House report on Huawei, ZTE raises real concerns, experts say

A House committee report that found telecom equipment manufacturers Huawei and ZTE pose a cyber-espionage threat to U.S. communications has legitimate concerns and signals a more aggressive approach towards China, experts say.

The House Intelligence Committee recommended Monday that the U.S. government and corporations not do business with the companies, saying they could not guarantee that their products would be free from spyware. Experts believe China is a hotbed of cyber-espionage activity.

Huawei and ZTE denied the allegations, with the former claiming the panel's findings were based on "rumors and speculations." Huawei, the world's second largest supplier of telecom networking gear, said the committee's 11-month investigation "provided no clear information to substantiate the legitimacy of the committee's concerns."

However, experts believe the report raised important points. "I don't think there's an immediate threat to the level that as soon as Huawei equipment is installed in the U.S., American data will begin to be harvested," John Grady, an analyst for IDC, said in an email. "Rather it's the longer view towards what could potentially happen, which I think is a valid concern."

[See also:China not to blame for backdoor in US military chip]

Dave Aitel, chief executive of penetration testing company Immunity and a former research scientist for the National Security Agency, said the committee indicated that the government was taking a stronger stand against cyber-espionage emanating from China.

"You're starting to see the United States government get much more activist with this," he said. "I'd say software vendors are next. If they catch a software vendor doing similar things, then they're going to blackball them."

The committee report claimed that Huawei and ZTE did not provide enough detailed information or internal documentation to convince the panel that their relationship with Chinese authorities did not pose a threat to the nation's communications infrastructure.

"Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems," the report said.

The Defense Department has claimed that China is home to "the world's most active and persistent perpetrators of economic espionage."

"Chinese attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security," the Defense Department said in a report to Congress this year.Ã'Â

China has denied he allegations, and Huawei said there was no proof of its involvement in cyber-espionage. "The report released by the Committee today employs many rumors and speculations to prove non-existent accusations," the company said.

Huawei claimed the report was an excuse to prevent the companies from competing in the U.S. market. "We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the U.S. market," the company said.

Grady acknowledged that competition between U.S. and Chinese tech companies couldn't be discounted.

"I do think that a lot of this is driven by the fact that it's China," he said. "We can point to many examples of ties between network or security companies and militaries and governments around the world, but those militaries and governments aren't China, so reports like this haven't been written."

ZTE, the world's fourth largest mobile phone maker, said the committee's finding that it may not be "free of state influence" could apply to any company operating in China.

Nevertheless, The risk posed by companies like Huawei and ZTE is that a government plant could insert spyware within firmware that would still pass regression testing by a quality assurance team, Aitel said.

"In this case, the American government is worried about Chinese major manufacturers from the top down targeting particular segments of the United States infrastructure," he said.

Huawei has significant portions of the worldwide enterprise and carrier markets for networking equipment. The company is strongest in Asia and Europe, but is not an important player in the U.S., Gartner analyst Kathie Hackler said.

The committee report could damage efforts the company has made recently to increase U.S. sales, if the classified evidence the panel has is made public and is proven to be true.

"It will definitely impair great success in the market, because there's going to be that fear, uncertainty and doubt, and certainly within verticals that are very sensitive about security," Hackler said, citing government and financial institutions as examples.

Rep. Frank Wolf, who chairs the House Appropriations subcommittee, has inserted language in an appropriations bill pending in Congress that would prohibit the purchase of telecom equipment produced by Chinese state-owned or state-directed companies.

"I was pleased the report's first recommendation directs all federal agencies to similarly prohibit these risky products moving forward," Wolf said in a statement published by Fairfax News.

Read more about network security in CSOonline's Network Security section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place