What Huawei And ZTE Could Actually Do To Your Company

Any company that's using components made by Huawei and ZTE ought to "be very concerned." according to one U.S. cyber-security expert who's familiar with past Chinese efforts to infiltrate private and government IT operations.

No Transparency About Even Basic Details

"They should be very concerned that there is little transparency and [the companies] avoid answering questions about the most basic details, such as who is on the board of directors," said Dmitri Alperovitch, CTO of security firm Crowdstrike, referring to any end users of Huawei or ZTE products.

The two Chinese firms were specifically mentioned by yesterday's report from the U.S. House of Representatives Permanent Select Committee on Intelligence that recommended that businesses and individuals should avoid doing business with ZTE, Huawei and other Chinese firms due to a potential national security threat. (See How U.S.-China Tensions Could Affect Your Next Smartphone.)

Alperovitch highlighted Huawei's diverse product line as one particular example of how far reaching the potential threat could be. Huawei makes and sells smartphones used by various carriers here in the U.S, such as AT&T, MetroPCS and Cricket. Huawei also makes high-grade and high-capacity network switching gear, which is where the bigger risk lies, Alperovitch explained.

Specific risks could include

  • Smartphone remote access - though the individual risks are small, this could present pesonal threats to high-value individuals
  • Firewall breaches
  • Remote access to servers, which could lead to data breaches
  • Remote access and re-routing of network switches and routers - with unknown implications
  • As yet unknown cyber attacks
  • Backdoors to automatically send information back to China - where it would presumably be shared with competitors and/or the Chinese government

Backdoors Are The Big Problem

That kind of equipment, which handles high-volume voice and Internet traffic, would be especially vulnerable to backdoors that would enable malicious organizations to intercept and re-route traffic at will.

This is not exactly a new position for Huawei and ZTE. Alperovitch related an incident a few years ago when Sprint reached out to possibly partner with Huawei on networking infrastructure. "The U.S. government called them up and said 'no.' Their efforts to get into the U.S. market have been stymied for years."

The U.S. is not the only nation concerned. In March, Australia announced that was blocking Huawei from bidding on a national high-speed Internet project because of concerns about cyber-attacks from China, Alperovitch said.

Not The Same As Google And Apple

As news about the House Committee's report percolated through the wires yesterday, many commenters, including me, pointed out the irony of complaining about information "phoning home" to China when U.S.-based Google and Apple have been doing just that for years.

But Alperovitch asserts its not at all the same thing. "Google and Apple are not beholden to any Western government," he indicated. In the past, both companies have made it a point to tell the government to take a hike. But, given its suspected ties to the People's Republic of China government, "do we think Huawei would ever say no?"

So what would it take for ZTE and Huawei to reestablish trust? Alperovitch said the companies should be willing to be forthright and unevasive about the most basic aspects of its infrastructure and governance, such as who is on the boards of directors and when were the companies even founded? Such transparency would not be the only thing needed to completely establish trust.

"But it's a start," Alperovitch concluded.

Lead image courtesy of Shutterstock.