A U.S. Congressional committee released a broadside attack on the Chinese telecommunications firms Huawei and ZTE this week, charging that their products represent a security risk to the United States and recommending that U.S. government and private sector organizations avoid their products. The report followed about a year of investigation that included hearings and a fair amount of press coverage. Here, I offer some points on the report, which I believe is deeply flawed both in its analysis and in its positioning.
Communication infrastructure is definitely an important area for national security, and it is entirely possible that these firms and the Chinese government coordinate efforts to accomplish espionage or other activities. But I argue this report doesn’t get there, and that it seems designed to distract readers from its thin evidence (at least in the non-classified version we get to see). What it is not is a balanced examination of a risk. Five points and a conclusion follow.
Huawei seems to have decided not to provide much detailed information. This furthers the trust problem, and raises questions about government control of disclosures.
The report charges: “One of the companies [Huawei] asserted clearly both verbally and in writing that it could not provide internal documentation that was not first approved by the Chinese government. The fact that Chinese companies believe that their internal documentation or information remains a ‘state secret,’ only heightens concerns about Chinese government control over these firms and their operations” (12). This is a legitimate point, though concerns about state secret disclosure are hardly unique to telecom firms, and the suggestion that the companies consider their internal documents state secrets is laughable: they are either afraid of bringing the wrath of their government, or this is a handy way to avoid disclosure. Given Huawei’s apparently ham-fisted and ever-changing attitude with the U.S. investigators, either seems possible to me.
A drastic rebuild of most public- and private-sector information infrastructure would be necessary to achieve the standard of security allegedly threatened by Huawei and ZTE.
Warning: tech-speak in this section. The problem with buying communications infrastructure rather than building it from scratch yourself is that you cannot, ever, be sure there is not a software backdoor baked into the machine. The report cites a classic speech by Ken Thompson in 1987 that outlines the fundamental challenge of backdoors in software: They can be detected in the source code, but our computers don’t run source code; they run compiled code, which can almost never be reverse engineered to reveal the underlying code. So all one needs for a backdoor is to insert it before the code is compiled for deployment. [update] Or, in Thompson’s example, the determined engineer could pack the vulnerability into the compiler itself. [/update] This means it’s entirely possible that I am typing on a compromised machine right now, that someone at Google has inserted something into Chrome, that someone at Cisco has compromised my VPN client, or that Apple’s operating system is vulnerable in secret ways. (I’m sure the U.S. government would never try to gain this kind of access.)
The report correctly notes that you don’t even need cooperation at the highest level to insert backdoors. “Even if the company’s leadership refused [a government] request, Chinese intelligence services need only recruit working-level technicians or managers in these companies” (3). So what would be necessary to build secure infrastructure? The report has it right, saying that monitoring would be needed “from design to retirement [including] aspects such as discrete technology components, their interactions, the human environment, and threats from the full spectrum of adversaries” (6–7). Great. How can we get this done? First, one would build a redundant monitoring system under a trusted hierarchy. Then, every piece of telecommunications infrastructure, from hardware and software at the user level to infrastructure at the network level, including both private and public sector machines, would need to be redesigned from the lowest level to the highest, then everyone using machines would need to be monitored—clearly not a realistic option. But without this level of effort, anything we do now will at best prevent new vulnerabilities.
The essence is this: No system will in itself ever be completely secure.
Committee staff either do not understand the Chinese business environment or actively seek to mislead others by suggesting that good loan terms and Communist Party committees are unusual.
For some reason, the report repeatedly cites what is essentially an opinion article reprinted by an Australian business magazine to make its case about Chinese state and Communist Party penetration in business. Though they also offer a couple of footnotes to Richard MacGregor’s excellent The Party, they for some reason quote this opinion piece by an adjunct professor at the University of Sydney named John Lee.
Lee’s article is not an evidence-based analysis, but an argument against Huawei being involved in Australian broadband projects. That’s just fine, but he is not an unbiased observer, and his expertise is not in business-government relations in China. A look at his publications suggests he is an analyst of international geopolitics, and he has a U.S. affiliation at a conservative-leaning think tank—again, fine, but hardly the source that an honest inquiry would seek for fine points of Chinese politics.
As another example, the report notes that the reclusive CEO of Huawei, Ren Zhengfei, was invited to be a member of of the National Congress of of the CPC in 1982 before he founded the company (23), and goes on to build a case that Huawei gets better-than-market loan terms. The report complains: “Huawei refuses to provide answers to direct questions about how this support was secured, nor does it provide internal documentation or auditable financial records to evaluate its claims that the terms of these agreements comply with standard practice and international trade agreements” (29).
There are two things going on in this quote. First, a reader unfamiliar with the Chinese business environment might think that good loan terms are rare for big Chinese companies, rather than easily available at various times. Second, we see a shift from implying that the “support was secured” through some murky method, over to an essentially unrelated complaint that they might not comply with international trade agreements—hardly the job of the House Intelligence Committee. This leads to my next point.
The committee spends much of the report on issues unrelated to intelligence or national security.
Entire sections of the report focus on claims that Huawei may have stolen intellectual property from Cisco, or that its affiliates may be working illegally in the United States, or that it may not be operating in full compliance with international economic agreements. These may be legitimate points, and they may be cause for litigation or regulatory penalties under U.S. law, but these points are all a distraction from the duties and purview of the House Intelligence Committee.
Further, they open up the report to charges of playing politics with national security. Such charges would hardly be avoidable in a campaign season or when dealing with the high-profile U.S.–China business relationship, but confusing the matter with these unrelated charges undermines the idea that the committee’s investigation and report are motivated by good-faith execution of its duties. The committee could even have referred these findings to the executive branch as a courtesy, without including them in the report.
This is perhaps the most frustrating element of the entire endeavor. It is entirely possible that there are very real concerns about using Huawei, ZTE, or other foreign-produced telecommunications equipment in sensitive roles in U.S. networks. The committee’s recommendation that “U.S. government systems, particularly sensitive systems, should not include Huawei or ZTE equipment, including component parts” is probably good policy, precisely because of uncertainty (vi).
But putting that recommendation next to (and indeed, below) a recommendation that the Committee on Foreign Investment in the United States (CFIUS) prevent these companies from acquiring or merging with U.S. firms—a major point of concern in U.S.–China business ties—undermines the security case by clouding motivations. It leads the reader to suspect ulterior motives, and it makes the committee’s recommendations less trustworthy even within the United States.
The report is seemingly written in an imaginary world where U.S. companies would readily disclose to the Chinese government their modes of cooperation with the U.S. government on surveillance efforts.
Imagine this: “U.S. telecommunications companies provide an opportunity for the U.S. government to tamper with the Chinese telecommunications supply chain. That said, understanding the level and means of state influence and control of economic entities in the United States remains difficult. As U.S. analysts explain, state control or influence of purportedly private-sector entities in the United States is neither clear nor disclosed.” This statement is true, but all I did to write it was reverse the country names (11).
Perhaps the most gaping hole in this report, if it is to be viewed as any kind of overview of the situation, is the offensive side of U.S. intelligence efforts. The report elsewhere notes that analysts say China is responsible for the most cyber attacks of any country; I wonder what analysts without U.S. security clearance and therefore not subject to disclosure restrictions would say.
The point is that espionage is never exclusive to the other party. As a rule, every government is trying to gain information about the every other, and private companies that work with governments are likely to hide their efforts. Frustrated by what the committee saw as insufficient response to questions about government ties, the report remarks, “Any company operating in the United States could very easily describe and produce evidence of the federal entities with which it must interact, including which government officials are their main points of contact at those regulatory agencies” (22). Would Boeing or Northrop or Lockheed describe in detail their interactions with government? Perhaps the weasel word above is “must.” Sure, a U.S. defense contractor might happily describe its required interactions, but what about optional ones that lead to more business? How does candor work out when warrantless wiretaps are executed with the assistance of phone providers?
Conclusion: This report seeks to paint Huawei, ZTE, and China as shady, and asks the reader to trust that the classified portion of the report contains evidence of wrongdoing.
It does not score highly for its analysis of Chinese business structures, nor realistic priorities for maintaining and improving security, nor for avoiding the perception of political bias and ulterior motives. This is a frustrating report, because the underlying issue is serious. It is frustrating because it could do damage to U.S.–China business ties that benefit both countries. And it is ultimately unrevealing except as an indicator of this committee’s agenda.
For better (if still largely one-sided) analysis from the U.S. government, see Northrop Grumman’s report to the U.S.–China Economic and Security Review Commission on China and cybersecurity. While this work still lacks introspection, it uses a broad source base and outlines potential threats without the name calling.