5/10/2013
10:47 AM

Huawei CEO Dismisses Security, Spying Concerns

Company founder denies that Huawei employees would ever be forced to spy for China.

The founder and CEO of Chinese networking equipment manufacturer Huawei, in his first-ever media interview, Thursday dismissed allegations that backdoors may have been built into the company's products to facilitate Chinese espionage.

"Huawei has no connection to the cybersecurity issues the U.S. has encountered in the past, current and future," Huawei CEO Ren Zhengfei, 68, told local reporters -- through an interpreter -- while on a visit to New Zealand this week, according to news reports.

Since founding the company 26 years ago, Ren had previously refused to conduct media interviews. But during his visit this week to New Zealand, he agreed to meet with reporters from four of the country's news outlets.

In response to reporters' questions, Ren dismissed allegations that his employees might be colluding with state security services, instead likening the relationship between his company and the Chinese government to that between New Zealand companies and their government, reported Fairfax Media in New Zealand. Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity.


Ren's comments can be read as a criticism of the U.S. singling out Chinese firms Huawei (the world's second-largest telecommunications manufacturer) and ZTE last year in a Congressional report warning that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Accordingly, the U.S. House of Representatives Permanent Select Committee on Intelligence's Oct. 2012 report "strongly encouraged" all U.S. businesses "to seek other vendors for their projects."

American businesses appear to be listening. A recent survey of 454 IT professionals conducted by InformationWeek found that the U.S. government's recommendation to avoid Huawei equipment would influence their buying decision-making. Indeed, 37% of surveyed businesses cited the warning as a major concern, and 34% said it would be a deal-breaker.

But Ren Thursday downplayed his company's presence in the American market. "Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major U.S. carriers, nor have we sold any equipment to any U.S. government agency," he said.

His comments echoed those of Huawei executive VP Eric Hu, who last month said, "We are not interested in the U.S. market any more," according to the Financial Times.

Despite that apparent vow to quit the U.S. market, the company subsequently changed its story, saying it would continue to actively sell its products in the United States. "We continue to sell in the U.S. in all three business areas: Device, Carrier Network and Enterprise," Huawei spokesperson Jannie Luong told Network Computing in April.

In the wake of the Oct. 2012 Congressional report, Australia, India and the United Kingdom were already evaluating whether they would continue to work with Huawei and ZTE. Notably, India's Research and Analysis Wing -- the government's main intelligence service -- issued a report warning that "Huawei Technologies is known to have links with the People's Liberation Army (PLA) and the ministry of state security of China."

In response, Huawei proposed that Australia create an information security test center to vet the company's products.

But fears of Chinese espionage were further compounded this week, after an annual report from the Pentagon to Congress directly accused China of running a military cyber-espionage operation that directly accessed U.S. government systems. "China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic and defense industrial base sectors that support U.S. national defense programs," according to the report.

In the wake of that warning, Huawei and ZTE appear to be facing fresh scrutiny by Indian government officials, who said this week that they're creating a testing lab to assess all foreign-built telecommunications and networking equipment. "We know about the concerns of intelligence agencies and are expediting developing [a] system for testing the telecom equipments of foreign manufacturers in networks," an Indian government telecommunications official told India's Hindustan Times.

Information security experts, however, say that backdoors purposefully built into networking hardware can be notoriously difficult to detect, and warned that devices could also be clean when purchased but later updated with firmware that enables spying.

Furthermore, in a 2012 teardown of the Huawei AR8 and ARE 29 series routers, Felix "FX" Lindner, who heads Berlin-based Recurity Labs, found that the firmware contained sufficient numbers of coding errors that anyone studying the code base might find ways of remotely compromising the devices without needing to resort to purpose-made backdoors.


Comments
jries921,
User Rank: Apprentice
5/18/2013 | 6:06:38 PM
re: Huawei CEO Dismisses Security, Spying Concerns
I don't believe a word of it. If he were to refuse a request for cooperation from State Security, he'd go directly to prison and may never be seen again. But if he were to have said anything but what he said, he'd never be able to go home again.
Ronjon13,
User Rank: Apprentice
5/13/2013 | 2:01:31 PM
re: Huawei CEO Dismisses Security, Spying Concerns
Ren suddenly appears, dismisses all allegations and expects we should just take his word for it?

No mention of Huawei sales to Iran and the efforts to conceal ongoing operations that were uncovered, and no mention of the employees he has at Huawei that aren't really telecom employees but actually are working for the PLA intelligence agency, and no mention of the employees who are monitored and threatened if they do not go along or keep quiet.

Mr Ren, you can buy some people, some favourable articles and some desperate customers but we still do not believe you.
JSmithy67,
User Rank: Apprentice
5/10/2013 | 6:00:27 PM
re: Huawei CEO Dismisses Security, Spying Concerns
Huawei CEO Ren Zhengfei: "Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity."
While the employees may be "free to refuse" what if they personally choose to obey the request?
It would have been more reassuring for Mr. Zhengfei to say, "Huawei company policy forbids our employees to act on a request from anyone not in their chain of supervision. We will immediately fire or prosecute anyone breaking this policy."
elleno,
User Rank: Apprentice
5/10/2013 | 5:59:17 PM
re: Huawei CEO Dismisses Security, Spying Concerns
To quote a famous prostitute, Christine Keeler, when she heard one of her high profile politician clients denied all charges.

Ren denies all cybersecurity issues with Huawei: "He would say that wouldn't he".