Heat without Light
Tuesday, November 27, 2012
It was just a year ago that I completed a study for the American Enterprise Institute on the Chinese telecommunications company Huawei and its efforts to crack the U.S. market. The report chronicled a number of actions by the U.S. government, both public and behind the scenes, to thwart Huawei. At the time, I took note of two investigations that were about to be launched: one by the House Intelligence Committee and one by a White House task force. Early in October, the preliminary findings of the House investigation were published. And on October 18, a Reuters team, headed by reporter Joseph Menn, broke a story on the unpublished findings of the White House probe — which was actually started in 2010 and completed early in 2012, but kept under wraps. What follows is my own analysis of the implications and significance of the two reports, and a review of my own recommendations from last year.
On October 8, two members of the House Intelligence Committee, Chairman Mike Rogers (R-Michigan) and Representative Dutch Ruppersberger (D-Maryland), issued a scathing 52-page report on the activities of two Chinese telecommunications companies, Huawei and its sister firm, ZTE. The report describes the two firms as a threat to U.S. national security, calls for a ban on investments by the two companies in the United States, and advises private companies to find other partners if they care about the national security of the United States. Parts of the document had been leaked a few days earlier to provide background for an alarmist CBS “60 Minutes” report on October 7. (The preliminary report will be followed later by a full version, and sources familiar with the committee process claim that the preliminary document was hurried out to meet the “60 Minutes” schedule and gain nationwide publicity.)
Given the draconian recommendations, the glaring problem with the House report is the lack of supporting evidence in the 50-odd pages. This led The Economist to state, bitingly, that it “appears to have been written for vegetarians. At least, there is not much meat in it.” Though the document refers vaguely to classified information that raises additional “concerns,” it fails to provide evidence that Huawei has spied for China or spiked its equipment with so-called Trojan horses or malware.
At this point, we are into a kind of ‘cloud cuckoo land’ of overreaching extra-territorial dictates.
Instead, much of the report veers off into interesting but largely irrelevant details. A number of pages are devoted to Huawei’s internal operations and opaque corporate decision-making structure. Other pages cover allegations of intellectual property theft by the company and potentially illegal subsidies provided by state-owned banks. Then there is a section complaining that the company did not provide adequate information about a 1999 tax fraud investigation by the Chinese government. In a strange and unconvincing leap, the report argues that because the committee did not receive enough internal documents about Huawei’s use of Western consulting firms such as IBM, Pricewaterhouse Coopers, and Accenture, claims that Huawei profited from these relationships and that they contributed to its worldwide success are not credible — and demonstrate that the real key to the company’s rise was “support by the Chinese government.”
A running theme throughout the House committee’s findings is that Huawei and ZTE were “obstructionist” and refused to cooperate with the committee’s requests for information and important documents. Huawei has strenuously denied these charges. Setting aside the particulars of the present fracas, the back and forth is not untypical of many congressional investigations — both of the U.S. executive branch and of private corporations. It is hard for an outside observer to know when “enough is enough” without combing through the hundreds of pages of documentation and obtaining access (if they exist) to transcripts. What the committee report itself notes is that committee staff visited Huawei headquarters in February 2012 and extensively interviewed top company officials. In May 2012, four House Intelligence committee members (including Ruppersberger) traveled to Hong Kong to meet with top Huawei executives, as well as the notoriously reclusive founder and president of Huawei, Ren Zhengfei. It supplemented these direct interviews with substantial documentary requests, some valid (the role of the Communist party committee housed within the corporation) and some that any company would have resisted (confidential terms with U.S. consulting firms, and pricing information for its sales in the United States). And finally, both Huawei and ZTE testified and answered questions at a September committee hearing. The bottom line: for the most part, as I will spell out below, whatever Huawei’s alleged obduracy, the testimony and the documents requested are not central to the gravamen of the committee’s conclusions regarding the danger to U.S. national security.
Turning to the specific issues of national security, the report is skeptical of Huawei’s efforts to introduce third-party security evaluations to build trust for its products. In Britain, with the blessing of the Cameron government, the company has established a facility, the Cyber Security Evaluation Centre (CSEC), where security-cleared staff (some former British intelligence engineers) vet both the hardware and software supplied to British companies, most particularly British Telecom. While this solution has produced some misgivings in the British intelligence community, the British government has steadfastly defended the program.
Huawei and ZTE have proposed the same approach in the United States, teaming up with companies specializing in cybersecurity defenses such as Electronic Warfare Associates and others. The House investigators acknowledge this option and that the U.K. government has confidence in its own precautions. Without explaining why, they state that “it is not clear yet, however, that such steps would readily transfer to the U.S.”
The fear is that the Chinese government at some point in the future could intervene and force the Chinese companies to introduce backdoors or malware, and the companies would have no recourse but to comply.
The House Intelligence report must also be viewed in light of the Reuters team’s analysis of the findings of an 18-month White House task force cybersecurity probe that focused directly on Huawei. The headline: “White House Review Finds No Evidence of Spying by Huawei.” According to the Reuters article — the main details of which have not been disputed by the administration — the White House enlisted U.S. intelligence agencies and other departments in delving into suspicious activity. These investigators asked detailed questions of almost 1,000 telecoms equipment buyers, and one of them told Reuters: “‘we knew certain parts of government really wanted’ evidence of active spying.... ‘We would have found it if it were there.’” This was a much more comprehensive effort than the congressional staff could mount, though it must be assumed that at least some of the administration’s conclusions were shared privately with the Intelligence Committee.
Despite the exculpatory headline, Huawei did not emerge unscathed in the Reuters report. Even without a “smoking gun,” Reuters reported that many government intelligence officials and contractors believed that Huawei equipment did pose security risks. Outside contractors and security company executives pointed to poor software programming that exposed the equipment to outside hacking; the more conspiracy-minded opined that this sloppiness might be deliberate. Huawei denies that backdoors in its equipment exist now or in the past, and points to its proposals for ongoing third-party security scrub-downs and offers to provide its software codes (in Australia) as evidence that it is serious about achieving trust in its products.
It should also be noted that specific current instances of suspicious activity related to Huawei equipment cited to Reuters by House Intelligence Committee staff both turned out to be “false positives.” When Reuters quizzed the named companies — Cricket networks in San Antonio and Leap Wireless International, Inc. — both denied security problems with Huawei equipment. Cricket stated that there was no evidence that network glitches “were the result of malicious activity on the part of Huawei.”
Though the charges concerning specific instances of technological spying lack substance, critics’ real fears and apprehensions lie deeper. They are summed up in other statements in the House report and by Reps. Rogers and Ruppersberger. First: “China has the means, opportunity, and motive to use telecommunications companies for malicious purposes.” The fear is that the Chinese government at some point in the future could intervene and force the Chinese companies to introduce backdoors or malware, and the companies would have no recourse but to comply. This danger is tied to a second: “the endless, porous telecoms supply chain,” of which I wrote last year. Multiple points of entry exist for a determined foe: chips, routers, switches, hubs, applications software and network control devices, iPhones, Bluetooth, and beyond.
Though there is no evidence that the Chinese government has utilized Huawei as a conduit for spying, given the opacity of government-business relations and continuing instances of authoritarian arbitrariness in the Chinese economy and society, such a fear cannot be dismissed outright. The most important economic argument against such intervention is that, given the dangers and likelihood of ultimate discovery, such a move could be economic suicide for Huawei (and ZTE). Discovery of even one major backdoor trap or any malicious software would almost certainly result in the wholesale cancellation of existing and future contracts in the numerous national systems where Huawei equipment has attained a strong or dominant position. Huawei now competes with Sweden’s Ericsson as the number one provider of structural telecoms equipment in world markets. Would China risk destroying its most significant successful international brand?
Huawei points to its proposals for ongoing third-party security scrub-downs and offers to provide its software codes as evidence that it is serious about achieving trust in its products.
Still, under duress, governments can take wild, even stupid, chances. There are, however, other reasons one should be cautious before assuming that Beijing would jeopardize its own highly successful telecoms. The technological realities inherent in the endless, porous telecoms supply chain loom large here. Every major telecoms equipment provider manufactures components, parts, and finished products in mainland China: Ericsson, Alcatel-Lucent Shanghai Bell, Nokia Siemens Networks, and Cisco. Relevant here is a key point made by the House Intelligence Committee: that even if companies — including Huawei, ZTE, and foreign-owned firms such as those named above — refused to cooperate with spying demands of the Chinese government, “Chinese intelligence services need only recruit working-level technicians or managers in these companies," as "opportunities to tamper with telecommunications components and systems are present throughout product development.” This basic fact cuts both ways. Huawei and ZTE are obvious candidates for subversion. But if the Chinese government wants to penetrate U.S. networks, the equally vulnerable non-Chinese telecoms companies would seem a more tempting choice — not least because these companies already have contracts for a large share of the U.S. network infrastructure.
Here the House committee members hint at a disturbing future course when they note that after Huawei and ZTE, they will review the dangers related to telecoms companies who manufacture infrastructure parts and components in mainland China. According to the logic of the House committee report, the U.S. government could well extend its scrutiny and ultimately veto any equipment with this provenance. At this point, we are into a kind of “cloud cuckoo land” of overreaching extra-territorial dictates.
In defending its skepticism regarding independent, third-party security evaluations, the House committee argues that such a course would produce a false security, “a sense of security but not actual security.” The reverse is also very possible: by excluding Huawei and ZTE, the U.S. government might assume that the gravest threat to cybersecurity had been thwarted.
In conclusion, I would put forward the following observations, based on my own 2011 report and subsequent decisions and events.
First, on the best cybersecurity approach for the United States, the point made by Center for Strategic and International Studies security analyst James Lewis last year remains valid: “we are going to have to think of new defensive strategies that tolerate the fact that the enemy is inside the wire.” So yes, we can exclude Chinese companies from providing any element of the telecoms backbone, but we are not likely to be any more secure from a determined foreign power — China or otherwise — penetrating our outer network defenses.
The House report fails to provide evidence that Huawei has spied for China or spiked its equipment with so-called Trojan horses or malware.
Second, Huawei and ZTE are really pawns in a larger struggle between the United States and China to achieve maximum security without disrupting burgeoning economic, trade, and investment relations. While the U.S. government is not blameless — traducing its own principles through ex parte, behind-the-scenes blocking actions — Beijing has the greater fault and responsibility. As I noted last year, China, fearful that the United States is far ahead in the cybersecurity field, has dragged its heels on international standards and solutions — and on taking any responsibility for thousands of cyberattacks that clearly emanate from the mainland, even if not from the government itself. Lack of action by Beijing may well doom efforts by Chinese telecoms companies to penetrate U.S. markets, possibly with spillover effects among U.S. allies (as we have already witnessed in Australia).
Third, for its part, the Obama administration should resist congressional and interest group efforts to expand our security review process (the CFIUS process) to contracts and joint ventures with Chinese or other foreign multinationals. This expansion would almost certainly hopelessly politicize a wide swath of economic activity and lead to retaliation by other nations. Indeed, tit-for-tat retaliation by Beijing may already have begun: the Financial Times has reported that Cisco’s sales growth in China has “collapsed,” since the company has been identified as a “source” for the House Intelligence Committee report.
Fourth, despite the flaws in the House committee report, Huawei would be well advised to take to heart the non-security analysis and charges: the still-obscure company organization and decision-making process and the existence of huge, public credit subsidies for international contracts. As I recommended last year, listing on a U.S. or EU stock exchange, while not a panacea, would help clear up many mysteries and misconceptions about Huawei internal operations. Huawei has already announced that it will forego deep credit subsidies for future contracts. It should now publicly be in the forefront of pressing Beijing to make a government commitment to the same rules. And not least, the company must provide a clear, precise explanation of the role of the Chinese Communist party committee housed in its corporate structure. Apparently, such committees are common — even mandated by law — for all domestic and foreign companies operating in China. Huawei has stated that the committee has no role in corporate operations: well, then, what does it do?
Fifth, and finally, the Obama administration owes it to the American people to make public the results of its extensive 18-month investigation of Huawei. The White House response to the Reuters report was a carefully worded evasion, stating merely that no classified inquiry had resulted in “clearing any telecom equipment supplier.” But having utilized the entire U.S. intelligence apparatus, and having publicly (if belatedly) proclaimed that it was conducting such a probe, it is incumbent upon President Obama’s administration to clear up the uncertainties. As I wrote earlier: “if these are bad guys, say so. If not, butt out.”
Claude Barfield is a resident scholar at the American Enterprise Institute.
FURTHER READING: Barfield also writes “‘What to Do about Huawei?’” “Telecoms and the Huawei Conundrum,” and “The First Carbon Trade War?” Lara Crouch asks “Is the China Threat Overhyped?” Michael Mazza contributes “I Spy? Not Anymore.” Danielle Pletka discusses “Five Major Threats to the U.S., Our Allies, and Our Interests.”
Claude Barfield, “Telecoms and the Huawei Conundrum: Chinese Foreign Direct Investment in the United States,” AEI Economic Studies, November 2011, AEI, Washington, D.C. http://www.aei.org/files/2011/12/28/-telecoms-and-the-huawei-conundrum-chinese-foreign-direct-investment-in-the-united-states_103528582558.pdf
U.S. House of Representatives, “Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE,” report by Chairman Mike Rogers and Ranking Member C.A. Dutch Ruppersberger of the Permanent Select Committee on Intelligence, U.S. House of Representatives, 112th Congress, October 8, 2012. http://intelligence.house.gov/sites/intelligence.house.gov/files/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
Joseph Menn, et al., “White House Review Finds No Evidence of Spying by Huawei — Sources,” Reuters, October 17, 2012. http://www.reuters.com/article/2012/10/17/us-huawei-spying-idUSBRE89G1Q920121017
“Huawei and ZTE: Put on Hold: Two Big Chinese Companies Come under Fire in America,” The Economist, October 13, 2012. http://www.economist.com/node/21564585
Image by Dianna Ingram / Bergman Group