Risk
10/15/2012
12:01 PM
Craig Mathias
Commentary

Should You Buy From Huawei?

Congress says U.S. companies should not purchase products from Chinese firms Huawei and ZTE, citing national security concerns. I say Congress is dealing more in fear than facts.

Warning: this column is really about politics. But isn't everything these days?

The U.S. House of Representatives Permanent Select Committee on Intelligence recently issued a positively scathing report on Chinese telecommunications equipment giants Huawei and ZTE that basically suggested, yeah, um, let's go with this: U.S. companies should not buy equipment from these two vendors. They cited, among other factors, a lack of transparency in the Committee's dealings with representatives of these two firms, and allegations of impropriety.

With no hard evidence presented, the U.S. government is using little more than suspicion and innuendo to accuse both Chinese firms of being fronts for the government of China and its military. The cellular base station as an instrument of foreign intelligence? This from a government that already claims the right to intercept any traffic it wants (presumably with a court order, of course)?

OK, I was a political-science major before I switched to technology, and I was active in politics, including elective office, for many years before getting on with other matters. I've held government security clearances and I strongly believe that the U.S. government and military should absolutely buy American. But I also believe in a global economy and that ultimately, world peace and prosperity depend upon global economic progress, yes, through global competition.


It would be one thing if the U.S. government had hard evidence with which to charge these offshore firms, but what we have here appears to be little more than thinly disguised protectionism, paranoia, and borderline psychosis from an institution that itself has no problem with running up $1 trillion in new debt every year, has approval ratings from its own constituents barely above zero, and lacks the technical and business skills to have even a clue what it's talking about.

Really, who's kidding whom here? Is this simply the groundwork for the Alcatel-Lucent and Ericsson Full-Employment Act? That's right; we don't make cellular base stations here anymore.

Now, I'm not saying that the companies in question haven't done anything wrong. But I, too, have no hard data one way or the other.

As you've no doubt heard, there's already a good deal of controversy surrounding Huawei. Perhaps you saw the "60 Minutes" piece on October 7. Essentially, criticism of the company revolves around two core claims: that Huawei steals intellectual property, and that the firm is a front for the Chinese army and/or government.

Again, I have no reliable data on either of these, but I do understand the concern. China is an emerging economic power, and throughout history, some emerging economic powers have sometimes engaged in activities that in retrospect were bad ideas--not the least of which were slavery and the wholesale slaughter of indigenous peoples, just for example. While the theft of IP and hidden motives are indeed serious concerns, we most certainly do not have anything unusual going on here. Misappropriation of IP occurs throughout our industry, from an inadvertent violation of patent rights to a programmer using a proprietary technique learned at a past job for a new employer--and we have mechanisms for redress in place.

But most importantly, keep in mind that Huawei is a $30+ billion firm, and it is simply beyond comprehension that such a company would risk everything--literally everything--and that the government of China would risk war--yes, war--by committing acts that are clearly overt threats to others, including customers, users, and/or foreign governments.

Let's suppose, just for example, that Huawei has logic deep in its custom chips that seeks out sensitive data and forwards it to secret locations. Could anyone honestly believe that this activity wouldn't eventually be detected? And the very least of the consequences of such shenanigans would likely be an immediate reprisal at the governmental level, effectively putting the company out of business. Think what would happen if Alcatel-Lucent, or Cisco, or Enterasys, or Ericsson, or any other company did something like this--such would not be recoverable. The management of Huawei certainly knows this, no matter what the Chinese government might desire or even demand.

Politics is one of the most important elements of human culture, and it should never be discounted or underestimated--indeed, consider how the current domestic election cycle is reshaping America itself. But politics translated into technology can't be kept secret or strategic for very long. For now, and until an offshore equipment supplier is unequivocally exposed as an agent of a foreign power, it deserves the benefit of the doubt, with the company's products and services evaluated on their technical, business, and financial merits alone.

Just my two cents, of course, but all of us--customers, users, and residents of this planet--are better off when we just stick to the facts. And dear members of Congress, you lack those at present.

Note: neither Huawei nor ZTE is a client of Farpoint Group.


Comments
tech_head
User Rank: Apprentice
10/16/2012 | 12:52:38 AM
re: Should You Buy From Huawei?
Let's see....
Huawei was found to infringe on Cisco's hardware/software down to bugs in the code and silkscreen.
The Chinese state has very little respect for others' intellectual property.
In 2010 the Chinese gov't rerouted a non trivial portion of the world's internet traffic so it could snoop. http://defensetech.org/2010/11...

Huawei was founded by an ex-Chinese military officer.
I wouldn't trust the U.S. infrastructure to an equipment builder that is headquartered in a country that is definitely not our friend.

Also do you think they would tell us that they are going to snoop?
Just say no.....
dbtinc
User Rank: Apprentice
10/16/2012 | 12:50:58 PM
re: Should You Buy From Huawei?
Where possible avoid Chinese manufacturing in general. Yes, low cost to consumers is a positive but soon we'll be lucky to have enough people employed in this country to buy the cheap crap made by these 'ho's ...
techpro
User Rank: Apprentice
10/16/2012 | 5:40:03 PM
re: Should You Buy From Huawei?
What's the problem? China is a shining example of human rights, modern civilized freedoms and original innovation.
radsit481
User Rank: Apprentice
10/16/2012 | 5:57:52 PM
re: Should You Buy From Huawei?
There goes your credibility Craig. I think tech_head said it all! What more do you need to know??!
Embedded SW Dev
User Rank: Apprentice
10/16/2012 | 6:21:00 PM
re: Should You Buy From Huawei?
If you remember the Greek Summer Olympics, there was a cell network break-in, where someone replaced some of the software on the switch, allowing unauthorized intercepts, particularly of national heads of state present in Greece for the Olympics. It was never determined who did this, but it had to be someone with access to the source code to the Ericsson equipment. Search for "greek cell phone caper" for more details. It's entirely possible that the US intelligence community did this, or some other one. However, it's much more likely that the Chinese government has access to the source code of Huawei and ZTE equipment, and knows the way to patch some wiretapping changes into the code. It's also possible that the US doesn't have access to the source, and can't make similar changes, and is unhappy for that reason. Even if the audio is encrypted, it's hard to hide the two parties and their location from the network. Either way, I don't see the position of the US government changing. But, the US government knows what can be done, and doesn't want it to be done. Count on any network with Huawei or ZTE equipment to never get a US government communications contract.
elleno
User Rank: Apprentice
10/16/2012 | 6:49:55 PM
re: Should You Buy From Huawei?
I worked in the telecommunication software field for over 30 years. The last 20 years as VP of software development for companies that made network management software for the large global telcos. Many tier 1 and 2 telcos around the world used the software my teams developed.

Since our software had to provision and activate all telco equipment we had to have intimate knowledge of equipment from all the large network manufacturers. Naturally Huawei was included on the list.

Aside from the fact that the early Huawei equipment actually threw Cisco error messages, modern Huawei equipment invariably had (my experience runs to 2010) mysterious entry traps and entry points that allowed external control of the equipment. These entry points required encrypted information and were not accessible except to Huawei personnel.

When we asked Huawei why this code was included in the firmware their answers were invariably unclear or non-existent. If they replied to our support requests the answer was usually vague implying the entry points were related to remote support. It was plain, however, that these obfuscated entry points in the firmware could be used for external control of the equipment.

Where national security is an issue I would not use Huawei equipment.

I wonder if Mr Mathias has ever really reverse engineered one of Huawei's devices? (I cannot speak for ZTE.) If so, he would not be so sanguine about Chinese made network equipment.

Full disclosure: I am not American. I have, however, extensive experience doing technology business in both China and India. I have set up development facilities (for software, not hardware) in these countries. On more than one occasion I have been offered money to assist with contracts by providing my companies support for Chinese products. The point being that Chinese businessmen are ruthless when it comes to business and their own national interest.

Re-reading Mathias' article I find his naivete almost heart stopping. Arguments such as 'they wouldn't dare do it since it could foment even a war' or a '$30 billion company would never dare to do that', are - let me repeat the word - breathtakingly naive in the extreme.

The standard joke in international business is how green Americans are at dealing with non-American based cultures. The joke is that some 'good' Americans, unsophisticated in the ways of the world project American values onto everyone and assume that all cultures really hold American values at heart and use America's values in business. And worse - assume these companies behave as American companies would.

Mr Mathias, based on his article, certainly seems to hold these assumptions. As the modern world is increasingly showing this is a very frightening and wrong view to take.

What a silly and dangerous article. Mr Mathias should know better. It would also be interesting to know whether the author has ever consulted to Huawei or ZTE.
cgates880
User Rank: Apprentice
10/16/2012 | 7:12:02 PM
re: Should You Buy From Huawei?
The author is either extremely naive or on the Chinese payroll as well. I've been in technology for over 20 years. The first half was in the Army. China is and will remain our largest threat as long as they remain under the current government. Everything, people and "private" companies included, are resources of the government.
Flyingdog5000
User Rank: Apprentice
10/16/2012 | 7:29:40 PM
re: Should You Buy From Huawei?
Mr. Mathias provides considerable food for thought to the discussion relating to recent news concerning Huawei. Ignoring the somewhat philosophical detour that briefly distracted him from his thesis, I am concerned by the seeming lack of awareness that he displays in his comments relating to China's government/military connections with large Chinese corporations. It is not news that, on the whole, Corporate China, the Party, and her Military are intertwined like a Gordian knot. Still, does the presence of smoke always mean fire?

Mr. Mathias says, "...keep in mind that Huawei is a $30+ billion firm, and it is simply beyond comprehension that such a company would risk everything--literally everything--and that the government of China would risk war--yes, war--by committing acts that are clearly overt threats to others".

Huawei is indeed a major global player in telecommunications and I might find his argument compelling, were it not clear that China has a long history of governmental (including through corporate proxies) espionage.

Now, it is certainly not news that every world power worthy of the name (and China is certainly one, or at least on the threshold) has spent liberally to acquire, by any means possible, intelligence relating to the capabilities and intentions of its rivals. This does not excuse a country when it gets caught with its hand in the cookie jar, and instead serves rather to warn others to be exceedingly wary. Furthermore, the thought that China would be risking a shooting war by playing such a spy-vs.-spy game is silly. Both China and the US have too much invested in mutual markets and global political stability to rattle sabers over what would be considered in diplomatic circles a minor dust up. Damage to Huawei could be more worrisome to its directors, but any potential long term damage is likely to be mitigated by its rapidly expanding internal markets.

The US is not the only nation with concerns. In 2009, India also barred Huawei from competing for contracts in regions near their sensitive border with Pakistan. Since then, Australia and some European countries have also barred, or limited Huawei's access to contracts. None of these countries was able to point to any specific evidence either. Still, with national security potentially on the line, isn't it better to be cautious?

Does Huawei engage in corporate skulduggery? There is no evidence that it does; what seems clear is that China encourages corporate espionage, and that malware and other cyber attacks emanating from China are routine. There is also ample evidence that Chinese corporations have engaged in espionage of the more standard variety, i.e. acquiring secrets from individuals who have information to sell. Again, only smoke. But Huawei doesn't seem interested in clearing the air.
JSmithy67
User Rank: Apprentice
10/16/2012 | 9:41:32 PM
re: Should You Buy From Huawei?
In the world of international espionage it's considered a good thing when your country has the ability to intercept communications and signals of other world players. It's bad when they can intercept yours. Just ask Iraq how devastating that little Stuxnet program was to their national ambitions. This is a perfect example of why you want your country and allies to be ahead in this game.

Nothing could be more strategic to the viability of national defense and a strong economy than a secure telecommunications infrastructure. This is too important to simply trust to a company who operates beyond the reach of federal oversight and enforcement. Unless the full transparent cooperation by Huawei is demonstrated in advance and safeguards to take control of all software and firmware are in place, the US Congress is right to err on the side of security. Every time.

These ARE the facts. And prudent people should be wary.
CLAFOUNTAIN100
User Rank: Apprentice
10/16/2012 | 10:15:53 PM
re: Should You Buy From Huawei?
My analysis however, which looks at the core issue, is that the technology was originally developed by Chinese Nationals, for Chinese market. The troubles with highly educated Chinese hardware and software development teams likely is in finding qualified translators who can translate Chinese into English, and vice versa.

Likely the answers being furnished are through the marketing department who markets and sells the product for use. I have performed this work before, typically with companies in India.

My main guess is that the report was created without a proper translation with the proper teams at Huawei. Translating English specifications to English (between multiple groups) and prioritization of software functions requires a team itself!

Cisco definitely seems to have trouble with this; their head engineers left to head their R&D departments. It's great technology based on the white papers available online, and Cisco's cutbacks in R&D over the years are showing. Cisco acquired Scientific Atlanta, a set-top box manufacturer for cable. They were recently sued by TiVo for infringing of patents AGAIN in the past 6 months.

http://www.reuters.com/article...

If Cisco has issue with retaining key employees, even after NDAs have been satisfied, then, they should be on the same Industry Standards Committees and Groups as Huawei so they have a product that is compatible, ready for sale, and competitively priced.
