Dark Reading is part of the Informa Tech Division of Informa PLC


6/30/2020
05:50 PM

FCC Designates Huawei & ZTE as National Security Threats

Backdoors in 5G network equipment from these vendors could enable espionage and malicious activity, agency says.

The US Federal Communications Commission (FCC) Tuesday formally designated China's Huawei and ZTE Corp. as national security threats, citing their close relationship with the Chinese government.

The decision means that US carriers can no longer use money available under the FCC's Universal Service Fund (USF) to purchase 5G — or any other — equipment, services, or systems from either of the two Chinese equipment manufacturers or any of their subsidiaries and affiliates. The US Department of Defense and other government agencies previously announced decisions to discontinue use of technologies from Huawei and ZTE in their networks.

"Both companies have close ties to the Chinese Communist Party and China's military apparatus," FCC chairman Ajit Pai said in a press statement. "Both companies are broadly subject to Chinese law obligating them to cooperate with the country's intelligence services."

The FCC's move finalizes a decision by the agency last November barring the use of federal funds on equipment from companies deemed as posing a threat to US national security. At the time, the FCC had named Huawei and ZTE as companies that would be covered under the ban. Today's announcement formalizes that decision.

The FCC last November had also noted that it would require US carriers to remove already installed equipment from these two vendors from all USF-funded networks. Tuesday's FCC notice did not provide any new information on when that requirement would go into effect. But it did note that the agency would work with impacted telecommunications providers to figure out a schedule and a way to pay for ripping and replacing existing equipment.

The USF is an $8.3 billion-a-year fund that is used to ensure affordable access to telecommunication services — including 5G networks — in high-cost areas, for low-income populations, for rural-healthcare providers, and for schools and other entities. Many of those who use the fund are smaller, rural communications providers. The FCC ban means these companies, and others, can no longer use the funds to "purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by [Huawei and ZTE]," the FCC said.

Both Huawei and ZTE have consistently denied any close relationship with the Chinese government or intelligence agencies. They have claimed that the charges against them by the US government — and several other Western nations — are driven purely by economic and geopolitical rivalries with little basis in fact.

Persistent Concerns
However, the US government and intelligence agencies have equally consistently warned about the risks to national security from deploying next-gen 5G networks based on technologies from Chinese firms such as Huawei and ZTE.

The concerns have to do with what is widely perceived as the close — and often forced — relationship between Chinese businesses and the country's government and intelligence apparatus. Of particular concern are national statutes in China that require companies to report certain business-related activities to the government. Reports about companies such as Huawei receiving substantial subsidies from the Chinese government have also spurred questions about their ability to operate independently of government influence.

Many have noted China's extensive cyber-espionage activities over the past decade. They have contended that Beijing could force telecom equipment manufacturers such as Huawei and ZTE to plant backdoors and other traps in their technology to enable cyber espionage and surveillance on a truly global scale.

The fact that companies such as Huawei provide services for managing telecommunications equipment means they have authorized access to customer networks that could be exploited for malicious purposes, the FCC noted in explaining its decision. The FCC also pointed to reports from former Huawei employees about the company providing network services to an elite "cyber-warfare" unit within China's army.

The FCC also cited cybersecurity vulnerabilities in products from both vendors that it said posed a risk to companies that deployed the technology. Concerns over these vulnerabilities had prompted other countries to bar the use of the equipment, the FCC said.

"Modern communications networks are an integral component of the US economy, enabling the voice, data, and Internet connectivity that fuels all other critical industry sectors," the agency noted.

But these networks are vulnerable to various forms of surveillance and attack that can lead to denial of service as well as the loss of integrity and confidentiality of network services. As the United States upgrades to 5G technologies, "the risk that secret 'backdoors' in our communications networks will enable a hostile foreign power to engage in espionage, inject malware, or steal Americans' data becomes even greater," the FCC said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
RyanSepe
6/30/2020 | 10:51:02 PM
Made in America
I would consider communication to be a critical function for a country. I think with this in mind we should look to creating our own infrastructure because otherwise you run this risk. I'm typically a trade/import advocate due to the benefits but sometimes just to be safe it's better to keep things internal.