Scoop Election 08: edited by Gordon Campbell

Gordon Campbell on the Huawei security scare

October 9th, 2012

On the face of it, it looks very strange that our government should have jumped to comply with American concerns about the Internet business of about Kim Dotcom – to the extent of a string of illegal search, seizure and surveillance activities – but seems utterly blasé about the Internet activities of the Chinese firm Huawei, which the American House Intelligence committee has fingered as a security risk, and would like to bar from US contracts. New Zealand, by contrast, has signed up Huawei as a key contractor in our ultra fast broadband rollout.

Sorting out the genuine national security and industrial espionage risks that may – or may not – be involved here is difficult, and the Greens and Labour appear to have rushed to judgement on Huawei in much the same way they castigated the government for doing over Dotcom. Is Huawei a genuine concern, or (primarily) a case of US economic protectionism? The House Intelligence committee report is noticeably short of specific evidence against Huawei, but then again, it does have a separate, classified version of its report that may have more flesh on its bones. As this report suggests, the public case against Huawei appears to rest on the evidence of cyber hacking by the Chinese government, the past support that the Chinese government has given the firm, and the existence of former Chinese military officers in its top executive ranks. It is more a cloud of suspicion – reason enough for caution to some – than solid evidence of bad behaviour. Is it quite reason enough though, to bar Huawei from Western contracts? There are arguments either way.

For example, there is this BBC report about the Chinese government allegedly being behind retaliatory hacking attacks on Google. Another report alleges a long running penetration of the US firm Nortel by Chinese agents.

Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers—who appeared to be working in China—penetrated Nortel’s computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation. The hackers also hid spying software…deeply within some employees’ computers.

The question for New Zealand is whether these actions by Chinese agents should make Huawei guilty by association. On the other side of the ledger, one can readily put the concerns about Huawei down to US economic protectionism.

Both companies are a solid threat to Cisco and Juniper, two U.S. companies that stand to lose if their products are undercut by low-cost Chinese switches and routers. Cisco’s CEO John Chambers is a very active Republican who is vocal on this issue. Plus, both Cisco and Juniper (as well as many U.S. companies) frequently make some of their hardware and even write some of their code in China and other places that the U.S. might consider a threat. Domestic companies point out that they don’t let engineers writing code overseas have full access to the source code, and that the foreign-produced code is reviewed, but there is an element of hypocrisy here.

It’s cheaper to build things in China, be it software or hardware. Plus, executives at U.S. companies tell me that they never buy used networking gear from any vendor because it can have unexplained Chinese software on it. The Chinese don’t necessarily need a company in its pocket to install networking spyware, when it can sell gear on eBay to unsuspecting corporate buyers.

So…is it the US raising security concerns primarily to protect its own economic interests – or, given the prevalence of cyber attacks and industrial espionage, is there a residue of sensible caution in making sure the Chinese are kept at arm’s distance? Presumably, Huawei got the ultra fast broadband contract here because it was the cheapest bidder. How, one wonders, would our Government Communications Security Bureau and SIS go about assessing the risk that this contract may pose to national security and via industrial espionage – which as the above paragraph suggests, could also conceivably be compromised by gear that our corporates buy on Trade Me. The usual GCSB/SIS modus operandi is to ask its brother intelligence agencies (in the US, Australia and elsewhere) what it should think.

With Huawei, that’s not an option. It poses a nightmare for our spooks. The UK is saying one thing (Huawei is OK) and Washington and Canberra are saying the opposite – yet their warnings run counter to our own government’s policy for the rollout of its pet IT project. At crunch, how can New Zealand partake fully in intelligence traffic if its main allies think that we may have witlessly turned ourselves into a listening post for the Chinese? It won’t matter, at that point, if there is any substance to the fears about Huawei. Perception will have become reality. Hard to see though, the Key government backing down, and backing out of its UFB contracts at this point.

The only winner in all this that I can see is Cabinet Secretary Rebecca Kitteridge. Just after she has been appointed to analyse the inner workings of the GCSB, this lands on the agency’s plate. You could hardly get a better, and more difficult test of its evaluative procedures, and analytical ability.

ENDS

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Scoopit
  • Digg
  • del.icio.us
  • Reddit
  • NewsVine
  • Print this post Print this post
    1. 5 Responses to “Gordon Campbell on the Huawei security scare”

    2. By Rich on Oct 9, 2012 | Reply

      1. Seen this:
      http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf
      suggests that if not deliberately broken, Huawei’s midsize gear (which may differ in implementation from their backbone kit) is heinous crap.

      2. The Chinese undoubtedly engage in state-sanctioned, or at least tolerated, cracking and vandalism. Which is antisocial, and they ought to stop. Having their companies lose business might encourage them to do so.

      3. If routers were open source, you wouldn’t have these suspicions. The budget for the fibre network could probably fund a lot of work to improve OSS router tech.

    3. By Phil Stevens on Oct 9, 2012 | Reply

      Industry best practice where data security is at issue involves careful vetting of the proposed solutoin. It would be relatively straightforward to retain a top quality, internationally respected security expert (someone of the calibre of Bruce Schneier) to carry out a rigorous independent assessment of the Huawei devices under consideration and the code that runs on them. Military procurement contracts for IT vendors carry this stipulation as a matter of course. And no updates should be carried out on the equipment once deployed without the new code being subject to the same sort of inspection. Why won’t the government conform to best practice? Are they just amateurs and simply out of their depth here, or is there an agenda we should be concerned about?

    4. By peterlepaysan on Oct 9, 2012 | Reply

      It does not matter whether it is Ericsson, Alcatel or Huawei they are all capable of being compromised (equally).

      The US congressional committee that condemns Huawei is the same one that told us that Iraq had weapons of mass destruction.

      Sigh!

    5. By Jason on Oct 10, 2012 | Reply

      Nice one Rich, I hadn’t seen this.
      On the strength of it peterlepaysan, ah nope Huawei are in a league of their own for poor security practice: 90′s style bugs and exploitation; no security advisories or releases. As Rich says tis broken, deliberately or no.

    6. By Nick on Oct 15, 2012 | Reply

      I was doing some consulting work for 3Com prior to their purchase by Huawei back in the early 2000s. At the time they were marketing the Huawei routers which basically as far as I could see ran on Cisco code (IOS)either copied or reverse engineered etc. The issue was in the US courts as a copyright breach and got settled in Ciscos favour.

      In this case I think it likely that Cisco and Juniper are feathering their own nests with the spectre of something I have no doubt they are just as capable (and likely) of doing themselves (breaching other peoples security). It is the US big boys versus the foreign newcomer.

    Post a Comment