US lawmakers list five must-dos to block Huawei and ZTE hack-threat

The US committee calling for ZTE and Huawei to be blackballed as suppliers has released a five-strong list of recommendations to protect against Chinese cyberterrorism, including demanding more government insight into private sector tech deals. The House Intelligence Committee report concludes that American companies should "use another vendor" and highlights the potential for damage when "critical infrastructure" such as the electricity supply, banking, water, and other systems are "incredibly connected." As for the Chinese firms in question, despite their protestations that they have been open and honest, "Huawei and ZTE provided incomplete, contradictory, and evasive responses to the Committee's core concerns," the committee chairman said in a statement today.

 "The report notes that modern critical infrastructure is incredibly connected, everything from electric power grids to banking and finance systems to natural gas, oil, and water systems to rail and shipping channels. All of these entities depend on computerized control systems. The risk is high that a failure or disruption in one system could have a devastating ripple effect throughout many aspects of modern American living" Permanent Select Committee on Intelligence

Among the recommendations are that US carriers should look elsewhere for their infrastructure components, as these could potentially allow Chinese government snooping on the telecommunications backbone, and that new legislation to put firms "with nation-state ties or otherwise not clearly trusted to build critical infrastructure" under the microscope should be considered. The Committee on Foreign Investment in the United States (CFIUS) should take an active role in purchasing agreements, it's proposed.

"Any bug, beacon, or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks.  As this report shows, we have serious concerns about Huawei and ZTE, and their connection to the communist government of China.  China is known to be the major perpetrator of cyber espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation.  American businesses should use other vendors" Mike Rogers, Chairman, House Intelligence Committee

The committee also saved some scolding for Huawei and ZTE's perceived attempts to block investigations, with Huawei particularly singled out for a tongue-lashing. "Huawei, in particular, must become more transparent and responsive to U.S. legal obligations," the report insists, having "failed to provide thorough information about its corporate structure, history, ownership, operations, financial arrangements, or management."

Chinese responsibility for cyber attacks on US systems, although often only speculated at, fuels much of the concern within the report. "Recent cyber-attacks often emanate from China," the committee suggests, "and even though precise attribution is a perennial challenge, the volume, scale, and sophistication often indicate state involvement." Those attacks are often intended "to steal trade secrets and other sensitive proprietary data."

As for security programs in operation elsewhere in the world, such as the Cyber Security Evaluation Centre formed in the UK with Huawei and the UK government, the US team argues that such projects can "create a false sense of security" as they encourage companies to bypass their own checks in deference to a perceived external validation of safety.

In addition, the committee casts doubt on the usefulness of examining software/hardware in a single "snapshot" at any one point in its lifecycle, given that new functionality can be added at any time. That's even before you get to malicious code that has been purposefully hidden. "If we also consider flaws intentionally inserted by a determined and clever insider," the report argues, "the task becomes virtually impossible."

"The Committee did not expect Huawei to prove that it has "no ties" to the government. Rather, in light of even experts' lack of certainty about the state-run capitalist system in China, the Committee sought greater understanding of its actual relationship with the Chinese government. The Committee requested that Huawei support and prove its statements about its regulatory interaction by providing details and evidence explaining the nature of this formal interaction. Any company operating in the United States could very easily describe and produce evidence of the federal entities with which it must interact, including which government officials are their main points of contact at those regulatory agencies" House Intelligence Committee

The full report is available here [pdf link].

House Intelligence Committee recommendations:

  • US government systems and US government contractors, particularly those working on sensitive systems, should exclude any Huawei or ZTE equipment or component parts. Additionally, the Committee on Foreign Investments in the United States (CFIUS) must block acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests.
  • U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects.
  • Unfair trade practices of the Chinese telecommunications sector should be investigated by committees of jurisdiction in U.S. Congress and enforcement agencies in the Executive Branch. Particular attention should be paid to China's continued financial support of key companies.
  • Chinese companies should quickly become more open and transparent. Huawei, in particular, must become more transparent and responsive to U.S. legal obligations.
  • Committees of jurisdiction in Congress should consider potential legislation to better address the risk posed by telecommunications companies with nation-state ties or otherwise not clearly trusted to build critical infrastructure, including increasing information-sharing among private sector entities and expanding a role for the CFIUS process to include purchasing agreements.