Page 1 of
3 US digs in for cyber warfare By Peter Lee
Recently the US House of Representatives
Intelligence Committee took a meat-ax to Huawei,
the Chinese telecommunications giant, and its
little brother ZTE in a 60-page report on
national-security issues posed by the two
companies.
The conclusion:
They're commies.
We can't trust 'em. Or, as the executive
summary put it:
The United States should view with
suspicion the continued penetration of the US
telecommunications market by Chinese
telecommunications companies.
[1]
Specifically, the committee
recommended that the government
not
purchase any Huawei or ZTE equipment.
The
committee rubbed further salt in the wound by
recommending that private companies not buy any
Huawei or ZTE telecommunications equipment either.
It also invited the legislative branch to
expand the jurisdiction of the Committee on
Foreign Investment in the United States (CFIUS) to
enable it to block procurement of Chinese
telecommunication equipment by US customers, in
addition to exercising its traditional powers of
blocking foreign investment deemed harmful to US
security. CFIUS had previously blocked Huawei's
participation in a deal to take 3Com private -
which was brokered by Mitt Romney's Bain Capital -
and recently denied Huawei's attempt to buy 3Leaf,
a California cloud computing company.
Certainly not the clean bill of health
that Huawei was hoping for when it invited the US
government to investigate its operations.
It is clear that the Chinese companies
were given the Saddam Hussein treatment. Just as
the Iraqi despot was put in the impossible
position of proving a negative - that he did not
have any weapons of mass destruction - Huawei and
ZTE executives were called upon to prove their
companies were not untrustworthy.
Mission
unaccomplished, for sure.
The public
committee report is little more than a litany of
complaints about unclear answers, insufficient
disclosure, inadequate clarification, failure to
alleviate concerns, making non-credible
assertions, failure to document assertions,
failure to answer key questions, refusal to be
transparent, and so on and so forth. Huawei, in
particular, was dinged for "a lack of cooperation
shown throughout this investigation".
The
committee's conclusion:
Throughout the months-long
investigation, both Huawei and ZTE sought to
describe, in different terms, why neither
company is a threat to US national-security
interests. Unfortunately, neither ZTE nor Huawei
[has] cooperated fully with the investigation,
and both companies have failed to provide
documents or other evidence that would
substantiate their claims or lend support for
their narratives.
To drive a stake
into the heart of any dreams that Huawei or ZTE
had of providing "mitigation assurances" -
bureaucratese for acceptable measures to allay US
security concerns - the committee made the
interesting decision to dump all over the British
government.
Keen on Chinese investment in
its backbone telecommunications networks, the
British government accepted the reassurance
provided by a cyber-security center, funded by
Huawei and staffed by UK citizens with security
clearances, with the job of vetting Huawei
products for hinky bits.
The US
intelligence committee dismissed these efforts as
futile given the complex, opaque and frequently
updated character of telecommunications software:
The task of finding and eliminating
every significant vulnerability from a complex
product is monumental. If we also consider flaws
intentionally inserted by a determined and
clever insider, the task becomes virtually
impossible.
In terms of specific
evidence of Huawei and ZTE malfeasance, there is
little meat on the bones of the public document.
On the technical side, the evidence
supporting Huawei and ZTE infiltration of the US
telecommunications software presented in the
public report was less than earth-shaking:
Companies around the United States
have experienced odd or alerting incidents using
Huawei or ZTE equipment. Officials with these
companies, however, often expressed concern that
publicly acknowledging these incidents would be
detrimental to their internal investigations and
attribution efforts, undermine their ongoing
efforts to defend their systems, and also put at
risk their ongoing contracts.
Similarly,
statements by former or current employees
describing flaws in the Huawei or ZTE equipment
and other potentially unethical or illegal
behavior by Huawei officials were hindered by
employees' fears of retribution or
retaliation.
Presumably, the
confidential annex to the committee report makes a
more compelling case, but one has to wonder.
According to The Economist:
Years of intense scrutiny by experts
have not produced conclusive public evidence of
deliberate skulduggery, as opposed to mistakes,
in Huawei's wares. BT, a British telecoms
company that buys products vetted in [the
cyber-security center at] Banbury, says it has
not had any security issues with them (though it
rechecks everything itself, just to be sure).
[2]
In a sign that no existential
smoking cyber-guns had been revealed, the worst
punishment for Huawei's lack of cooperation that
the committee could apparently mete out (other
than trying to destroy Huawei's US business) was
threatening to forward information to the Justice
Department concerning possible corporate
malfeasance in the routine areas of immigration
violations, fraud and bribery, discrimination, and
use of pirated software by Huawei in its US
operations.
It can be taken as a given
that the People's Republic of China (PRC) is
intensely interested in cyber-espionage -
diplomatic, military, and commercial - against the
United States and cyber-warfare against US
government, security, and public infrastructure if
and when the need arises.
However, the
case that Huawei is a knowing or even a necessary
participant in these nefarious schemes is
unproved.
Nevertheless, Huawei's attempts
to generate a clean bill of health for itself with
Western critics are pretty much futile.
That's because government weaponization of
communications technology is a given - for
everybody, in the West as well as in China.
Beneath the freedom-of-information
rhetoric, the West is converging with the East and
South when it comes to protecting, monitoring and
controlling its networks.
In the United
States, providing government law enforcement with
back-door access to networks, aka "lawful
intercept", is a legal requirement for digital
telecom, broadband Internet, and voice-over-IP
service and equipment providers under the CALEA
(Communications Assistance to Law Enforcement Act)
law. The Federal Bureau of Investigation (FBI) is
currently lobbying the US administration and the
Federal Communications Commission to require that
social-media providers such as Facebook provide
similar access so that chats and instant messaging
can also be monitored in real time or extracted
from digital storage.
In Europe, similar
law-enforcement access is institutionalized under
the standards of the European Telecommunications
Standards Institute.
Particularly in the
environment after the attacks of September 11,
2001, law enforcement has expressed anxiety about
"going dark" - losing the ability to detect and
monitor communications by bad actors as data and
telecommunications moved from fixed-wire analog
systems to digital, wireless, and band-hopping
protocols.
The situation is aggravated by
the availability of theoretically unbreakable
public/private key 128-bit encryption.
(I
say "theoretically", by the way, because creation
of the private key relies on a random-number
generator on the encrypting computer. A recent
study found that some programs were spitting out
non-random random numbers, raising the possibility
that a certain spook agency of a certain
government had been able to diddle with the
programs to generate certain numbers
preferentially, giving said spook agency a leg up
to crack the private keys through otherwise
ineffective brute-force computing techniques.)
[3]
Head
Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East,
Central, Hong Kong Thailand Bureau:
11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110
