Huawei and the Fear of the Unknown


That guy on the left, he’s Ren Zhengfei, founder & CEO of Huawei. In the middle, someone who fits the stereotype of a Chinese hacker in a net cafe, but probably isn’t. The bloke on the right, NRL player Sandor Earl who had a Huawei logo tattooed on his leg. Proper tattooed, none of that henna crap. These three images exemplify Huawei. A very successful businessman, the lurking security threats that hold it back and its weird attempts to fit in with the west.

Imagine you are a world leader in your field, supplying your products at a competitive price all over the world. The marketplace can’t get enough of your gear, business is growing rapidly and you’re becoming the largest player in the sector. But the governments of the west shun you for public sector contracts. They say your products are a threat to national security, yet do not provide any proof of incidents related to your company. You spend billions setting up R&D centres in their countries and meet their politicians who happily talk about job creation and further strengthening Chinese relations, but they still allege you’re spying on them.

This is the bizarre situation Huawei—one of the world’s largest telecommunication equipment suppliers, with revenue close to US$30bn—finds itself in.

Huawei (pronounced wahway) started in the mid 80s simply selling Hong Kong made PABX equipment into China. Wanting to do more than simply import someone else’s equipment, founder & CEO, Ren Zhengfei put Huawei onto a course of research and development that has seen it grow into a telecommunications infrastructure powerhouse. It competes with companies like Nokia Solutions and Networks, Ericsson, Alcatel-Lucent, Cisco and Juniper for enterprise and carrier grade network infrastructure. Huawei’s main area of dominance is in carrier network infrastructure. According to its 2012 annual report, Huawei has 500 carriers using its products and has deployed over 170 of its “SingleRAN” networks worldwide.


In Australia, Huawei has worked with organisations like Ambulance NSW, Federation Square in Melbourne and Telehealth Networks, predominately in video conferencing and core network equipment. RailCorp in NSW use Huawei for their radio communications system. Optus and Vodafone have extremely strong relationships with Huawei, which provides all the core radio and network infrastructure for their respective networks. TPG and Primus use Huawei infrastructure in their ADSL DSLAMs, and Huawei is also a large part of the networking needs of Powerlink, Queensland’s energy operator.

Most of us are probably familiar with Huawei’s USB and mi-fi modems, which Optus and Vodafone sell exclusively – even Telstra have begun selling Huawei 4G data devices. Huawei are the third largest seller of smartphones in the world, recently out-selling LG, albeit still far behind Apple and Samsung.

With a massive carrier business, together with the growing enterprise and consumer sectors, Huawei look set to be a huge part of the western technology landscape – and this is worrying a lot of people. Particularly the governments of the USA, UK and little ol’ us, Australia.

Why are these governments so concerned about Huawei? Aren’t we all friends with China anyways? Global economy and all that jazz.

Almost everything we buy is made in China anyway, so what’s the big deal?


Some people think it’s pure xenophobia. Other commentators, particularly in America, reckon it’s good old fashioned protectionism cradling local companies like Cisco and Qualcomm. Huawei’s company structure is secretive and leads to easy conspiracy theories. There are stories linking Huawei to the Chinese army and claiming that Huawei is just a tool of the Chinese government, operating reconnaissance on western governments and industries in order to advance a Chinese agenda. Even the former head of the CIA has stated that Huawei should be avoided at all costs.

There’s also the view amongst security professionals and networking experts that Huawei stuff just simply isn’t any good and should be avoided because it sucks. This talk from Felix ‘FX’ Lindner at the Hack in the Box security conference in 2012 is a good look at Huawei’s routing product security. Basically, Huawei has a long way to go on making a professional routing product, at least.

But there are two main “events” (I use inverted commas here because while they may be widely believed to be true, Huawei denies it and there’s no public evidence) thrown around as legitimate attacks on Huawei: their blatant copying of Cisco intellectual property in 2003 and the systemic hacking of Nortel, which was a major contributor to Nortel’s sad demise.

Cisco decided to sue Huawei in 2003, alleging that significant copyright infringement took place. Huawei copied source code (even down to the same bugs as IOS), technical documentation from user manuals for use in their own products, and even the syntax, dialogs and help screens of the Cisco command line interface. Huawei initially denied everything, but later co-operated with Cisco to resolve the dispute out of court in 2004.

The terms of the agreement between the two were practically unknown until October 2012, when Huawei fired up Cisco by stating they did nothing wrong. The Cisco CEO took to his blog to “clarify” what happened, exposing parts of the agreement and outlining what Huawei copied from Cisco. Briefly put, the independent report said that Huawei cut and pasted Cisco code into their own products. How they got it, we don’t know.

Huawei’s involvement with Nortel, however, is a bit more insidious than the typical lax Chinese approach to copyright. Huawei, it is alleged, systematically hacked into Nortel’s systems, for years, and gleaned information about the company, products and research. Brian Shields, a long term employee at Nortel, points to this systemic hacking as one of the main reasons Nortel died. “When they see what your business plans are, that’s a huge advantage. It’s unfair business practices that really bring down a company of this size,” Shields said to CBC News. Whilst there were many, many other issues at Nortel at the time that led to its demise, your main competitor having access to your internal communications and databases can’t help.

Huawei has been on the front foot in most cases, denying everything, usually with a line like “Huawei has the highest respect for the intellectual property of others”. Whenever there is a controversy surrounding Huawei, hacking and a western company or government, Huawei denies absolutely. The most prominent example of this strident denial is in the form of an open letter by Huawei’s Deputy Chairman, Ken Hu, penned in Feb 2011. In this open letter, amongst denying any involvement with clandestine spying, sucking up to America and denying founder Ren Zhengfei’s current day PLA ties, Huawei asks (yes, asks) that the USA, if it is so concerned about Huawei, investigate it.

And investigate the US government did. The report, titled “Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE” was released in October 2012. It generally describes Huawei as uncooperative, which is odd for an investigation they themselves asked for and as such, the investigators brand Huawei as having something to hide. The head of the investigation, Mike Rogers summed up the report on the US version of 60 Minutes.

“If I were an American company today, and I’ll tell you this as the chairman of the House Permanent Select Committee on Intelligence, and you are looking at Huawei, I would find another vendor if you care about your intellectual property, if you care about your consumers’ privacy, and you care about the national security of the United States of America.”

After this report was published and the 60 Minutes story went to air, the Chinese Ambassador to the US said in an interview with CBC:

“If you really have the evidence, come [out] with it. If not… shut up”.

Huawei's CEO and founder, Mr. Ren, meets the Prime Minister, David Cameron at Number 10 Downing Street.  London - 11 September 2012

In the UK, a similar report was carried out by the Intelligence and Security Committee, published in June 2013 and titled “Foreign Involvement in the Critical National Infrastructure – The Implications for National Security”. The UK report differs from the US one, as it came about because British Telecom (their equivalent of Telstra) entered a massive deal with Huawei to supply all manner of networking and radio equipment. BT told the government, but the people responsible for that at the time didn’t think anything of it and let BT and Huawei carry on. But later on, something spooked the government about this Anglo-Sino relationship and hence, the report was born.

What the UK’s beef with Huawei is exactly, is still unclear from this report, but the fact that something could happen is reason enough for the government to want to have way more of a heads up next time something like this goes down. The report also launched another investigation into the Cyber Security Evaluation Centre – also known as “The Cell”. It’s a lab set up by Huawei, with Huawei’s money, in 2010, overseen by GCHQ (the UK equivalent of the NSA/DSD), that is to review all the hardware and software produced by Huawei for use in the UK to make sure it’s not full of backdoors or so poorly coded that nasty hackers can break in to the UK’s vital infrastructure.


In the report, the Cell was criticised for being totally staffed by Huawei employees and run by Huawei, which might just influence how honest the reporting out of the Cell actually is. Another parliamentary inquiry is going on at the moment into this matter. Meanwhile, Huawei is setting up a $215m R&D centre in the UK, further embedding them into the UK telco ecosystem, alongside their already strong involvements with BT, Everything Everywhere, O2 and TalkTalk – the UK’s largest telcos.

In Australia, Huawei have mostly gone on a PR offensive, attempting to embed themselves in the community via sponsorships and educational programs. Huawei enlisted the services of influential ex-politicians such as John Brumby (former Premier of Victoria) and Alexander Downer (former Foreign Minister of Australia) to serve on the board. The CEO of Huawei Australia, John Lord, is a former Rear Admiral of the Australian Navy.


The 2012 Huawei Australia annual report is full of glossy pictures of Huawei at trade expos, the cool things they sponsor like a Coldplay concert, some cycling race for charity, Macquarie University scholarships, all the neato awards they’ve won and their sponsorship of the Canberra Raiders NRL team – with notoriously media shy chairman & founder Ren Zhengfei wearing a Canberra Raiders cap.

Despite all this integration, investigation and investment in the areas they’re challenged in, Huawei is blacklisted and put through hurdles its competitors are not.

A huge merger between US telco Sprint and Japanese telco Softbank was approved by the US government on the condition that Huawei equipment was removed and not used in the future. This could potentially cost the company up to a billion dollars, spent to appease government wishes for little to no technical improvement to the entity’s infrastructure in the USA.

Canada has enacted a law that will allow it to veto Huawei’s participation in future telco builds. India has banned Huawei and ZTE from rolling out their equivalent of the NBN too. The UK, as explained earlier, mandates that Huawei (and only Huawei, not Alcatel or Cisco for example) equipment is subject to testing at the Huawei run & funded Cyber Security Evaluation Centre.

In Australia, Attorney-General George Brandis has been reiterating that Huawei is still not in the running to assist in the construction of the National Broadband Network, which was apparently news to Huawei, who still hold hope that the NBN strategic review will suggest they take part in a tender. This decision has come under fire for its lack of transparency, with no reasons given besides advice from ASIO, which hasn’t been made public.

The downside of this decision for Australia’s NBN is a less competitive tender process, even if the NBN leadership says otherwise. When Huawei is involved with a tender, the other players tend to reduce their price in order to compete, which, even if Huawei doesn’t win the tender, results in a better outcome for governments and hence, taxpayers.

Ironically, the shoe has also been on the other foot lately, with Cisco, the biggest competitor to Huawei, now facing the same difficulty in China as Huawei faces in America, thanks to its involvement with the US government’s mass surveillance via the NSA.


Whilst there are multitudes of serious incidents with strong evidence of the PLA hacking into western interests, there’s little to no evidence of it relating back to Huawei directly. Whether this is true or not is unknown, as Huawei hasn’t provided evidence to prove otherwise. The most definitive statement from Huawei is via a Cyber Security White Paper published in October 2013, which outlines Huawei’s thoughts on security. The gist of the 50 page document is that Huawei has never been asked to or been involved with state sponsored hacking and that the problems faced by governments and enterprise in regards to computer security are best tackled by the industry and better standards.

The US & UK government reports into Huawei and ZTE are particularly damning, but overall, don’t go into specific things Huawei has done. The US government in particular relies on a lack of co-operation from Huawei to prove that their suspicions are true, rather than putting forward events that they have proof of Huawei’s involvement in.

It is naive to think that Huawei isn’t involved with state sponsored surveillance of the west.

If Cisco is involved with the NSA to spy on American allies, surely, the Chinese government is doing the same with Huawei? Maybe China needs an Edward Snowden to bring to light what really goes on within the complex relationship between Huawei and the Chinese authorities.

Western governments have been unwilling to release any evidence relating to hacking directly enabled by Huawei equipment, and private enterprise has no intention to stop purchasing Huawei gear, so this puts Huawei, and the public, in a weird situation. If Huawei equipment is good enough for say, Vodafone and Optus, who handle a large chunk of Australia’s communications infrastructure already, why isn’t it good enough for government projects? And if it isn’t good enough for government projects, should we be concerned that businesses which handle our sensitive data such as TPG, Primus, Vodafone, Optus and others do use Huawei equipment?

To Huawei’s credit, they deal with any roadblocks put towards them and ultimately, the decision to use Huawei equipment in our telecommunications infrastructure should boil down to a weighted decision between price, support and technical superiority. In Huawei’s case, it has the issue of nationality to contend with – a fact its competitors (besides ZTE…) don’t.

The history of Huawei’s involvement in organised Chinese government hacking is extremely grey. There’s a distinct lack of facts, from both Huawei and governments. The only thing we can be sure of in this ongoing debate, is that it’s not going to get blacker or whiter, anytime soon.
