House Panel: 2 Chinese Firms Pose IT Security RisksCommittee: U.S. Should Stop Doing Business with Huawei, ZTE
Mike Rogers, the chairman of the House Permanent Select Committee on Intelligence, worries that the Chinese government could be using communications products manufactured in China and installed into U.S. government and American corporate IT systems to pilfer classified information and trade secrets.
See Also: Ransomware: The Look at Future Trends
"Any bug, beacon or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks," the Michigan Republican says in a statement accompanying the release of a new panel report that recommends the U.S. government and American businesses stop conducting business with two Chinese telecommunications companies because of long-term IT security risks.
The investigative report, issued Oct. 8, recommends that U.S. government systems, particularly sensitive IT systems, should refrain from using equipment and component parts manufactured by the two companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively.
Early last year, the committee initiated a preliminary review of the national security threats posed by Chinese telecommunications companies doing business in the United States. The preliminary review suggested that the threat to the supply chain constitutes a rising national security concern of the highest priority. Last Nov. 17, the House Intelligence Committee launched a full investigation, focusing on the two main Chinese telecommunication companies doing business in the United States, Huawei and ZTE.
At a committee hearing last month [see Fear of Tinkering with Wares to Spy, Pilfer American Secrets], officials of Huawei and ZTE strongly denied any suggestion the companies would allow the Chinese government to use its equipment to spy on American institutions.
Impeding Competition Alleged
Huawei, in a statement, says the committee's report contains many rumors and speculation to prove non-existent accusations. "This report does not address the challenges faced by the ICT (information and communications technology) industry," the statement says. "Almost every ICT firm is conducting R&D, software coding and production activities globally; they share the same supply chain, and the challenges on network security is beyond a company or a country. The committee's report completely ignored this fact. We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the U.S. market."
Rogers isn't convinced by those arguments, and says: "China is known to be the major perpetrator of cyberespionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation," he says. "American businesses should use other vendors."
The report contains five recommendations:
- Federal government systems and contractors, particularly those working on sensitive systems, should exclude any Huawei or ZTE equipment or component parts. Additionally, the Committee on Foreign Investments in the United States must block acquisitions, takeovers or mergers involving Huawei and ZTE given the threat to U.S. national security interests.
- American network providers and systems developers should seek other vendors for their projects.
- Unfair trade practices of the Chinese telecommunications sector should be investigated by the appropriate congressional committees and executive branch agencies with particular attention should be paid to China's continued financial support of key companies.
- Chinese companies should quickly become more open and transparent. Huawei, in particular, must become more transparent and responsive to American legal obligations.
- Appropriate congress committees should consider legislation to better address the risk posed by telecommunications companies with nation-state ties or otherwise not clearly trusted to build critical infrastructure, including increasing information-sharing among private sector entities and expanding a role for the Committee on Foreign Investment in the United States process to include purchasing agreements. The Committee on Foreign Investment in the United States is an inter-agency panel authorized to review transactions that could result in control of a U.S. business by foreigners.
Pervasive Fear of Back-Door Cybertheft Channel
Gavin Long, a contributing expert at SafeGov.org, an industry forum that promotes trusted and responsible public-sector cloud computing, foresaw the committee's report in a blog he posted last month for Information Security Media Group sites, in which he wrote [see Do Chinese Cloud, Mobile Providers Pose a Threat?]:
"Closely correlated to the meteoric rise of these telecommunications and IT providers, however, is a rising tide of speculation and mistrust. Simply put, there is a pervasive fear expressed by government officials and the media that telecommunications infrastructure equipment or consumer devices such as tablets and smartphones could serve as a back-door channel for espionage and cybertheft."
Rep. Jim Langevin, the Rhode Island Democrat who co-founded the Congressional Cybersecurity Caucus, used the insurance of the House committee's report to lobby for passage of comprehensive cybersecurity legislation that has stalled in Congress [see Administration Seeks Cooperation on Infrastructure Safeguards. "We will not be able to appropriately address the efforts by Chinese actors and others who are committing economic espionage or attempting to sabotage our networks unless we pass comprehensive cybersecurity legislation," Langevin says.