Sunday, October 20, 2013

Huawei Claims Transparency But These Facts Say Otherwise

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies. 
"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do." 
- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)
Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly meant to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike the U.S. companies named as supporting legal NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

That's not being transparent, gentlemen.

3 comments:

  1. With all due respect Jeff, while we may differ in terms of the definition of being transparent, I think we should at least agree on the definition of untruths and misleading blog posts.

    Your post makes reference to a number of state-owned telecoms in China that you state engage in State-mandated monitoring of telecommunications. As you are well-aware, every government around the world requires some sort of lawful intercept cooperation from telecommunications operators and Internet service providers. As a result, all vendors of the equipment that service providers operate are required to provide an interface for lawful intercept.

    Huawei, like, for instance, Cisco – which provides much of the network equipment for Chinese telecommunications operators and Internet service providers - builds equipment to the same specs, but it is the telecommunications operators or Internet Service Providers that respond to government lawful intercept requests, whether in China or the U.S. To accuse Huawei of some sort of nefarious activity in this context would be to accuse Cisco, Ericsson, Alcatel-Lucent and countless other telecom infrastructure vendors of the same.

    And I know you know these facts Jeff. Your post is willfully misleading.

    As for your reference to China’s State Security Law, I’ll be gracious and imagine that you are mis-informed by the likes of the House Intelligence Committee which willfully misrepresented that Law in last year’s hearing and report, despite having received legal analyses that explained the facts.

    To the extent you welcome a briefing on actual facts, consider the following:

    At last year’s House Intelligence Committee hearing, Rep Adam Schiff quoted Article 11 of the State Security Law of the People's Republic of China that provides "Where state security requires, a state security organ may inspect the electronic communication instruments and appliances and other similar equipment and installations belonging to any organization or individual."

    In point of fact, Article 11 is intended to prevent the intelligence agencies or other forces outside of China from eavesdropping, photographing, or stealing China's state secrets using electronic communication equipment or other similar equipment or other sophisticated information transmission modes in a manner that would jeopardize China's national security.

    The "organization and individual" to be inspected as specified in Article 11 cover a wide range:

    “Organizations” include Chinese institutions and organizations as well as the institutions and organizations set up by foreign countries and regions in China, including Chinese-funded enterprises, joint ventures, and foreign-funded enterprises.

    “Individuals” include Chinese citizens as well as foreigners and stateless people within the Chinese territory.

    As for the word "inspect," it refers to the examination of the electronic communication equipment or other similar equipment. The inspection is intended to identify whether the equipment possesses functionality that would disclose, steal secrets and/or interfere with the normal communications of the Chinese government.

    Finally, China's state security organ may only use Article 11 in strict accordance with the law for the purpose of safeguarding China's national security. The Chinese government may not use Article 11 beyond the scope of its authority to infringe on the legitimate rights of other countries, organizations, or individuals.

    All of this was explained to the House Intelligence Committee after the hearing, but to no avail. Their agenda was not to be derailed by facts.

    I have never been certain what drives your agenda with Huawei Jeff. Your past references to Huawei have been universally aggressive and regularly mis- or not fully-informed, and in the case of the post I am commenting on, seemingly willfully, at least in terms of the intercept references.

    That said, I’m happy to continue the dialogue, but, preferably, in the context of facts.

    Best,

    Bill Plummer

  2. Hi Bill, thanks for engaging. I'm not sure why you chose to elaborate on Article 11. I said that Huawei would be required to comply with a request from the State under that law. You simply added the additional context that such a request would be made when national security was involved. That doesn't change anything b/c all surveillance by any foreign intelligence service or LEO is done under the purview of national security as determined by the respective State.

    You correctly point out that Huawei like any other hardware provider builds equipment to specs that allow for lawful intercept. I didn't claim otherwise. My question to you is does Huawei reveal those specs to its customers so that they know the design in Huawei hardware which enables intelligence agencies to conduct their surveillance? I would think such a disclosure would be important since the perception in the U.S. and other countries is that Huawei has backdoors in their hardware. Why not document it?

    Huawei, in the above release, appears to try to take the moral high ground against Verizon, Google, Yahoo, Microsoft or any other U.S. company who complied with a legal request from the NSA but that's misleading and disingenuous because it's not a provider of Internet or telecommunications services. The Chinese gov't would make that request of China Telecom, etc., not Huawei. Huawei equipment would, however, have to support that request.

    And I use the word "request" loosely. As I'm sure you know, the MSS, the CCP, and the State Council don't make requests. They expect compliance. Which brings me to a question that I asked Mr. Purdy on Twitter and for which I did not receive a reply. If Huawei should ever be ordered by a Chinese intelligence service to provide access to their hardware for surveillance purposes or any purpose which legally falls within China's State Security law, would Huawei be truly transparent and reveal it? Would Huawei be permitted to reveal it? Because if the answer to that question is no, then how could anyone believe Mr. Hu's statement as quoted in my post?

    For the record, I thought that the House Intelligence Committee hearing on your company was unfair. There are reasons for the U.S. government to be concerned about using Huawei equipment but Rep. Rogers missed those in favor of ones that had little or no merit.

    Also, in the interests of fairness and an accurate airing and depiction of the facts, I'd be happy to put together a panel at Suits and Spooks DC which includes you or others from Huawei along with some opposing experts to debate this subject. It would certainly fall within the focus of the conference which you can view here: http://www.suitsandspooks.com/2014/01/dc-2014/

    I'm sure that there'd be great interest among the attendees. Let me know if you'd like to discuss. I have no agenda other than to continue to depict the entirety of the threat landscape in information security fairly to the best of my ability.

  3. Thanks Jeff.

    Quick responses:

    Does Huawei reveal specs to our customers in terms of lawful intercept interface? Well, um, duh. Those specs are defined by the global standards that all vendors build to. They are completely and publicly documented. We build to standard commercial specs. Period. Nothing more. There's nothing misleading or "moral high ground" about any of this. The facts are the facts.

    As for the question about any requests from any government. What we have said is quite clear. Hasn't happened. Moreover, what we have additionally said is that should such a request be made, we would decline.

    If your agenda is truly to depict the entirety of the threat landscape in information security fairly, then perhaps you could start by acknowledging that every vendor relies on common global supply chains and is subject to common global vulnerabilities and that geography-based exclusions do little more than create a dangerously false sense of security. The only real solutions are global and industry-wide solutions, period.

    Finally, schedule permitting, happy to sit on such a panel as you describe.

    Bill
