Huawei And Security: The Bigger Picture


China-based telecom heavyweight Huawei has been the target of U.S. government scrutiny over concerns about potential security issues related to the possibility its technology could provide a "back door" to hacking or spying by the Chinese government.

However, such security concerns have been more muted when it comes to other China-backed companies whose products also could potentially be configured with similar back doors.

Security issues stem not from a particular country or company but are increasingly pervasive, said John Woodall, vice president of engineering at Integrated Archive Systems, a Palo Alto, Calif.-based solution provider.

There is the traditional nation-state trying to collect data and intelligence on another nation-state, and corporate espionage, and the ubiquitous IT security risks, Woodall said.

"There's a lot of communications going on around the world," he said. "The world is increasingly connected. There are a lot of opportunities for back doors. So is it fair to point out a specific company? Not unless there's specific information."

Huawei's problems with the U.S. government started in early 2008 when the U.S. government's Committee on Foreign Investment in the United States (CFIUS) blocked a proposed merger between Huawei and 3Com on national security grounds.

Since then, the U.S. government has blocked bids by Huawei to supply components to build cellular phone towers across the U.S. and to acquire server virtualization company 3Leaf Systems.

Then late last year, the U.S. House of Representatives' Permanent Select Committee on Intelligence issued a report labeling Huawei a "national security risk," alleging the company could serve as a back door for spying on U.S. communications and data flowing across carrier and other networks based on its technology.

The U.K. and Australian governments also have objected to local telecom agreements with Huawei.

Other Chinese companies have had similar scrutiny, although not at the level of Huawei.

ZTE, another huge China-based telecom vendor, was criticized in the same 2012 Select Committee on Intelligence report that brought Huawei into the spotlight.

Meanwhile, a late July report in the Australian Financial Review said that certain agencies in the governments of the U.S., U.K., Australia, New Zealand and Canada have banned Lenovo PCs from use by their staff because of "allegedly documented 'back-door' hardware and 'firmware' vulnerabilities in Lenovo chips."

Lenovo, which is partly owned by the Chinese government, in 2005 acquired IBM's PC business and is now a top supplier of PCs to governments around the world.

However, the Australian Government Department of Defense,later issued a statement in which it wrote, "This reporting is factually incorrect. There is no Department of Defense ban on the Lenovo Company or their computer products; either for classified or unclassified systems."

Meanwhile, many telecom and networking vendors source components and have parts manufactured in China due to the relatively low cost of manufacturing in that country. China also is by far the biggest supplier of PCs, tablets and smartphones to customers around the world. Any of these products carry the potential for being hacked, although no such hacking has been reported.

Stewart Baker, a partner at Washington, D.C.-based law firm Steptoe & Johnson and the former assistant secretary for policy at the U.S. Department of Homeland Security, told CRN via email that China is a serious threat to U.S. telecom networks.

However, Baker said, the U.S. government has yet to prove allegations of spying. Furthermore, he wrote, while there have been plenty of security flaws found in Huawei gear, "It's not easy to determine whether such flaws are deliberate or negligent."

Baker also wrote that there is a simple reason why the focus in the U.S. has been on the telecom carrier business of Chinese companies, and not on their mobile device business.

"The mobile device market is quite different from the telecom infrastructure market, both from a regulatory and a security point of view, which probably accounts for the difference in treatment so far," he wrote.

The IT supply chain also carries a major risk for cyberattacks, with only around 20 percent of chips used in products sold in the U.S. are made in the country, according to a report by Washington, D.C.-based Federal News Radio. The sheer numbers of components, U.S.-made or foreign-made, provide opportunities for both intentional and accidental introductions of security back doors.

The world is increasingly connected, Woodall said. "Anyone who thinks they can be immune from prying eyes will be disappointed," he said.

PUBLISHED AUG. 19, 2013