Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Why the United States Is So Afraid of Huawei

The threat may be theoretical—but compromised telecom equipment could quickly cripple a nation’s civilian and military infrastructure.

A Congressional report yesterday warned that Chinese telecommunications companies Huawei and ZTE pose a “threat to U.S. national security interests” and could sell companies equipment rigged to give the Chinese government control over American communications networks.

The report (PDF), issued by the House of Representatives Intelligence Committee, cites no direct evidence that either Huawei or ZTE has acted to compromise the security of any of its clients. However, experts say the possibility is real that surveillance technology could be built into the routers and switches that underlie the Internet and wireless communications systems—and this could be difficult to detect.

Huawei and ZTE’s primary business is selling high-end computer networking switches and other equipment used by cell phone carriers, Internet service providers, and other companies to run communications networks.

“A switch sees all the traffic that passes,” says Fred Schneider, a professor at Cornell University who works on cyber security and policy. This digital data could be anything from phone calls to Internet traffic. “If you control the switch, you could set it up so that any time it handles data, it makes a copy and sends it someplace else, or you could change the data while en route—a yes to a no.”

A back door installed in networking hardware could be very difficult to detect, says Schneider. “If you siphon off lots [of data], then someone who was looking would notice,” he says. But “if it’s a small scale, it would be pretty hard to tell.” That’s because part of the Internet is designed to be fault-tolerant and allow the occasional piece of data to go missing. “It would be hard to distinguish between drops and retries and something nefarious,” says Schneider.

A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful “if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops,” Schneider says.

Schneider says many of the companies that buy the kind of equipment sold by Huawei lack the resources to exhaustively check every aspect of a device’s design or software for potential back doors. The use of strong end-to-end encryption could help prevent eavesdropping, but nontechnical defenses—such as buying from trusted suppliers or sourcing equipment from multiple vendors to reduce the consequences if one piece of equipment proves untrustworthy—could also be crucial, he says.

This week’s report is not the first time that a government has noted Huawei’s potential as a vector for Chinese espionage. In 2011, the U.S. Commerce Department blocked the company from bidding to build a new wireless network for first responders; in March 2012, the Australian government barred Huawei from bidding for contracts to create part of its new National Broadband Network.

“The telcos are very worried about this,” says Dmitri Alperovitch, a cofounder and CTO of Crowdstrike, a security startup that’s working on ways for companies to protect against cyber attacks and identify the perpetrators. However, Huawei’s prices are so low that any company that wants to remain competitive has to bear its products in mind. “Huawei is pretty much on par with the western manufacturers from a feature-set perspective, but much cheaper,” Alperovitch says. This week’s report reiterates that trade-off, but it does not lay down a hard and fast rule against U.S. companies doing business with Huawei.

Alperovitch says China is known to be interested in carrying out electronic espionage against other governments and companies, and is a major backer of espionage software spread by e-mail and the Web. “The Chinese are the most pervasive actors in terms of cyber espionage,” he says.

This track record, together with the fact that Huawei has refused to explain its relationship with the Chinese government or the role of a Communist Party committee inside the company, means that it’s fair to wonder if Huawei’s products will remain safe, Alperovitch says. “The question is, if the Chinese government comes to Huawei and says would you put this code in your router, would Huawei do it?” he says.

In a statement released yesterday, Huawei said the intelligence committee report “failed to provide clear information or evidence to substantiate the legitimacy of the Committee’s concerns,” and also said that committee members had been given access to the company’s research and manufacturing facilities, as well as extensive documentation. Company executives have previously said in testimony to the committee that Huawei makes about 70 percent of its $32 billion in annual revenue outside China, suggesting that it has little incentive to anger foreign governments.

Both Schneider and Alperovitch note that although this week’s report singles out Huawei, the globalization of supply chains raises wider security concerns about products from many technology companies. Even if equipment is made in the U.S., for example, it almost certainly contains components and chips made by other companies in other countries.

“There is a broader concern about supply chain,” says Alperovitch. “Who knows what’s being put into your product at the factory?”

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.