• Testing, Testing, Testing. Conducting an independent analysis of the product will help identify an untrustworthy piece of equipment, but it is not a foolproof method. For a large government agency making a substantial purchase of computer equipment, the volume of products would take too long to audit individually and be cost prohibitive. Devices such as host-based security systems can be used to monitor for uncharacteristic behavior and ensure that the systems are working as they should. However, this would increase an organization’s cost, requiring additional personnel and technical resources to accomplish a task that is not guaranteed to catch suspicious behavior.

Figure 1. The potential countries of origin of the common suppliers for various components within a commercially available computer.

China – A Supply Chain Threat Case Study

China has been identified by the U.S. government as well as other foreign governments as an aggressive cyber espionage actor. According to an October 2011 report from the Office of the National Counterintelligence Executive, cyber espionage activity suspected of originating from China has targeted entities in the following sectors: diplomacy, aerospace, aviation, internet companies, information technology, and the military, to name a few. Linked to the global perception of the China cyber monolith is the belief that Chinese information and communication technology (ICT) companies – specifically Huawei and ZTE – support the Chinese government and use their accesses to create backdoors, steal data, or do whatever is asked of them by the government, escalating fear and increasing paranoia. The question is simple: do these companies pose a legitimate threat?

The House of Representatives Investigative Report

The Committee highlighted twelve national security threats posed by Huawei and five by ZTE. However, the majority of issues raised by the Committee addressed business practices, decisions, and operations. No compelling case was made for a “supply chain” threat; nor were there any global incidents or events presented to support the Committee’s contentions. Although a classified annex was attached to the report that allegedly bolstered the Committee’s claims, there was still no evidence linking Huawei or ZTE to espionage activities. It appears that the Committee began its investigation with a presumption of guilt, persecuting Huawei and ZTE on the grounds of what “could happen” rather than what did happen or was happening. The Committee’s concerns are highlighted below:

1.      China has the means to use telecommunications companies for malicious purposes.

The Committee made this judgment based on cyber espionage conducted by suspected Chinese actors, as well as the possibility of Chinese intelligence services exploiting the supply chain and using the accesses provided by Huawei and ZTE to insert malware into hardware/software components. The report fails to cite any specific examples of these companies supporting cyber espionage activity, or of implants found in equipment provided by either ICT vendor. Furthermore, the argument is hypothetical; any government can use its telecommunications companies for malicious purposes. Without an example to support this contention, the argument falls short.

2.      Huawei and ZTE failed to satisfactorily explain their relationships with the Chinese government and State Owned Enterprises.

The Committee based its judgments on the understanding that the Chinese government often provides financial backing to industries and companies of strategic importance. Huawei responded that the only connection to the Chinese government was that which is required by Chinese law, and denied any business relationship with Chinese national security organizations such as the Ministry of National Defense, the Ministry of State Security, and the Central Military Commission. The Committee’s objection on this point was that more information was not provided by Huawei officials. ZTE revealed that it is a publicly traded company on the Shenzhen stock exchange. Its largest stockholder, Zhongxingxin, at 30%, is owned in part by two state owned enterprises – an aerospace company and a microelectronics firm – but the majority of the company – 70% – was held by dispersed public shareholders. The Committee never indicated the amount of information that would have satisfied its request, only that it wasn’t satisfied.

3.      Huawei and ZTE admit that the Chinese Communist Party maintains a Party Committee within their companies but failed to explain what that Committee does.

Huawei was forthright in offering that the Chinese Communist Party (CCP) maintains a committee in the company, which is required by Chinese law, but that it had no relationship with Huawei’s business activities. In ZTE’s case, the company acknowledged this as well and provided a sworn affidavit from its independent director that refuted any undue influence by the government, military, or the CCP in ZTE operations. Again, the Committee did not like this answer, preferring to intimate, without providing any evidence of such activity, that relationships existed outside the business sphere and that CCP committees provided a shadow source of power and influence.

4.      Huawei’s corporate history suggests ties to the Chinese military.

The Committee pointed out that the founder of Huawei was – but is no longer – a director for the People’s Liberation Army (PLA) Information Engineering Academy, and associated with the Third Department of the PLA.  This is a weak argument as many former military, intelligence, and government officials leave their former positions to assume leadership positions in the private sector, especially in the United States.

5.      Huawei and ZTE refused to provide details on their R&D programs.

The Committee requested information on the technologies, equipment, or capabilities that the funding or grants by the Chinese were supporting. Huawei responded that it only bid on research and development (R&D) open to the rest of the industry, and that while it provided telecommunications products for the Chinese military, it did not provide special services to the Chinese military or Chinese security services. The Committee refuted this claim with a copy of an email from a former Huawei employee stating that Huawei provided special network services to an elite cyber warfare unit in the PLA. This claim was never substantiated and the credibility of this source was never offered up for debate. In ZTE’s case, the company acknowledged 30% ownership by Zhongxingxin, but did not offer enough details on products produced by Zhongxingxin’s subsidiary – an aerospace research institute. In this case, the Committee did not like the fact that it was not given access to the products produced by this institute so that it could evaluate those technologies for military or intelligence applications. This was an unfair request given that the research institute was not the company called into question, nor was it producing telecommunications equipment.

Was this a Fair Report?

From a national security standpoint, the report was not fair, as the Committee could not offer any proof or examples of espionage or even suspected espionage activity with Huawei or ZTE. That the majority of its concerns focused on potential business practices and quality of equipment intimates that national security concerns were used as a smokescreen to perhaps protect U.S. economic interests. The U.S. has several companies with U.S. government ties (such as Boeing, Motorola, and Oshkosh Corporation) operating in China without fear from the Chinese government or exclusion from the Chinese marketplace.

Further support for the imbalanced nature of the House report is seen in the October 2012 White House announcement that it had carried out its own review of security risks posed by Huawei and stated publicly that there was no clear evidence that Huawei had spied for the Chinese government. The most significant risks were the presence of vulnerabilities in Huawei’s equipment, a danger found in almost all information technology hardware and software devices and applications. While the company should be required to fix as many vulnerabilities as possible – as should any IT vendor selling technological solutions – sloppy equipment does not an espionage effort make. If so, then Microsoft would be singled out as the single greatest facilitator of espionage activity on the planet.