divulge sensitive, classified or Pentagon proprietary information. When a cleared FBI employee departs, that individual, too, must sign a nondisclosure agreement, FBI officials say. Homeland Security officials say personnel can seek ethics advice from department attorneys about these restrictions.  

But curbs on disclosing sensitive information after leaving government are hard to enforce, as evidenced by the anti-secrets website WikiLeaks and a new book by a former Navy SEAL who helped kill Osama bin Laden. 

“Unless he does it with the purpose and intent of harming the United States, there is in the United States very little restriction on what someone with classified information can do,” a former intelligence community official says. The U.S. government would have to prove the offender meant to jeopardize American security interests by exposing classified information, as in the military’s prosecution of Pfc. Bradley Manning for sharing intelligence with WikiLeaks. 

Some say blocking former feds from joining companies such as Huawei could jeopardize American manufacturing partnerships and Chinese investments in U.S. communities. American firms operate there, and the communist state manufactures equipment for U.S. networks.

But the professional risks could be great for former U.S. government employees who join Chinese firms. 

The DHS secretary or U.S. attorney general could dictate to feds that “if you choose to leave your cleared employment in the U.S. government for a Chinese company it may be difficult if not impossible to re-enter cleared employment in the United States again,” Bronk says. “That’s the kind of thing that needs to be a reminder: You are burning a bridge.”

The former intelligence official says it would be difficult to renew or obtain a U.S. security clearance after exiting a Chinese company. “They would question his dedication and commitment to the United States,” he says.

The situation with Huawei has no historical parallel, sources say.  “This isn’t like going to a Soviet-owned company. This isn’t the Cold War. At the very least eyebrows would be raised if he filed an application,” says a cyber industry executive who offers guidance to the U.S. government and spoke on the condition of anonymity. “We don’t have a mutual defense pact with China,” Bronk says. “So this is something to worry about.” On the flipside, he adds, “maybe this represents a way that Huawei can talk to us about these issues. We have to talk to China anyway, so maybe it’s better to have Americans there.” 

Still, Congress members are wary and maintain that Huawei likely must comply with any request from the Chinese government to manipulate the U.S. supply chain. The House Intelligence Committee also accuses Huawei of stealing rival tech companies’ trade secrets. 

“It’s very hard to differentiate a ‘good’ Chinese company from a ‘bad’ Chinese company,” the intelligence official says. “They almost always have some form of government partnership.” The immediate concern is that Huawei, the second largest manufacturer of telecommunications equipment in the world, intentionally may be selling insecure technology. 

William Plummer, Huawei vice president for external affairs, said in a statement that the privately held, employee-owned company does business in almost 150 countries, “deriving around 70 percent of its revenues from outside of our headquarters market of China. Huawei is Huawei. Huawei is not China.”

The company has offered to let U.S. officials dismantle its software to study the firm’s source code, but that doesn’t seem to have mollified anybody. A company can reveal its source code without showing everything and trapdoors can be difficult to discern, the intelligence official says.

The U.S. cyber executive says former feds may not know what awaits them when they sign up with Huawei, because of the Communist state’s influence on industry shifts. “Governments today regard cybersecurity as an instrument of state power,” the executive says. “That a government would look at cyberspace as an instrument in support of its national interests, that’s all fine, but the unknown for the U.S. hire is whether he has aligned himself with the company or with a foreign nation-state’s national interests and policies.”

Plummer says such suggestions are absurd and reflect a misunderstanding of the “globalized, interdependent information and communications technology industry writ large.”

For the past decade, Huawei has sold telecom equipment to the United States in regions like the Great Lakes, and procured $30 billion in goods and services from American companies during the past five years, according to the firm.

“Huawei could be as popular as Sony in five years,” Bronk says. “Like it or not, the Chinese companies are not just going to build the low end of our gadgets and they are building devices of increasing sophistication.” 
