Should United States telecommunications companies consider purchasing -- or even be allowed to purchase -- infrastructure equipment from a major Chinese company that could, maybe, be a significant national security risk?
Some US government officials and security experts are concerned about products from Huawei Technologies Co. Ltd., which has begun more actively courting US customers.
A letter last month from eight Republican senators asked whether Timothy Geithner, US Secretary of the Treasury, and retired Gen. James Clapper, Jr., Director of National Intelligence, should prohibit Sprint Nextel Corp. (NYSE: S) from purchasing products from Huawei. The letter expressed concern that Huawei products "could create substantial risk for US companies and possibly undermine US national security."
Reasons for the concern include Huawei selling communications equipment to Saddam Hussein, the Taliban, and Iran, including Iran's military. The senators also are concerned that Huawei's CEO, Ren Zhengfei, was an officer in China's military, the People's Liberation Army (PLA). In addition, Motorola Inc. (NYSE: MOT) is suing Huawei and former Motorola employees for allegedly selling proprietary information.
Although the Republicans are no doubt playing politics, the letter serves to highlight legitimate concerns about types of Chinese infiltration in critical US infrastructure. For example, the FBI and other government agencies have been concerned about the possibility of back doors and other potential security problems from counterfeit Cisco routers (not related to Huawei) installed on US government and corporate computer systems.
At least one expert, Gordon Housworth, founder of the management consulting and technology services firm Intellectual Capital Group, characterized the firms that developed the counterfeit routers and the router architectures as “reasonably having a connection to the Chinese military.”
Housworth, who is a former member of the intelligence community, is not alone in considering Huawei, in essence, an arm of the PLA. He says "that risk is highest when purchasing equipment from Chinese or Israeli vendors because of the possibility of hidden firmware, software, or post-installation intervention that could compromise security."
Another security expert concerned about foreign tampering is Bruce Schneier, chief security technology officer at BT and a well-known blogger about security. Although he doesn't have any proof, Schneier says it "certainly wouldn't surprise me at all" if Huawei installed software that could endanger US security. He would "think twice" before buying equipment from Huawei.
If Huawei's hardware, such as cellular switches for voice and data, is a possible security threat, why would any cellular operators even consider it? One major reason is price. Huawei is extremely price competitive, which could outweigh potential security concerns. However, as Housworth emphasizes, "low cost is not low risk."
In the US, Huawei is working with a Kansas company, Amerilink Telecom, to help win contracts from American companies. Several top Amerilink executives are former Sprint executives, which certainly helps to get their phone calls answered when courting Sprint.
But couldn't cellular operators just employ security experts to tear apart Huawei equipment to search for potential security problems? Schneier says it's possible, but it's like trying to find every insect in your house. It's "very, very hard" to find every bug -- insect or computer-related.
So why not purchase from one of the other top vendors, such as Ericsson AB (Nasdaq: ERIC) or Nokia Siemens Networks? That's safe, right? Uh, no.
In 2006, one of the most infamous cellular wiretapping cases in the world erupted when more than 100 people in Greece had their conversations monitored, including the Greek prime minister and other officials, military officers, and journalists. An Ericsson switch (or switches) on Vodafone's network was (or were) hacked. Hackers exploited a legitimate software upgrade that was designed -- legally -- to allow Greek law enforcement personnel to tap into conversations.
No one knows (or is saying) who was involved -- Ericsson, Vodafone, contractors servicing the equipment, the CIA, Greek government spies, or a combination thereof. But it highlights Housworth's warning that even if hardware is secure when it's initially installed, it could be compromised in many ways after installation, on-site and/or remotely.
So forget Huawei and Ericsson. Let's pick Nokia Siemens for cellular infrastructure. Don't concern yourself with Nokia Siemens being sued over its telecom hardware used by the Iranian government to persecute political dissidents.
The sad fact is any computer system and telecommunication infrastructure can be hacked to endanger national security. Indeed, governments are increasingly demanding access to secure or relatively secure systems, which creates more potential backdoors for hackers to exploit.
Perhaps all these real and possible infrastructure attacks don't concern you. After all, I'm sure your Huawei Android phone could never be compromised. It's not as if you'd need to take some precautions.
— Alan Reiter, President, Wireless Internet & Mobile Computing