US likely exaggerated Huawei threat, security experts say

Despite a vigorous campaign against the Chinese telecom giant, US security experts report state-sponsored hackers show no preference for any particular manufacturer's technology, and the Chinese don't need secret access to Huawei routers to infiltrate global networks.

First Look

Since last year, the United States has waged a vigorous diplomatic offensive against the Chinese telecommunications giant Huawei, claiming that any nation deploying its gear in next-generation wireless networks is giving Beijing a conduit for espionage or worse.

But security experts say the US government is likely exaggerating that threat. Not only is the US case short on specifics, they say, it glosses over the fact that the Chinese don't need secret access to Huawei routers to infiltrate global networks that already have notoriously poor security.

State-sponsored hackers have shown no preference for one manufacturer's technology over another, these experts say. Kremlin-backed hackers, for instance, adroitly exploit internet routers and other networking equipment made by companies that are not Russian.

If the Chinese want to disrupt global networks, "they will do so regardless of the type of equipment you are using," said Jan-Peter Kleinhans of the Berlin Neue Verantwortung Stiftung think tank.

One of the most common US fears – that Huawei might install software "backdoors" in its equipment that Chinese intelligence could use to tap into, eavesdrop on or interrupt data transmissions – strikes many experts as highly unlikely.

Priscilla Moriuchi, who retired from the US National Security Agency in 2017 after running its Far East operations, said the risk of Huawei backdoors is "almost zero because of the chance that it would be discovered," thus exposing Huawei's complicity.

Ms. Moriuchi, now an analyst at the US cybersecurity firm Recorded Future, said that she and other NSA employees were tasked with searching for Huawei hardware and software backdoors created by Chinese intelligence, but never found any.

She expects nations will exhibit a risk-tolerance threshold, with some excluding Huawei gear from network backbones and core functions while allowing it further out where cell towers and wireless handsets interact.

European allies have been reluctant to embrace a blanket anti-Huawei ban even as US officials continue to cast the world's No. 1 telecom-equipment maker as little more than an untrustworthy surrogate for Beijing's intelligence services.

The top US diplomat for cybersecurity policy, Robert Strayer, says Huawei is obliged to heed Chinese Communist Party orders by a 2017 intelligence law that "compels their citizens and their companies to participate in intelligence activities."

Mr. Strayer provided no specifics when pressed by reporters Tuesday as to how Huawei gear might pose more of a security threat than other manufacturers' switches, routers, and wireless base stations. The diplomat spoke at Mobile World Congress, the world's largest wireless trade show, in Barcelona, Spain.

US officials have also said next-generation wireless networks will be more vulnerable because more traffic will move from the network's core to its edge, a claim the chairman, Anand Prasad, and vice chair, Alf Zugenmaier, of the technology's security 3GPP standard committee both questioned.

The American rhetoric has included threats.

US Secretary of State Mike Pompeo suggested last week any use of Huawei equipment could jeopardize US intelligence sharing and might even be a reason to locate military bases elsewhere. The remarks may have been targeted at NATO allies including Poland and the Czech Republic where Huawei has made significant inroads.

A spokeswoman for the US National Security Council declined to comment or to provide any officials to address specifics. A State Department spokesman referred The Associated Press to a press statement on Strayer's remarks in Barcelona.

Huawei, founded in 1987 by a former military engineer, overtook Sweden's LM Ericsson in 2017 as the lead company in the market for wireless and internet switching gear. It says it supplies 45 of the world's top 50 phone companies and has contracts with 30 carriers to test so-called fifth-generation, or 5G, wireless technology.

US companies are not serious competitors in this market, having pulled back over the years. Huawei's major rivals are European – Ericsson and Finland's Nokia.

The US has provided no evidence of China planting espionage backdoors in Huawei equipment despite a 2012 congressional report that led the US government and top domestic wireless carriers to ban it and other Chinese manufacturers from their networks.

"The backdrop for this is essentially the rise of China as a tech power in a variety of domains" said Paul Triolo, tech lead at the Eurasia Group risk analysis consultancy. Now, he said, "there is a big campaign to paint Huawei as an irresponsible actor."

In January, US prosecutors filed criminal charges against Huawei and one of its top executives, alleging the company stole trade secrets and lied to banks about embargo-busting company dealings with Iran. Canada earlier arrested that Huawei executive – who is also the daughter of the company's founder – at US behest; she is currently awaiting extradition to the US Huawei has denied wrongdoing.

The US has also indicted alleged state-backed Chinese hackers it says are involved in rampant cybertheft of Western trade secrets.
One irony of the situation is that the US has actually done what it accuses Huawei of doing. According to top-secret documents released in 2013 by former NSA contractor Edward Snowden, the US planted surveillance beacons in network devices and shipped them around the world.

The affected equipment included devices from Cisco Systems, a Silicon Valley company whose routers were blacklisted by Chinese authorities after the Snowden revelations.

Washington's closest ally has taken a different approach to any potential threats from Huawei. Britain's National Cyber Security Center (NCSC) long ago placed multiple restrictions on Huawei equipment, including disallowing it in any sensitive networks, agency director Ciaran Martin noted in a speech last week.

According to Kleinhans, who has studied the agency's practices, Huawei can't conduct any direct maintenance on mobile base stations in the United Kingdom, and instead must allow local wireless carriers to handle the work. Those carriers can't use Chinese equipment to conduct any law enforcement wiretapping. The British agency also requires redundancy in critical networks and a variety of equipment suppliers to prevent overreliance on any single manufacturer.

In its annual review of Huawei's engineering practices published in July, the NCSC found "shortcomings" that "exposed new risks in the UK telecommunication networks." But none were deemed of medium or high priority.

Mr. Martin called the problems manageable and not reflective of Chinese hostility.

"With 5G, some equipment needs to be more trustworthy than ever. But probably not all," NCSC technical director Ian Levy wrote in a blog.

Like the British, German officials have indicated they'll reject a blanket Huawei 5G ban.

In December, the head of Germany's cyber-risk agency, Arne Schoenbohm, said "for such serious decisions as a ban, you need evidence."

Last week, the nation's Interior Ministry told The Associated Press "the direct exclusion of a particular manufacturer from the 5G expansion is at the time not legally possible and also not planned."

This story was reported by The Associated Press. Frank Jordans in Berlin; Joe McDonald in Beijing; and Kelvin Chan in Barcelona, Spain, contributed to this report.