Why Huawei Has Congress Worried

11 Security Sights Seen Only At Black Hat

Chinese telecommunications firms Huawei Technologies and ZTE Corp. should be viewed as potential threats to national security, a U.S. congressional report said on Monday.

The report, "The U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE," presents the results of a House Permanent Select Committee on Intelligence investigation begun in November 2011, nine months after Huawei published an open letter challenging "unfounded and unproven claims" that the company has ties to the Chinese military.

The report says that neither company cooperated sufficiently with the investigation and makes several recommendations for U.S. companies and government agencies that deal with either of the Chinese companies.

While noting that non-compliance isn't the same as wrongdoing, the report nonetheless concludes "the risks associated with Huawei's and ZTE's provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests."

[ Security is one thing. Privacy is an entirely different issue. Read Google Privacy Audit Leaves Lingering Questions. ]

The report says that a classified annex, not released to the public, amplifies the Committee's concerns.

According to the report, the increasing global dominance of Huawei and ZTE in the telecom equipment market affords the two companies with an opportunity to spy or conduct malicious activity.

Because U.S. authorities continually cite the threat from Chinese cyber-espionage and both companies are Chinese-founded, Chinese-owned, and have ties to the Chinese government and military, the report concludes that the lack of satisfactory answers from the two companies demands that Huawei and ZTE should be viewed with suspicion and their telecom equipment should be avoided.

It calls for an investigation into potential unfair trade practices, new legislation to address the risk of telecom companies with ties to foreign governments, for public and private sector avoidance of Huawei and ZTE products, and for greater openness by Chinese companies.

The assumption here is that the absence of democratic rights and independent civil institutions in China means that Chinese companies do the bidding of Chinese authorities because they cannot do otherwise and remain in business. Moreover, the Chinese government's role in funding certain industries and its encouragement of nationalism as a source of political unity contribute to an alignment of government and business interests in China.

Huawei in a statement insisted it had cooperated with the investigation and that evidence for the Committee's claims is lacking. "However, despite our best effort, the Committee appears to have been committed to a predetermined outcome," the company said.

ZTE did not immediately respond to a request for comment.

In a phone interview, Gartner research VP Kathie Hackler said that with regard to the security issues being raised, "we've not found anything to indicate there are any ongoing security issues." Stressing that Huawei has gone out of its way to open itself up for security testing, she acknowledged that vulnerabilities had been found in older Huawei routers.

Similar flaws have been identified in Cisco equipment, and the presence of flaws isn't necessarily a sign of a government-directed espionage effort.

Hackler suggested that concern about these companies may have more to do with politics than risk, noting that claims about the dominance of Huawei and ZTE are overstated. Cisco, she said, had 74% of the router market in the U.S., while Huawei can claim just 9%.

Murray Jennex, an associate professor of in the department of information and decision systems at San Diego State University, said in a phone interview that there's substance to the Committee's concerns. But he acknowledged there's no smoking gun that establishes the presence of backdoors placed in Chinese-made telecom equipment at the behest of Chinese authorities.

Jennex said he believes that Stuxnet, the malware designed to interfere with Iran's nuclear centrifuges, is what has people concerned. "Now the Chinese didn't do Stuxnet," he said. "We developed Stuxnet, but that aside, it works."

Indeed, the CIA on its website describes a joint effort in the 1980s by the CIA, the Department of Defense, and the FBI, in conjunction with U.S. private industry, to prepare flawed technology products in the hope they'd find their way into Soviet military equipment.

"We've done it a couple times, so it's logical to assume it can be done to us," Jennex said.