The alienation of an ambitious Chinese tech giantby Peter Griffin
Is the treatment of Huawei down to geopolitics tinged with xenophobia, or does the billion-dollar tech giant really pose a security threat to countries like NZ, which has just banned it from being allowed to supply Spark's 5G network?
Our intelligence agency, the Government Communications Security Bureau, declined Spark’s proposal to use Huawei technology to build its fifth-generation mobile network, citing “significant national security risks”, if the Chinese vendor was allowed to supply the infrastructure.
The GCSB did not detail its concerns, but joined its Five Eyes security partners around the world in effectively blacklisting Huawei as a supplier of key components of telecommunications infrastructure.
The news didn’t come as much of a surprise when I mentioned it to people in China’s tech sector I met last week.
“It’s just political,” one told me with a wry smile. The consensus view was that business will carry on largely as normal because so many companies, including trusted American brands such as Cisco, Juniper Networks, Dell and Apple, use networking and computing equipment that’s manufactured in China, much of it in Shenzhen’s factories.
Certainly, the decision by the governments of Australia and New Zealand to reject Huawei comes as the United States wages a trade war with China, one that thankfully didn’t escalate over the weekend as President Trump and Chinese President Xi Jinping agreed a halt to new tariffs on each other’s goods for the next 90 days.
But is the treatment of Huawei down to geopolitics tinged with xenophobia, or does the company that employs 180,000 people and which had revenue of over US$92 billion last year, really pose a security threat to the countries it wants to do business with?
The answer to that is not clear cut, due to the secrecy in which the intelligence agencies operate. Little compelling technical proof has ever been offered in public. But it is plain to see that Huawei has done itself few favours as it has grown massively over the last decade, without the level of transparency that’s expected of multinationals providing components of critical infrastructure.
Huawei’s latest problems stem from the U.S. House of Representatives Permanent Select Committee on Intelligence report, completed in 2012 when Obama was in the White House. It criticised Huawei and ZTE Corp., another major Chinese networking equipment maker, for “incomplete, contradictory and evasive responses to the Committee’s core concerns”.
The House investigation followed a RAND Corporation report in 2005, completed for the US Government, which identified a “digital triangle” of Chinese firms, the military and state-run research groups, working together in close co-operation.
Where’s the proof?
There was no technical smoking gun identified in the report that would suggest Huawei was at that point doing anything either intentionally or unintentionally, to compromise the security of its networking switches and routers.
Not that the Americans hadn’t gone out of their way to find the proof. In 2013, the leak of classified National Security Agency documents by contractor Edward Snowden, revealed details of Shotgiant, a covert operation, approved by the Bush White House, to hack into Huawei’s Shenzhen facilities.
In his 2018 book, The Perfect Weapon, New York Times national security correspondent, David E. Sanger suggests that a quest to find out the truth about Huawei’s links to China’s Communist Party and the Chinese military was really cover for an effort to infiltrate Huawei products that were increasingly being used in places like Iran, Afghanistan, Pakistan, Kenya and Cuba – high priority intelligence targets for the US.
“Eager as the NSA was to figure out whether Huawei was the People’s Liberation Army puppet, it was more interested in putting its own back doors into Huawei networks,” wrote Sanger.
But there was also considerable concern among US lawmakers that Huawei failed to act like the sort of company that governments prefer to deal with – ones that have transparent governance and company structures and which are known for best-practice in their field. Huawei was and continues to be run by Ren Zhengfei, a former engineer in the PLA and Communist Party member.
Huawei and ZTE weren’t able to convince US lawmakers back in 2012 that their governance, finances and decision making were sufficiently independent from the Chinese Communist Party and that their R&D wasn’t aiding the Chinese military.
Sanger sees those US concerns as justified.
“Any firm built in an authoritarian, government-takes-all environment, is going to turn over to the state whatever data it is told to turn over.”
When it came to Huawei, the report fingered another cause for concern, one that was plaguing Huawei when I visited its massive Shenzhen HQ in March 2007. Huawei had been accused of stealing intellectual property from other companies to develop its own networking products.
Most notably, American networking equipment vendor Cisco Systems sued Huawei in 2003, alleging it had copied Cisco’s software and breached its patents. Huawei was a tiny networking player at the time compared to Cisco, but had turned up in the US market with similar and cheaper products.
During the ensuing court case, a ‘neutral expert’ who examined Huawei’s equipment and software, gave evidence that “Huawei misappropriated this code” from Cisco. As part of a 2004 settlement, Huawei agreed to discontinue selling certain products and changed the source code of others, though there was no massive settlement for Huawei to pay, as is often the case in intellectual property infringement lawsuits.
Huawei continued to win contracts and grow rapidly, expanding into the market for consumer routing equipment and smartphones, including here in New Zealand where it gained major inroads against existing telecoms equipment providers, initially with Vodafone.
But that Cisco case left a deep impression. In 2012, the House committee concluded that Huawei had “exhibited a pattern of, at the very least, reckless disregard for the intellectual property rights of other entities” and referenced the Cisco case.
It reflected suspicion in Washington of Chinese companies in general. When IBM sold its laptop business to Chinese electronics maker Lenovo in 2005, the US State Department and Pentagon largely banned use of the iconic ThinkPad that had formerly been standard issue in government, but was now a Chinese product. In 2008, the Committee on Foreign Investment in the US blocked Huawei from buying a stake in failing networking company 3Com.
Commerce meets cyber warfare
As all of this was happening, the US Government was engaged in escalating cyber warfare with China. In 2010, Chinese hackers infiltrated the US networks of Google, looking for details of human rights activists using Gmail accounts to hide their communications as well as US government workers who were also using Gmail as a more convenient form of email than their official .gov accounts.
Vint Cerf, a senior Google executive and one of the founding fathers of the internet, told me on his New Zealand visit last month that the Chinese infiltration was a key event in Google ramping up its network security efforts.
“We were upfront about reporting the 2010 Chinese invasion. After that we went and encrypted everything. We introduced two-factor authentication tools to all of our employees and made it available to the general public,” he said.
With the perception of no firewall between Chinese companies and the Communist Party and increasing state-sanctioned cyber warfare activity, the risk posed by companies like Huawei was significant.
“If there was a hot war with China, or even just a nasty regional dispute, Huawei might be the vehicle for shutting down servers or crippling the US telecommunications grid,” writes Sanger.
“Once the telecommunications system was corrupted, other networks would follow.”
Three exploit scenarios
But what sort of technical exploits could lurk in Huawei’s networking boxes and software code?
Arizona-based networking security consultant, Joel Snyder has outlined three - the Magic Kill Packet, intentionally bad software and unintentionally bad software.
The Magic Kill Packet is Sanger’s nightmare scenario for the US. In theory, it could see Chinese operatives sending a command – a string of ones and zeros, to effectively shut down Huawei equipment.
Snyder is highly sceptical it would work, because the control systems of important networking equipment is kept separate from the data traffic carried over it. Hackers would need to have previously infiltrated the network and avoided detection to make the later shutdown happen.
“There’s no way a Magic Kill Packet could shut down an entire network, because each individual device would have to be carefully targeted with a specifically engineered strategy to deliver the payload,” he writes.
More likely is the intentionally bad software scenario – effectively a built-in security flaw that would allow access to the network. Ageing computer and networking equipment is notorious for housing such back doors, which were included for convenience in a simpler time before cyber warfare really reared its head.
This too, Snyder rules out.
“Chinese manufacturers, or their shadowy military puppet masters, couldn’t risk installing a secret backdoor unless they were sure only they could take advantage of it. And as groups like Anonymous and Wikileaks have shown us, even the best-kept secrets can quickly be revealed.”
The final category, unintentional bad software, is a common vector for hacking attacks and network infiltration. Software bugs are so common to IT and telecoms, a whole industry has sprung up to fix them. If there’s a real cause for concern, it is more likely this, writes Snyder.
“Huawei may be a poor bet for buggy software, but that’s not because it’s Chinese; it’s because Huawei behaves more like a bargain-basement, release-and-forget hardware vendor in the routing and switching space than a high-end security-focused networking company like Cisco, Juniper or HP.”
Huawei has won big tenders around the world for supplying networking equipment. It could continue on as a network operator of choice in developing countries, while picking up scraps of non-core infrastructure in developed countries. The latter is still a possibility in New Zealand, where Huawei had preempted the GCSB’s decision by saying that it may not bid for the core 5G infrastructure build.
Will Huawei open up?
But Huawei’s smartphones are finally challenging the might of Samsung in the Android phone business, thanks to impressive design, performance and their built-in cameras. The company’s networking ambitions are the same ‒ it wants to be the top networking company in the world.
To stand any chance of doing that it needs to unlock the US market and win the confidence of other western powers influenced by the US. The United Kingdom is home to extensive Huawei infrastructure and hasn’t gone so far as to ban Huawei from 5G network builds.
But the refrain from officials is similar. In July, a report from an oversight body that monitors Huawei’s telecoms equipment in the UK, highlighted the "repeated discovery of critical shortfalls... in the Huawei engineering practices and processes that will cause long term increased risk in the UK".
Similar noises are being made in Germany, where Huawei has broached a potential solution to the growing mistrust in the west. Later this month Huawei will set up an information security lab in Bonn, where it will reportedly facilitate source-code reviews by government experts. This would allow them to screen for the types of potential vulnerabilities Snyder has outlined.
Germany has close business ties to China and no major telecoms infrastructure players of its own, so has more of an incentive to seek a path forward that involves Huawei, than the US does.
The concern over networking equipment could also extend to Chinese apps and online services. Last week I watched smartphones roll off the conveyor belt at the high-tech Guangdong factory of Oppo, which is a rival to Huawei and also winning growing praise for its handset design. Handset makers have so far avoided the heat of foreign governments’ disapproval, though both companies’ handsets are largely absent from the US market.
But the increasing integration of cloud-based services into smartphones could prove an arguably greater security threat, given that data stored by Chinese companies within China is subject to authorised access by government agencies.
Ultimately, only greater transparency into its structure and operations can help Huawei develop the trust it needs to meet its business aspirations.
But as Sanger points out, the Huawei controversy may be outdated and the US may have a bigger problem on its hands. The state-sanction hacking is likely to continue, but Beijing has a new strategy for dominating its region and beyond, one that is driven by commercial deal making and innovation. On that front, it is often outspending and out-innovating the US. The Chinese are investing billions into artificial intelligence and by the end of Obama’s second term as president, Sanger points out, had moved from hacking their way in, to buying their way in.
“The Chinese weren’t stealing as much. Instead, they were buying into America, perfectly legally. And the United States was struggling to figure out how to stop them without rejecting the principles of a free, global market.”
The lawyer of a woman ordered to pay $28,000 to her likely abuser has urged the justice minister to intervene.Read more
Instead of striving to be disciplined, dedicated and presidential, Trump is flitting between seven characters that have no place in the White House.Read more
Can a chef promote foraging, seasonality and plant-based eating, yet also serve meat and other animal-derived protein products on the same menu?Read more
Artist Bruce Mahalski's museum is the result of a lifetime of collecting.Read more
The backlash against the Gillette ad shows how painfully little distance we as a society have covered since the #MeToo movement.Read more