For years, Chinese telecom giant Huawei has been dogged by allegations that its products contain backdoors designed to facilitate Chinese espionage operations abroad. In the U.S., long-simmering tensions came to a head this May, when the Trump administration banned the use of Huawei equipment in U.S. telecom networks. Now, the future of Huawei’s relationship with the West is in doubt as policymakers attempt to determine whether the company poses a threat to national security interests. Can Huawei products threaten your business? It really doesn’t matter. Here’s why.
But for global business leaders, answers to the Huawei questions may not come soon enough.
While the outlook for Huawei’s network business is uncertain, the company continues to be the largest telecommunications equipment manufacturer in the world, and the second-largest maker of smartphones. For better or worse, any business that operates outside of the U.S. likely stores or processes some of its data on Huawei products. The company was responsible for nearly one in five smartphone shipments and one in twenty global server shipments in Q1 2019.
Much of the Huawei conversation has focused on security surrounding the rollout of 5G infrastructure. However, if even a fraction of the company’s products were found to be vulnerable to state hackers, the data security of thousands of businesses around the world would also be thrown into question. Corporate leaders must decide now whether Huawei products pose a threat to their cybersecurity. Unfortunately, that’s just the tip of the iceberg when it comes to assessing vulnerabilities in the global IT hardware and software supply chain.
Evaluating the Huawei Threat
Huawei representatives have consistently denied allegations of Chinese state interference, and one could argue that such interference would be against the Chinese government’s best interests (particularly in the U.S., which is China’s largest trading partner by far). Any definitive evidence proving that the Chinese state is leveraging consumer electronics to spy on American citizens would be disastrous for the Chinese economy.
Huawei’s relationship with the Chinese security state apparatus.
Then again, definitive proof is a rarity in cyber espionage, and while it remains elusive in the Huawei case, circumstantial evidence abounds. A report submitted to the Senate Intelligence Committee found that China was involved in over 90% of all economic espionage cases handled by the Department of Justice over the preceding seven years. Huawei’s report card isn’t much better
It will likely be years before we understand the full scope of Huawei’s relationship with the Chinese security state apparatus. For now, these questions miss the bigger point. As Law Professor William Snyder argues in The Verge, the greatest threat to global cybersecurity is not any single corporate or government entity, but rather, the entire supply chain of IT hardware and software.
Yanking The Supply Chain
A January story from The Intercept cites multiple classified reports that identify supply chain vulnerabilities as “central aspects of the cyber threat,” also noting that the intelligence community does not have “the access or technology in place necessary for reliable detection of such operations.” Last May, Wired published a story on the hacker collective Barium, which has accessed hundreds of thousands of users’ computers by exploiting software distribution channels.
China is far from the only country suspected of supply chain attacks.
Evidence indicates that the Barium hackers are Chinese-speakers, but China is far from the only country suspected of supply chain attacks. Many will recall journalist Glenn Greenwald’s 2014 accusations against the NSA, which alleged that the U.S. intelligence agency regularly intercepts IT network devices being exported by U.S. companies, and implants the products with backdoor surveillance tools. The fundamental disconnect between state-level interests and a globalized economy means national intelligence agencies will always be motivated to engage in supply chain interference.
Protecting Your Business
Ultimately, it doesn’t matter whether Huawei products have been tampered with by the Chinese state. As of 2011, China was responsible for manufacturing 90% of all personal computers worldwide, and 70% of all mobile phones. Remove Huawei from the equation, and Chinese intelligence agencies would still have ample targets for supply chain interference. Remove China from the equation, and we’ll still be contending with supply chain attacks from state-sponsored and black hat hackers.
Supply chain attacks have always been difficult to detect.
Detecting supply chain attacks at the source will always be difficult. Modern IT hardware can consist of millions of microscopic components; software often contains billions of lines of code. However, business leaders can still take action to protect their companies. These include:
- Taking inventory of sensitive data, users, and devices—as well as third party vendors that may be vulnerable to attack.
- Eliminating overly permissive default access control and deploying a least privileged access model.
- Leveraging digital forensics technology to monitor network traffic and investigate potential security breaches.
- Toughening up Bring Your Own Device (BYOD) policies and deploying mobile device management (MDM).