Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/8/2012
04:51 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Congressional Intelligence Committee Warns Against Doing Business With Chinese Telecom Firms

Buying from or teaming with Huawei and ZTE is risky business for U.S. communications infrastructure due to nation-state implications -- but avoiding these firms still won't stop Chinese cyberespionage

The House Intelligence Committee today sent a strong message to U.S. companies: Steer clear of doing business with Chinese telecommunications companies Huawei and ZTE due to the possible security risks to U.S. communications infrastructure and threat of cyberespionage in light of their potential ties to the Chinese government.

In what some security experts consider a watershed report by the bipartisan Congressional committee on the national security implications of the two largest Chinese telecommunications companies -- Huawei and ZTE -- conducting business here in the U.S., the committee didn't mince words in its warning of the dangers of working with the companies, which it has been investigating for the past year. But even with the high-profile report calling out the companies' lack of cooperation in the investigation and concerns about their relationships with the Chinese government, experts say it isn't likely to result in any lessening of computer breaches executed by Chinese cyberspy actors.

"We have to be certain that Chinese telecommunication companies working in the United States can be trusted with access to our critical infrastructure," said House Intelligence Committee chairman Mike Rogers, R-Mich. "Any bug, beacon, or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks. As this report shows, we have serious concerns about Huawei and ZTE, and their connection to the communist government of China. China is known to be the major perpetrator of cyber espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation. American businesses should use other vendors."

Richard Bejtlich, chief security officer at Mandiant, says the report overall isn't likely to make much of a dent on China's cyberespionage operations. "I know there are many factions over there," Bejtlich says, so it isn't likely to change much in the big picture, even if the civilian side of the Chinese government were to make a move to back off. The more aggressive military side wouldn't be likely to stop its cyberespionage operations, he says.

[ How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

This is the second major and very public call by the U.S. government to take a stronger stand against China's cyberespionage activities: The first was the Office of the National Counterintelligence Executive's (ONCIX) report earlier this year that basically identified China as the most active and persistent economic espionage actor, points out Scott Aken, a former special FBI agent who worked on counterintelligence on cyberespionage cases.

Aken says while the content of the House Intelligence Committee's report comes as no surprise to the intelligence community, it's a significant message to the general public. "This is the first time a [government] report is focused specifically on [China's spying in] cyberspace," he says. "To me, the ONCIX report was really the start when they called China out on the mat for the first time publicly."

The House report takes it a step further by pointing out the potential of Huawei and ZTE being agents of the Chinese government, Aken says.

"It's great they are starting to open aperture to the problem. But it isn't going to go away. Cyberespionage is certainly going to continue for [our] lifetimes," Aken say. "By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from ... To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD" already know, he says.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says the report doesn't really break much new ground, but it does shine a spotlight on how China operates in the business world. "This is a watershed moment. People are going to start asking the hard questions about how Chinese companies are competing against the U.S., and whether they are doing so fairly," Alperovitch says. "Cyberespionage is one part of it, and the Chinese government funding is another level of it."

The House committee says neither Huawei nor ZTE cooperated in the committee's investigation, and never fully explained their ties and relationships with the Chinese government, as well as their U.S. business operations. There were reports of corruption, bribery, and immigration illegalities, according to existing and former employees of the firms, the report says.

"One of the companies asserted clearly both verbally and in writing that it could not provide internal documentation that was not first approved by the Chinese government. The fact that Chinese companies believe that their internal documentation or information remains a 'state secret,' only heightens concerns about Chinese government control over these firms and their operations," the report said.

Huawei reportedly shot down the findings in the report. "Unfortunately, the Committee's report not only ignored our proven track record of network security in the United States and globally, but also paid no attention to the large amount of facts that we have provided ... We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the US market," the company said in a statement published in a report by The Wall Street Journal.

The House report also recommends that U.S. government agencies and contractors avoid Huawei and ZTE equipment in their procurements and systems, and that the Committee on Foreign Investments in the United States (CFIUS) block "acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests."

It also urges Chinese companies to become more open about their operations, and that Congress consider legislation to address potential risks like this.

To date, there have been reports of backdoors in ZTE equipment. "But the broader concern may not be the backdoors to date, but if [the equipment] is controlled by the Chinese, can you trust the next update" to the systems, CrowdStrike's Alperovitch says.

The full committee report is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.