China’s defense of Huawei? U.S. tech companies spy too

Zeus Kerravala, principal analyst with ZK Research. // Flickr user Alex Dunne

China could retaliate if the U.S. government excommunicates Chinese technology firm Huawei by reciprocating charges of cyberespionage and denying American tech companies market access, some industry analysts say.

The results of a nearly yearlong congressional probe into the second-largest telecommunications firm in the world suggest Huawei facilitates wiretaps for the Chinese government through the equipment it sells stateside. The House Intelligence Committee, which released the findings Monday, has since alerted U.S. companies doing business with Huawei and ZTE to use another vendor.

“I thought of this from the reverse side. What if the Chinese government had accused us of this?” questioned Zeus Kerravala, principal analyst with ZK Research. “Wouldn’t we be in an uproar?”

One could argue American firms have similar U.S. government ties. Post-Sept. 11 rules enforcing the 2001 USA Patriot Act and updating the 1994 Communications Assistance for Law Enforcement Act, or CALEA, require U.S. telecommunications carriers and manufacturers to build backdoors into networks allowing U.S. authorities to intercept messages.

“I do believe the Chinese could view [federal wiretap rules] as a clandestine way of U.S. officials spying on foreign citizens,” Kerravala said.

William Plummer, Huawei vice president of external affairs, has warned of reprisals from foreign governments in response to the House panel’s conclusions. Blocking Huawei from doing business in the United States would set a “monstrous, market-distorting, trade-distorting policy precedent that could be used in other markets against American companies,” he has said.

Alienating the Shenzhen, China-based firm and its homeland could backfire on U.S. companies that depend on Chinese parts, Kerravala said. “Cisco and other U.S. manufacturers buy components from China. What if the components had backdoors? You could take this to the nth degree and by default you’re saying, ‘Don’t take or buy anything from China,’ ” he said.

Kerravala added that barring Huawei also could hurt U.S. innovation, which has benefitted from increased foreign competition. “Has Huawei put price pressure on the market? Absolutely. But good companies adapt their sales models accordingly,” he said.

According to former personnel, however, Huawei cheats by disregarding the intellectual property rights of U.S. companies -- a claim that Huawei denies. The House report did not name the former Huawei employees.

The unclassified account accuses Huawei and ZTE, a smaller Chinese telecom company, of selling products that pose a national security threat but stops short of identifying specific technical vulnerabilities.

“Companies around the United States have experienced odd or alerting incidents using Huawei or ZTE equipment,” the report stated. “Opportunities to tamper with telecommunications components and systems are present throughout product development, and vertically integrated industry giants like Huawei and ZTE provide a wealth of opportunities for Chinese intelligence agencies to insert malicious hardware or software implants into critical telecommunications components and systems . . . China may seek cooperation from the leadership of a company like Huawei or ZTE for these reasons.”

Kerravala said, “The whole premise of that report is based on a lot of innuendo.”

Former U.S. intelligence officials said the concerns Congress aired may be above Huawei’s pay grade. It is widely believed that the Chinese government exercises financial and legal control over all China-based company decisions and public disclosures.

“In many ways, it’s not Huawei’s fault. It’s the Chinese government’s fault, which is why you’re not seeing the same thing with Sony-Ericsson,” a Japanese telecom company, said Dave Aitel, a former National Security Agency computer scientist and now chief executive officer of cybersecurity firm Immunity Inc. Huawei officials “have to answer to the Chinese communist party. They could not explain in the end who controls the company” to House investigators.

Other foreign countries may be more accepting of America’s trapdoors than China’s Trojan software, because U.S. organizations are not known for being “the world’s most active and persistent perpetrators of economic espionage,” as the Office of the Director of National Intelligence called Chinese actors in 2011.

The worry about Huawei is less about company officials “Trojaning their systems. It’s about whether Huawei can play by the rules,” Aitel said.

U.S. firms sometimes are able to quell foreign governments’ fears by, for instance, providing open source products that reveal their programs’ underlying code, said Aitel, whose company exposes its source code.

Huawei unsuccessfully offered U.S. officials independent inspections of its products to prove the Chinese government cannot activate features to trigger cyberwarfare. House lawmakers argued that such postproduction evaluations might not catch all malicious code. And technology can behave differently after it is deployed.

Upgrades, maintenance and service vendors “will affect the ongoing security of the network,” the report stated. “It is highly unlikely that a security evaluation partnership such as that proposed by Huawei or ZTE, independent of its competence and motives, will be able to identify all relevant flaws in products the size and complexity of core network infrastructure devices.”

Kerravala acknowledged that Huawei could improve its business dealings through better external corporate communications. “If ZTE and Huawei do want to be treated as a credible alternative in the United States, they need to provide the same level of access” to the media as American businesses, he said.

Huawei has recruited a number of well-connected former U.S. officials to help expand its stateside operations.

Huawei officials declined to comment for this story.
