10/15/2012
12:01 PM
Craig Mathias
Commentary

Should You Buy From Huawei?

Congress says U.S. companies should not purchase products from Chinese firms Huawei and ZTE, citing national security concerns. I say Congress is dealing more in fear than facts.

Warning: this column is really about politics. But isn't everything these days?

The U.S. House of Representatives Permanent Select Committee on Intelligence recently issued a positively scathing report on Chinese telecommunications equipment giants Huawei and ZTE that basically suggested, yeah, um, let's go with this: U.S. companies should not buy equipment from these two vendors. They cited, among other factors, a lack of transparency in the Committee's dealings with representatives of these two firms, and allegations of impropriety.

With no hard evidence presented, the U.S. government is using little more than suspicion and innuendo to accuse both Chinese firms of being fronts for the government of China and its military. The cellular base station as an instrument of foreign intelligence? This from a government that already claims the right to intercept any traffic it wants (presumably with a court order, of course)?

OK, I was a political-science major before I switched to technology, and I was active in politics, including elective office, for many years before getting on with other matters. I've held government security clearances and I strongly believe that the U.S. government and military should absolutely buy American. But I also believe in a global economy and that ultimately, world peace and prosperity depend upon global economic progress, yes, through global competition.

It would be one thing if the U.S. government had hard evidence with which to charge these offshore firms, but what we have here appears to be little more than thinly disguised protectionism, paranoia, and borderline psychosis from an institution that itself has no problem with running up $1 trillion in new debt every year, has approval ratings from its own constituents barely above zero, and lacks the technical and business skills to have even a clue what it's talking about.

Really, who's kidding whom here? Is this simply the groundwork for the Alcatel-Lucent and Ericsson Full-Employment Act? That's right; we don't make cellular base stations here anymore.

Now, I'm not saying that the companies in question haven't done anything wrong. But I, too, have no hard data one way or the other.

As you've no doubt heard, there's already a good deal of controversy surrounding Huawei. Perhaps you saw the "60 Minutes" piece on October 7. Essentially, criticism of the company revolves around two core claims: that Huawei steals intellectual property, and that the firm is a front for the Chinese army and/or government.

Again, I have no reliable data on either of these, but I do understand the concern. China is an emerging economic power, and throughout history, some emerging economic powers have sometimes engaged in activities that in retrospect were bad ideas--not the least of which were slavery and the wholesale slaughter of indigenous peoples, just for example. While the theft of IP and hidden motives are indeed serious concerns, we most certainly do not have anything unusual going on here. Misappropriation of IP occurs throughout our industry, from an inadvertent violation of patent rights to a programmer using a proprietary technique learned at a past job for a new employer--and we have mechanisms for redress in place.

But most importantly, keep in mind that Huawei is a $30+ billion firm, and it is simply beyond comprehension that such a company would risk everything--literally everything--and that the government of China would risk war--yes, war--by committing acts that are clearly overt threats to others, including customers, users, and/or foreign governments.

Let's suppose, just for example, that Huawei has logic deep in its custom chips that seeks out sensitive data and forwards it to secret locations. Could anyone honestly believe that this activity wouldn't eventually be detected? And the very least of the consequences of such shenanigans would likely be an immediate reprisal at the governmental level, effectively putting the company out of business. Think what would happen if Alcatel-Lucent, or Cisco, or Enterasys, or Ericsson, or any other company did something like this--such would not be recoverable. The management of Huawei certainly knows this, no matter what the Chinese government might desire or even demand.

Politics is one of the most important elements of human culture, and it should never be discounted or underestimated--indeed, consider how the current domestic election cycle is reshaping America itself. But politics translated into technology can't be kept secret or strategic for very long. For now, and until an offshore equipment supplier is unequivocally exposed as an agent of a foreign power, it deserves the benefit of the doubt, with the company's products and services evaluated on their technical, business, and financial merits alone.

Just my two cents, of course, but all of us--customers, users, and residents of this planet--are better off when we just stick to the facts. And dear members of Congress, you lack those at present.

Note: neither Huawei nor ZTE is a client of Farpoint Group.

Comments
vuil,
User Rank: Apprentice
10/20/2012 | 7:14:22 PM
re: Should You Buy From Huawei?
"Craig is an internationally recognized expert on wireless communications and mobile computing technologies."

But not, as far as I can see, an expert on the internals of large telecommunication routers and switches and the possibility of Huawei and ZTE containing potential spying code. Of course, if you have a political inclination (and coming from MA I'd wager he favors the left side of the aisle) it never stops you from expressing your opinion on such technical matters.

After all the objective is to slag the House of Representatives rather than truly caring for the US as a sovereign nation. Any sensible person would err on the side of caution. After all these Chinese companies are not struggling for business.

Us, lesser beings, step aside on technical matters outside our direct experience. Not Craig who often spouts forth at conferences on everything with the gusto, often of the ignorant.

Guess your lefty poli-sci prof would be proud of you, hey Craig.
moarsauce123,
User Rank: Apprentice
10/19/2012 | 5:53:26 AM
re: Should You Buy From Huawei?
I think the devices should be avoided because they are of questionable quality, running decades-old code that does not jibe with today's security standards. I think it is more a matter of cluelessness and carelessness than any malicious intent.
edarr432,
User Rank: Apprentice
10/18/2012 | 11:34:04 PM
re: Should You Buy From Huawei?
Craig you're trying very hard not to get it, but don't despair, Charlie doesn't get it either. The issue is security. While we might be able to find software hacks, we're not going to have the luxury of reverse engineering every piece of telecom hardware we buy from Chinese companies. There is a communist party committee in each of those companies. They can't refuse to do what that committee tells them. They play hardball.
dbartlett329,
User Rank: Apprentice
10/18/2012 | 5:11:39 PM
re: Should You Buy From Huawei?
Okay, all here understand the technology, but that is only the media. With China's (and others) past record of overt and covert behavior and their disdain for our people as a whole, why would we even consider continuing to allow suspect companies as these to operate inside our semi-secure architecture and play below our radar?
Craig Mathias,
User Rank: Apprentice
10/17/2012 | 5:37:17 PM
re: Should You Buy From Huawei?
OK, I knew this would be controversial, but, as usual, the commentary is straying from the real issues at hand. The most important of these is whether the US government should be recommending against buying the products of a given firm based on allegations and innuendo. Again, the facts are lacking here, and I consider what Congress did to be very dangerous indeed. As I said, absolutely, the US government should buy American. It's hard to do in the case of cellular infrastructure, but I'm very sensitive to the issues here regardless. And at no time here have I recommended buying from Huawei or anyone else. If you don't want to buy from Huawei or anyone else based on, as I wrote, technical, business, or financial (or, really, any other) reasons, don't. But I view the slope as created by Congress as slippery and dangerous, highly political, provocative, and even naive and hypocritical.

And the whole issue is bigger still - see my blog at http://www.networkworld.com/co... for more.
TSRL,
User Rank: Apprentice
10/17/2012 | 4:18:46 PM
re: Should You Buy From Huawei?
Craig,

If you are convinced that Huawei are completely on the up-and-up, why don't you buy their equipment for your telecom and networking needs? After all, it is cheaper and that's what the bottom line is all about.

Having spent a significant amount of time in China and having dealt with their telecom folks, I can tell you two things: life is cheap and all IP is the property of the government (including whatever IP they can "appropriate" from any other source). I will never deal with those folks again.
saburgan,
User Rank: Apprentice
10/17/2012 | 1:58:00 PM
re: Should You Buy From Huawei?
Craig, you silly guy. You have no clue.
ANON1255554460131,
User Rank: Apprentice
10/16/2012 | 11:25:33 PM
re: Should You Buy From Huawei?
I wonder what would happen if all countries in the world did the same. The Chinese government forbids all American-made software and hardware. India does the same, and so do all BRIC nations and every other country in the world. I wonder how that would affect the global economy?
CLAFOUNTAIN100,
User Rank: Apprentice
10/16/2012 | 10:29:41 PM
re: Should You Buy From Huawei?
My analysis, however, which looks at the core issue, is that the technology was originally developed by Chinese nationals, for the Chinese market. The trouble with highly educated Chinese hardware and software development teams likely is in finding qualified translators who can translate Chinese into English, and vice versa.

Likely the answers being furnished are through the marketing department who markets and sells the product for use. I have performed this work before, typically with companies in India.

My main guess is that the report was created without a proper translation with the proper teams at Huawei. Translating English specifications to English (between multiple groups) and prioritization of software functions requires a team itself!

Cisco definitely seems to have trouble with this; their head engineers left to head their R&D departments. It's great technology based on the white papers available online, and Cisco's cutbacks in R&D over the years are showing. Cisco acquired Scientific Atlanta, a set-top box manufacturer for cable. They were recently sued by TiVo for infringing of patents AGAIN in the past 6 months. There's an article at Reuters, where Cisco then counter-sued for TiVo not marketing and making TiVo's patents available. Basically, Cisco outsourced R&D to an existing product line manufactured by a competitor, then sued for the right to market it. Pretty interesting R&D strategy!

If Cisco has issue with this, they should be on the same Industry Standards Committees and Groups as Huawei so they have a product that is compatible, ready for sale, and competitively priced.
CLAFOUNTAIN100,
User Rank: Apprentice
10/16/2012 | 10:24:02 PM
re: Should You Buy From Huawei?
Great insight, and I appreciate it.

My estimation, however, is that the hooks in the firmware were originally placed to fill a requirement, likely for foreign law. Think Patriot Act requirements or similar. Likely without the required additional hardware, which it seems your company didn't purchase, the software still functioned.

My guess again is that the Chinese software development team didn't acquire a full spec document which specifically requested removal of this functionality. Everyone remembers VISTA. It was slow because the kernel processed too much information; similar with Windows 98.

This happens from time to time. Hopefully that hardware wouldn't need to be purchased in a few years when Patriot Act is sunsetted; not renewed.