Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/8/2012
04:51 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Congressional Intelligence Committee Warns Against Doing Business With Chinese Telecom Firms

Buying from or teaming with Huawei and ZTE is risky business for U.S. communications infrastructure due to nation-state implications -- but avoiding these firms still won't stop Chinese cyberespionage

The House Intelligence Committee today sent a strong message to U.S. companies: Steer clear of doing business with Chinese telecommunications companies Huawei and ZTE due to the possible security risks to U.S. communications infrastructure and threat of cyberespionage in light of their potential ties to the Chinese government.

In what some security experts consider a watershed report by the bipartisan Congressional committee on the national security implications of the two largest Chinese telecommunications companies -- Huawei and ZTE -- conducting business here in the U.S., the committee didn't mince words in its warning of the dangers of working with the companies, which it has been investigating for the past year. But even with the high-profile report calling out the companies' lack of cooperation in the investigation and concerns about their relationships with the Chinese government, experts say it isn't likely to result in any lessening of computer breaches executed by Chinese cyberspy actors.

"We have to be certain that Chinese telecommunication companies working in the United States can be trusted with access to our critical infrastructure," said House Intelligence Committee chairman Mike Rogers, R-Mich. "Any bug, beacon, or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks. As this report shows, we have serious concerns about Huawei and ZTE, and their connection to the communist government of China. China is known to be the major perpetrator of cyber espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation. American businesses should use other vendors."

Richard Bejtlich, chief security officer at Mandiant, says the report overall isn't likely to make much of a dent on China's cyberespionage operations. "I know there are many factions over there," Bejtlich says, so it isn't likely to change much in the big picture, even if the civilian side of the Chinese government were to make a move to back off. The more aggressive military side wouldn't be likely to stop its cyberespionage operations, he says.

[ How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

This is the second major and very public call by the U.S. government to take a stronger stand against China's cyberespionage activities: The first was the Office of the National Counterintelligence Executive's (ONCIX) report earlier this year that basically identified China as the most active and persistent economic espionage actor, points out Scott Aken, a former special FBI agent who worked on counterintelligence on cyberespionage cases.

Aken says while the content of the House Intelligence Committee's report comes as no surprise to the intelligence community, it's a significant message to the general public. "This is the first time a [government] report is focused specifically on [China's spying in] cyberspace," he says. "To me, the ONCIX report was really the start when they called China out on the mat for the first time publicly."

The House report takes it a step further by pointing out the potential of Huawei and ZTE being agents of the Chinese government, Aken says.

"It's great they are starting to open aperture to the problem. But it isn't going to go away. Cyberespionage is certainly going to continue for [our] lifetimes," Aken say. "By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from ... To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD" already know, he says.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says the report doesn't really break much new ground, but it does shine a spotlight on how China operates in the business world. "This is a watershed moment. People are going to start asking the hard questions about how Chinese companies are competing against the U.S., and whether they are doing so fairly," Alperovitch says. "Cyberespionage is one part of it, and the Chinese government funding is another level of it."

The House committee says neither Huawei nor ZTE cooperated in the committee's investigation, and never fully explained their ties and relationships with the Chinese government, as well as their U.S. business operations. There were reports of corruption, bribery, and immigration illegalities, according to existing and former employees of the firms, the report says.

"One of the companies asserted clearly both verbally and in writing that it could not provide internal documentation that was not first approved by the Chinese government. The fact that Chinese companies believe that their internal documentation or information remains a 'state secret,' only heightens concerns about Chinese government control over these firms and their operations," the report said.

Huawei reportedly shot down the findings in the report. "Unfortunately, the Committee's report not only ignored our proven track record of network security in the United States and globally, but also paid no attention to the large amount of facts that we have provided ... We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the US market," the company said in a statement published in a report by The Wall Street Journal.

The House report also recommends that U.S. government agencies and contractors avoid Huawei and ZTE equipment in their procurements and systems, and that the Committee on Foreign Investments in the United States (CFIUS) block "acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests."

It also urges Chinese companies to become more open about their operations, and that Congress consider legislation to address potential risks like this.

To date, there have been reports of backdoors in ZTE equipment. "But the broader concern may not be the backdoors to date, but if [the equipment] is controlled by the Chinese, can you trust the next update" to the systems, CrowdStrike's Alperovitch says.

The full committee report is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15237
PUBLISHED: 2019-08-20
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
CVE-2019-15228
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
CVE-2019-15229
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
CVE-2019-15231
PUBLISHED: 2019-08-20
Webmin 1.890, in a default installation, contains a backdoor that allows an unauthenticated attacker to remotely execute commands. This is different from CVE-2019-15107. NOTE: as of 2019-08-19, the vendor reports that "at some point" malicious code was inserted into their build infrastruct...
CVE-2019-15232
PUBLISHED: 2019-08-20
Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.