Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
US Intensifies Pressure on Allies to Avoid Huawei, ZTE
Secretary of State Pompeo Tours Europe to Discuss Countering China, RussiaThe Trump administration is leading a broadside against Chinese telecommunications giants Huawei and ZTE. But concerns that Chinese networking gear could be used as backdoors for facilitating state-sponsored surveillance or disrupting critical infrastructure are not limited to America. Multiple countries have banned Chinese equipment from their 5G rollouts or government networks, and more countries are weighing whether they should do so.
See Also: Gartner Guide for Digital Forensics and Incident Response
U.S. diplomats have already been meeting European leaders in Brussels, warning them that using Huawei or ZTE would pose a risk to their critical infrastructure, militaries and national security.
"We are saying you need to be very, very cautious, and we are urging folks not to rush ahead and sign contracts with untrusted suppliers from countries like China," an unnamed U.S. official told Reuters last week.
This week, U.S. Secretary of State Mike Pompeo is visiting Hungary, Slovakia and Poland. The State Department has signaled that Huawei and ZTE will feature in the discussions as Pompeo advocates working together to "counter Russian and Chinese influence."
Poland has already signaled that it plans to block Huawei from its 5G rollout.
Last month, officials in Poland arrested a Chinese employee of Huawei as well as a Polish security official on spying charges. In response, Huawei has offered to build a cybersecurity center in Poland, Reuters reported.
Five Eyes' Response
Australia and New Zealand have blocked Huawei and ZTE from networking projects or 5G rollout plans. Both are members of the "Five Eyes" intelligence alliance, together with the U.S., Canada and the U.K.
Last August, a U.S. bill signed into law by President Donald Trump as part of the Defense Authorization Act banned the U.S. government from using Huawei and ZTE equipment. The bill is due to take full effect over the next two years.
President Trump is now reportedly weighing using emergency powers to completely ban Huawei and ZTE from all U.S. telecommunications networks (see: Report: Trump Weighs Executive Order Banning Huawei, ZTE).
The White House has been upping its pressure on Huawei in particular. In late January, the U.S. Justice Department unsealed two indictments against Huawei, charging it with bypassing U.S. sanctions that prohibit sales to North Korea and Iran as well as economic espionage.
Huawei continues to deny that it ever has or ever would aid any country's intelligence establishment.
But the charges show the U.S. is continuing to accuse Chinese firms, including Huawei, of systemically stealing intellectual property via online hack attacks and espionage.
"These charges lay bare Huawei's blatant disregard for the laws of our country and standard global business practices," said FBI Director Christopher Wray. "Companies like Huawei pose a dual threat to both our economic and national security, and the magnitude of these charges make clear just how seriously the FBI takes this threat."
Many Countries Undecided
Canada remains undecided about using Chinese-built equipment in critical networks. Last month, a Canadian official told Reuters that a decision on whether to allow Huawei and ZTE equipment to be used as part of the nation's 5G networks remains "some ways off into the future yet."
Many European countries have said they are seeking consensus on whether Huawei and ZTE should be allowed or banned. During a visit last week to Japan, German Chancellor Angela Merkel said her country would require guarantees from Huawei that it would not steal data as a precondition of using the equipment, Reuters reported.
But in December 2018, the Czech Republic's National Cyber and Information Security Agency warned that Huawei and ZTE software and hardware posed a security threat. Such warnings trigger legal requirements. The Czech Republic is part of the EU as well as NATO.
"A warning means that system administrators in the critical information infrastructure, important information systems or essential service providers are obliged to acknowledge the threat and issue adequate measures," said Dusan Navratil, director of NCISA. "We do not differentiate between state-owned or privately owned systems. Our criterion is whether or not the intrusion of a specific system would have an impact on the functioning of the Czech Republic as a sovereign state."
Already, the Czech Republic's tax authority blocked Huawei from being considered to supply technology for a new tax portal, and the government has signaled that it may fully block Huawei and ZTE from government contracts.
In response, Huawei has threatened to sue.
Many other countries remain on the fence. Last year, India's Department of Telecommunications excluded Huawei and ZTE from its list of companies asked to participate in 5G trials. But many security experts, noting the lack of domestic alternatives, the long-term relationships that Chinese manufacturers have fostered with Indian firms and the affordability of Chinese wares, expect the Indian government to revise its opinion (see: Will Huawei Play a Key Role in 5G Network Development?).
UK Demands Improvements
The U.K. has not officially banned Huawei. But Alex Younger, the head of MI6, Britain's foreign intelligence service, said in a speech delivered last December in St. Andrews, Scotland, that serious questions have yet to be answered.
"We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a quite definite position," Younger said in a response to an audience question about 5G, the BBC reported. "We need to have a conversation. It's not wholly straightforward."
In December 2018, British telecommunications giant BT announced that it will not use Huawei as part of its 5G network. BT says it is removing Huawei equipment from its 3G and 4G networks as well.
'A Difficult Balance'
The choice of whether to exclude Chinese manufacturers is not an easy one to make, especially when attempting to balance espionage and surveillance concerns with innovation and other business imperatives.
"The U.K., like much of the west, struggles to know whether to see China as threat or opportunity," Robert Hannigan, former director of the British intelligence agency GCHQ and now European chairman of the cybersecurity company BlueVoyant, told the Guardian (see: Cybercrime Groups and Nation-State Attackers Blur Together).
"It's a difficult balance," Hannigan said. "My view is that we want the benefits of Chinese technology and inward investment, and we should find ways of managing the risks, pushing back where necessary."
In the U.K., Huawei's operations are monitored by the Huawei Cyber Security Evaluation Center, run by GCHQ. The government launched the center in 2010, which according to the Guardian is "staffed by 35 heavily vetted analysts."
In July 2018, they issued a report warning of serious concerns with Huawei's technology and engineering processes.
"Huawei's processes continue to fall short of industry good practice and make it difficult to provide long-term assurance," they said.
MP Norman Lamb, a Liberal Democrat who chairs the House of Commons science and technology committee, asked Huawei (PDF) how it planned to respond.
In response, Huawei defended itself against suggestions that it was a tool of Chinese state espionage agencies. It also pledged to spend $2 billion to improve its processes.
But in a letter to Lamb last month, the president of Huawei's carrier business group, Ryan Ding, warned that such efforts might take three to five years to come to fruition and said it would be "like replacing components on a high-speed train in motion."
'Trust But Verify' Has Limits
Alan Woodward, a visiting professor of computer science at the U.K.'s University of Surrey, last October told a Parliament joint committee that the country would do itself a disserve by restricting itself to only U.K. companies with U.K.-vetted supply lines.
"There is a spectrum, from 'implicitly trust, come what may' to 'implicitly distrust,' as some of our colleagues in the United States and Australia have said of 5G networks," he testified before the Joint Committee on the National Security Strategy. "I think there is a third way, which is 'trust but verify.' That is the approach we have taken so far in the U.K. For example, when Huawei was supplying the 21st century network, an evaluation cell was set up with vetted people from the government who were able to look at the devices, etc."
Woodward warned that "trust but verify" requires having complete visibility into every aspect of equipment design, production and delivery.
Yet GCHQ's Huawei Cyber Security Evaluation Center found that Huawei was not able to provide required verification for each process.
"As I understand it, Huawei was not able to guarantee, and did not have a process in place to show, that what was coming off the production line and going into the networks was what had been evaluated, which drives a bit of a coach and horses through the evaluation process," Woodward testified.