In what some security experts consider a watershed report by the bipartisan Congressional committee on the national security implications of the two largest Chinese telecommunications companies -- Huawei and ZTE -- conducting business here in the U.S., the committee didn't mince words in its warning of the dangers of working with the companies, which it has been investigating for the past year. But even with the high-profile report calling out the companies' lack of cooperation in the investigation and concerns about their relationships with the Chinese government, experts say it isn't likely to result in any lessening of computer breaches executed by Chinese cyberspy actors.
"We have to be certain that Chinese telecommunication companies working in the United States can be trusted with access to our critical infrastructure," said House Intelligence Committee chairman Mike Rogers, R-Mich. "Any bug, beacon, or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks. As this report shows, we have serious concerns about Huawei and ZTE, and their connection to the communist government of China. China is known to be the major perpetrator of cyber espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation. American businesses should use other vendors."
Richard Bejtlich, chief security officer at Mandiant, says the report overall isn't likely to make much of a dent on China's cyberespionage operations. "I know there are many factions over there," Bejtlich says, so it isn't likely to change much in the big picture, even if the civilian side of the Chinese government were to make a move to back off. The more aggressive military side wouldn't be likely to stop its cyberespionage operations, he says.
[ How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]
This is the second major and very public call by the U.S. government to take a stronger stand against China's cyberespionage activities: The first was the Office of the National Counterintelligence Executive's (ONCIX) report earlier this year that basically identified China as the most active and persistent economic espionage actor, points out Scott Aken, a former special FBI agent who worked on counterintelligence on cyberespionage cases.
Aken says while the content of the House Intelligence Committee's report comes as no surprise to the intelligence community, it's a significant message to the general public. "This is the first time a [government] report is focused specifically on [China's spying in] cyberspace," he says. "To me, the ONCIX report was really the start when they called China out on the mat for the first time publicly."
The House report takes it a step further by pointing out the potential of Huawei and ZTE being agents of the Chinese government, Aken says.
"It's great they are starting to open aperture to the problem. But it isn't going to go away. Cyberespionage is certainly going to continue for [our] lifetimes," Aken say. "By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from ... To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD" already know, he says.
Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says the report doesn't really break much new ground, but it does shine a spotlight on how China operates in the business world. "This is a watershed moment. People are going to start asking the hard questions about how Chinese companies are competing against the U.S., and whether they are doing so fairly," Alperovitch says. "Cyberespionage is one part of it, and the Chinese government funding is another level of it."
The House committee says neither Huawei nor ZTE cooperated in the committee's investigation, and never fully explained their ties and relationships with the Chinese government, as well as their U.S. business operations. There were reports of corruption, bribery, and immigration illegalities, according to existing and former employees of the firms, the report says.
"One of the companies asserted clearly both verbally and in writing that it could not provide internal documentation that was not first approved by the Chinese government. The fact that Chinese companies believe that their internal documentation or information remains a 'state secret,' only heightens concerns about Chinese government control over these firms and their operations," the report said.
Huawei reportedly shot down the findings in the report. "Unfortunately, the Committee's report not only ignored our proven track record of network security in the United States and globally, but also paid no attention to the large amount of facts that we have provided ... We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the US market," the company said in a statement published in a report by The Wall Street Journal.
The House report also recommends that U.S. government agencies and contractors avoid Huawei and ZTE equipment in their procurements and systems, and that the Committee on Foreign Investments in the United States (CFIUS) block "acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests."
It also urges Chinese companies to become more open about their operations, and that Congress consider legislation to address potential risks like this.
To date, there have been reports of backdoors in ZTE equipment. "But the broader concern may not be the backdoors to date, but if [the equipment] is controlled by the Chinese, can you trust the next update" to the systems, CrowdStrike's Alperovitch says.
The full committee report is available here (PDF) for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.