Tag Archives: U.S. Congress

Five points on the deeply flawed U.S. Congress Huawei report

A U.S. Congressional committee released a broadside attack on the Chinese telecommunications firms Huawei and ZTE this week, charging that their products represent a security risk to the United States and recommending that U.S. government and private sector organizations avoid their products. The report followed about a year of investigation that included hearings and a fair amount of press coverage. Here, I offer some points on the report, which I believe is deeply flawed both in its analysis and in its positioning.

Communication infrastructure is definitely an important area for national security, and it is entirely possible that these firms and the Chinese government coordinate efforts to accomplish espionage or other activities. But I argue this report doesn’t get there, and that it seems designed to distract readers from its thin evidence (at least in the non-classified version we get to see). What it is not is a balanced examination of a risk. Five points and a conclusion follow.

Huawei seems to have decided not to provide much detailed information. This furthers the trust problem, and raises questions about government control of disclosures. 

The report charges: “One of the companies [Huawei] asserted clearly both verbally and in writing that it could not provide internal documentation that was not first approved by the Chinese government. The fact that Chinese companies believe that their internal documentation or information remains a ‘state secret,’ only heightens concerns about Chinese government control over these firms and their operations” (12). This is a legitimate point, though concerns about state secret disclosure are hardly unique to telecom firms, and the suggestion that the companies consider their internal documents state secrets is laughable: they are either afraid of bringing the wrath of their government, or this is a handy way to avoid disclosure. Given Huawei’s apparently ham-fisted and ever-changing attitude with the U.S. investigators, either seems possible to me.

A drastic rebuild of most public- and private-sector information infrastructure would be necessary to achieve the standard of security allegedly threatened by Huawei and ZTE.

Warning: tech-speak in this section. The problem with buying communications infrastructure rather than building it from scratch yourself is that you cannot, ever, be sure there is not a software backdoor baked into the machine. The report cites a classic speech by Ken Thompson in 1987 that outlines the fundamental challenge of backdoors in software: They can be detected in the source code, but our computers don’t run source code; they run compiled code, which can almost never be reverse engineered to reveal the underlying code. So all one needs for a backdoor is to insert it before the code is compiled for deployment. [update] Or, in Thompson’s example, the determined engineer could pack the vulnerability into the compiler itself. [/update] This means it’s entirely possible that I am typing on a compromised machine right now, that someone at Google has inserted something into Chrome, that someone at Cisco has compromised my VPN client, or that Apple’s operating system is vulnerable in secret ways. (I’m sure the U.S. government would never try to gain this kind of access.)

The report correctly notes that you don’t even need cooperation at the highest level to insert backdoors. “Even if the company’s leadership refused [a government] request, Chinese intelligence services need only recruit working-level technicians or managers in these companies” (3). So what would be necessary to build secure infrastructure? The report has it right, saying that monitoring would be needed “from design to retirement [including] aspects such as discrete technology components, their interactions, the human environment, and threats from the full spectrum of adversaries” (6–7). Great. How can we get this done? First, one would build a redundant monitoring system under a trusted hierarchy. Then, every piece of telecommunications infrastructure, from hardware and software at the user level to infrastructure at the network level, including both private and public sector machines, would need to be redesigned from the lowest level to the highest. Finally, everyone using the machines would need to be monitored—clearly not a realistic option. But without this level of effort, anything we do now will at best prevent new vulnerabilities.

The essence is this: No system will in itself ever be completely secure.

Committee staff either do not understand the Chinese business environment or actively seek to mislead others by suggesting that good loan terms and Communist Party committees are unusual.

For some reason, the report repeatedly cites what is essentially an opinion article reprinted by an Australian business magazine to make its case about Chinese state and Communist Party penetration in business. Though the authors also offer a couple of footnotes to Richard McGregor’s excellent The Party, they choose to quote this opinion piece by an adjunct professor at the University of Sydney named John Lee.

Lee’s article is not an evidence-based analysis, but an argument against Huawei being involved in Australian broadband projects. That’s just fine, but he is not an unbiased observer, and his expertise is not in business-government relations in China. A look at his publications suggests he is an analyst of international geopolitics, and he has a U.S. affiliation at a conservative-leaning think tank—again, fine, but hardly the source that an honest inquiry would seek for fine points of Chinese politics.

As another example, the report notes that the reclusive CEO of Huawei, Ren Zhengfei, was invited to be a member of the National Congress of the CPC in 1982 before he founded the company (23), and goes on to build a case that Huawei gets better-than-market loan terms. The report complains: “Huawei refuses to provide answers to direct questions about how this support was secured, nor does it provide internal documentation or auditable financial records to evaluate its claims that the terms of these agreements comply with standard practice and international trade agreements” (29).

There are two things going on in this quote. First, a reader unfamiliar with the Chinese business environment might think that good loan terms are rare for big Chinese companies, rather than easily available at various times. Second, we see a shift from implying that the “support was secured” through some murky method, over to an essentially unrelated complaint that they might not comply with international trade agreements—hardly the job of the House Intelligence Committee. This leads to my next point.

The committee spends much of the report on issues unrelated to intelligence or national security.

Entire sections of the report focus on claims that Huawei may have stolen intellectual property from Cisco, or that its affiliates may be working illegally in the United States, or that it may not be operating in full compliance with international economic agreements. These may be legitimate points, and they may be cause for litigation or regulatory penalties under U.S. law, but these points are all a distraction from the duties and purview of the House Intelligence Committee.

Further, they open up the report to charges of playing politics with national security. Such charges would hardly be avoidable in a campaign season or when dealing with the high-profile U.S.–China business relationship, but confusing the matter with these unrelated charges undermines the idea that the committee’s investigation and report are motivated by good-faith execution of its duties. The committee could even have referred these findings to the executive branch as a courtesy, without including them in the report.

This is perhaps the most frustrating element of the entire endeavor. It is entirely possible that there are very real concerns about using Huawei, ZTE, or other foreign-produced telecommunications equipment in sensitive roles in U.S. networks. The committee’s recommendation that “U.S. government systems, particularly sensitive systems, should not include Huawei or ZTE equipment, including component parts” is probably good policy, precisely because of uncertainty (vi).

But putting that recommendation next to (and indeed, below) a recommendation that the Committee on Foreign Investment in the United States (CFIUS) prevent these companies from acquiring or merging with U.S. firms—a major point of concern in U.S.–China business ties—undermines the security case by clouding motivations. It leads the reader to suspect ulterior motives, and it makes the committee’s recommendations less trustworthy even within the United States.

The report is seemingly written in an imaginary world where U.S. companies would readily disclose to the Chinese government their modes of cooperation with the U.S. government on surveillance efforts. 

Imagine this: “U.S. telecommunications companies provide an opportunity for the U.S. government to tamper with the Chinese telecommunications supply chain. That said, understanding the level and means of state influence and control of economic entities in the United States remains difficult. As U.S. analysts explain, state control or influence of purportedly private-sector entities in the United States is neither clear nor disclosed.” This statement is true, but all I did to write it was reverse the country names (11).

Perhaps the most gaping hole in this report, if it is to be viewed as any kind of overview of the situation, is the offensive side of U.S. intelligence efforts. The report elsewhere notes that analysts say China is responsible for the most cyber attacks of any country; I wonder what analysts without U.S. security clearance and therefore not subject to disclosure restrictions would say.

The point is that espionage is never exclusive to the other party. As a rule, every government is trying to gain information about every other, and private companies that work with governments are likely to hide their efforts. Frustrated by what the committee saw as insufficient response to questions about government ties, the report remarks, “Any company operating in the United States could very easily describe and produce evidence of the federal entities with which it must interact, including which government officials are their main points of contact at those regulatory agencies” (22). Would Boeing or Northrop or Lockheed describe in detail their interactions with government? Perhaps the weasel word above is “must.” Sure, a U.S. defense contractor might happily describe its required interactions, but what about optional ones that lead to more business? How does candor work out when warrantless wiretaps are executed with the assistance of phone providers?

Conclusion: This report seeks to paint Huawei, ZTE, and China as shady, and asks the reader to trust that the classified portion of the report contains evidence of wrongdoing. 

It does not score highly for its analysis of Chinese business structures, nor for realistic priorities for maintaining and improving security, nor for avoiding the perception of political bias and ulterior motives. This is a frustrating report, because the underlying issue is serious. It is frustrating because it could do damage to U.S.–China business ties that benefit both countries. And it is ultimately unrevealing except as an indicator of this committee’s agenda.

For better (if still largely one-sided) analysis from the U.S. government, see Northrop Grumman’s report to the U.S.–China Economic and Security Review Commission on China and cybersecurity. While this work still lacks introspection, it uses a broad source base and outlines potential threats without the name calling.

Daily Update, June 22, 2012

Daily Update, June 21, 2012

This is an experiment. In my new position, I need to keep close track of news developments. Perhaps a good way to do this is to build a daily briefing, in the tradition of Bill Bishop’s update at Sinocism or Politico’s morning e-mail, or indeed of this blog’s former practice of posting Del.icio.us links. Only time will tell just how daily this actually is, and here goes a first shot. Of course, this is far from comprehensive.

South China Sea

  • China has raised the status of three island groups from county- to prefecture-level. This raises the level of the Hainan Province administrative body with purported jurisdiction over the Paracels and the Spratlys.
  • “Chinese Vice Foreign Minister Zhang Zhijun summoned Vietnamese Ambassador to China Nguyen Van Tho on Thursday to lodge a solemn representation to the Vietnamese side on passing a national law of the sea.” The law reportedly asserted sovereignty over the islands.
  • A South China Morning Post article considers the potential for the Philippines to bring China to international arbitration or tribunal unilaterally, despite the convention that both parties need to agree to such a resolution.
  • The Philippines will conduct a flyover of the Scarborough Shoal, and its ships will return if foreign vessels are present in the region, President Aquino said.
  • Both the Philippines and China had previously reportedly pulled out their vessels from the area surrounding the Scarborough Shoal, a land feature in the South China Sea claimed in various ways by each country. The reason? Supposedly, bad weather.
  • Chinese Defense Minister Liang Guanglie and Singaporean counterpart Ng Eng Hen met on June 18 and discussed the South China Sea, among other issues.

Air-Sea Battle Concept

  • U.S. Chief of Naval Operations Adm. Jonathan Greenert spoke on the Air-Sea Battle “concept”/“doctrine” at Brookings May 16. No mention of China, but the opening of the Arctic is noted, as is electronic warfare.

Scientific Collaboration With China

  • A U.S. Congressional committee chairman may or may not have called China “the enemy.” While a colleague questioned White House advisor John Holdren—previously a key figure in the Harvard environmental politics world—House Science Committee Chairman Ralph Hall (R-Tex.) had something to add. “I don’t think you’re gonna get the answer that you expected to get, Mr. Rohrabacher,” Hall said, referring to his colleague. “I too have seen our president bow and scrape to the enemy on many occasions.” The line of questioning was on scientific collaborations with China.

China–U.S. and China–World Investment

  • A Missouri man has been stuck in China over a business dispute for several months, the Associated Press reported. I think Dan Harris of China Law Blog would offer a forehead-slapping motion over the following: “Because of the unpaid debt to Chinese suppliers, and citing Fleischli’s status as NorthPole’s legal representative in China, a court in Xiamen ordered Fleischli detained. … Fleischli hadn’t even realized he was NorthPole’s legal representative, a role that makes Fleischli the point of contact for the company.” Why you pay attention to business laws.
  • In my first contribution to Fortune Magazine, I explore what’s behind some sizable investments apparently by Chinese individuals in Toledo, Ohio. The article will run in super-short form in the magazine, but this version is more complete.
  • Foreign investment in China may get a bit simpler, reports the Wall Street Journal: “the China Securities Regulatory Commission said it would lower entry requirements and simplify the approval process for applicants under the Qualified Foreign Institutional Investors program, the primary program for foreign investors to enter China’s capital markets. It also will allow qualified foreign investors to hold more shares in domestically listed companies and enter the country’s interbank bond market.”

Daily Translation (another experiment)

  • Beijing has a new bike sharing system, but a long-time Beijing resident with an out-of-town ID has sued the company for discrimination. So far, only Beijing residents with new Beijing IDs can use the system. I translated part of a Caixin story for fun. If you read Chinese, just go read it.

Links: Net Filtering, Uncertain Green Beijing, and U.S.–China Business

I’ve been busy recently in Beijing and watching a lot of good stories go right by. You’ll forgive a Colorado native for using a baseball analogy: It’s time to make sure I don’t strike out looking. Here’s a quick summary of transpacific pitches I wish I’d had time to swing at.

    Greener Beijing?

  • Will Beijing’s air be ready for the Olympics? The Worldwatch Institute has a good summary of what’s being done, who’s doing it, and what the challenges are, from Yongfeng Feng, a journalist for China Guangming Daily.
  • Alex Pasternack picks up on a Christian Science Monitor story on the emergence of short-term bike rental service in Beijing. Perhaps the most interesting thing I learned here is that folding bikes, trendy here despite being a pain to ride, have been banned on the subway recently to prevent overcrowding. Razor scooter, anyone?

    Internet Filtering and Reactions

  • Blogspot is blocked, again. It came back online along with Flickr, which I have just noticed is also blocked. Firefox users in the P.R.C. can use “Access Flickr!” to get those photo feeds back working.
  • The U.S. House Committee on Foreign Affairs voted the Global Online Freedom Act (H.R. 275) out of committee. The law, according to Forbes.com, would “penalize U.S. companies up to $2 million if they cooperate with the technological surveillance of political dissidents or share technology and information used for ‘Internet-restricting’ purposes.”
  • Rebecca MacKinnon has smart commentary as usual on this issue. Go read what she writes, but here’s her bottom line:

    GOFA’s intentions are honorable in many ways. I think many of the people who support it certainly have honorable intentions. I know and respect many of them, despite having had some pretty heated arguments with some members of the human rights groups who say they support it for strategic reasons. But from where I sit in Hong Kong, this proposed legislation comes off as something that my Chinese friends who hate censorship and surveillance would find arrogant, patronizing, and interventionist, with the likely result that it would kill U.S. tech companies’ ability to do business in China in the first place – a result which by the way they don’t think would enhance their freedom.

  • Also from the House Foreign Affairs Committee, I haven’t mentioned yet that Chairman Tom Lantos is calling Yahoo’s Jerry Yang back to Congress under suspicion of misleading Congress in previous testimony. Go check with MacKinnon on this, too. She’s been on the story since a civil society group published a document that contradicted Yahoo’s statement that they did not know the nature of the investigation when they turned over information on reporter Shi Tao to Chinese authorities.
  • At Wired, a writer with firsthand experience being monitored on a reporting trip in China declares that the “Great Firewall” is futile. Maybe, but I had to enable Tor to get the full article to load. The article is a good read though for those interested in Oliver August’s experiences talking to Chinese dissidents.
  • Wikipedia’s Chinese-language service was crippled by the mainland’s block, reports Eva Woo at BusinessWeek.com.

    In other news…

  • From the Tokyo Auto Show, Michael J. Dunne, who works on China for J.D. Power and Associates, writing in the Detroit News, notes that the talk is about China, not Japan. My favorite is the writer’s casual contextual note about when his cohort got interested in China: “Fascination with the China market started when the Middle Kingdom first challenged Japan for sales leadership. Two years ago, Chinese bought 5.3 million vehicles, just shy of the 5.7 million cars and trucks sold in Japan.”
  • U.S. Trade Representative Susan Schwab said she sees protectionism in both countries as a threat to U.S.–China trade.
  • Relatedly, Andy Scott at China Briefing Blog ventures a coinage for China’s WTO practices: “Compliance With Chinese Characteristics.”
  • It’s not just the United States hosting the Dalai Lama. Japan’s doing it too.
  • The questionably hyphenated Trans-Pacific Express will for the first time link China and the United States with an undersea telecommunications cable.

Olympic Threats, Bush's China Crutch, North Korea, and the Environment (U.S.–China Links)

Olympic threats: really dumb. China: Bush’s diplomatic savior? The North Korea deal: not what the White House hoped. And China meets the U.S. Congress to plan for a post-Bush climate reality. Recent China–U.S. relations news.

  • Steve Clemons agrees with me (OK, he agrees with James Fallows, whom I agree with) that “Boycotting the Olympics today or trying to preempt China’s hosting the games as Perle suggested in 2001 are hollow threats that perpetuate the mistaken notion that America is in a serious position to isolate China.” Clemons’ post today on China and his comments in the item below are worth attention.
  • In a New York Times Week In Review piece today, Steven Lee Myers argues that George W. Bush is using China’s influence in Iran, North Korea, and Burma as a “diplomatic crutch”—that having spent much of his country’s international political capital, Bush is lucky to have China to turn to. Myers quotes U.S. Assistant Secretary of State Christopher Hill as saying “China has become the first stop for any American diplomacy.”
  • Not that the result in North Korea has been exactly what the Bush administration was hoping for, writes Richard Bernstein.
  • I’m a bit late posting this, but Der Spiegel reported a “secret” meeting between members of the U.S. Congress and Chinese National Development Reform Commission (NDRC) Deputy Chief Xie Zhenhua. The White House was reportedly left out of this meeting addressing post-Bush administration environmental policy. According to Spiegel:

    High-ranking sources close to the participants of the meeting between the Chinese delegation and Congress said the Chinese sought to find out how determined Congress is to push through rigorous climate protection laws in the future. During the discussion, members of Congress made clear that they would soon like to vote on legislation that would set binding emissions limits. However, the members of Congress said they didn’t provide the Chinese with a firm timeline for when this might happen.