Huawei on NSA: If foreign spies attacked a US firm, there’d be “outrage”

Chinese tech company still trying to track down NSA infiltration.

It's been a week since revelations that the National Security Agency infiltrated the systems of Huawei, and the Chinese technology company is still trying to determine the extent of the attacks and whether they are still going on.

In an interview with Ars yesterday, Huawei VP of external affairs Bill Plummer said, "We're very early in the process of determining what has happened… The goal is 'let's find out what, if anything, happened, and let's make sure it's not still happening, and let's take the appropriate measures to make sure it can't happen in the future.'"

What is certain is that Huawei argues that the US government's actions are unacceptable.

"A government penetrating a private company's corporate network, monitoring private confidential communications, and stealing proprietary product information in order to exploit that information in the field—that's unacceptable and someone should be held accountable," Plummer told Ars. "It would seem to me that if a foreign government did this to an American company—broke into networks and listened to private communications and stole technical and proprietary information—we would be outraged."

Of course, foreign countries have attacked US companies, including China's "Operation Aurora" waged against Google and other US firms in 2009, and such attacks continue today.

Huawei, a maker of telecommunications and networking equipment with customers in more than 140 countries, has met criticism in countries including the US, Australia, and the UK. A House Permanent Select Committee on Intelligence report in October 2012 said Huawei and another Chinese company, ZTE, "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Huawei has denied providing backdoors to the Chinese government or any other government.

"One of the intents [of the NSA spying on Huawei] was to monitor our communications to determine whether we were somehow inappropriately tied to the Chinese government, which one would assume after seven years of trying and not coming up with any proof, seems to me that's a pretty good report card, because if they found something, I'm sure we would have heard about it," Plummer said.

Plummer said that as of now, "we know as much as you know" and that the company was unaware of the NSA's infiltration until last week's news reports.

Based on those reports, "the second objective apparently was to steal proprietary information that could be used to exploit our product where deployed in other markets," Plummer said. "We're still in the process of determining whether and to what extent that actually happened."

NSA: We’re not as bad as the other guys

When Ars contacted the NSA yesterday, the agency provided this statement: "We are not commenting on specific, alleged foreign intelligence activities, but as we have previously stated, NSA’s activities are focused and specifically deployed against—and only against—valid foreign intelligence targets in response to intelligence requirements. In addition, we do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—US companies to enhance their international competitiveness or increase their bottom line. It is important to note the overlay of law, regulation, policy, procedure, technical safeguards, training, culture, and ethos in the use of such tools; all of these things govern how NSA deploys various foreign intelligence techniques to help defend the nation."

White House spokespeople have also stressed that the US does not provide intelligence it collects to US companies "to enhance their international competitiveness or increase their bottom line," claiming that "many countries cannot claim the same."

That's "an interesting deflection," Plummer said. "But it's kind of like, you get caught with your hand in the cookie jar and you say, 'Well I didn't give any of the cookies to the kids, I just re-baked them, turned them into concrete, and threw them through the neighbor's window so I could ransack their house.' I'm not sure that's appropriate behavior. As a matter of fact, we condemn that sort of behavior."

After the House report in 2012, Huawei said it would allow independent examinations of its source code to relieve security concerns. The UK's cyber security evaluation center has examined Huawei equipment. "We have a very mature process there in the cyber security evaluation center where Huawei gear, hardware, firmware, software, goes through a rigorous review," Plummer said. "We are not privy to all the parameters of the review."

As for the US, "to the best of my knowledge, the US government is not in the business of doing security reviews of any equipment going into commercial networks," Plummer said. However, a company called Electronic Warfare Associates has evaluated Huawei equipment.

Those reviews tested equipment "deployed with Bell and Telus in Canada as well as some of the product that's been deployed in the US," Plummer said. "We put that process in place in anticipation of the Sprint RFP in 2010, and, oddly enough, the model we put in place, it is our understanding that Sprint is employing that model with the alternate vendors that were chosen as a result of the US government interference in the commercial decision-making process."

When Sprint was purchased by Softbank last year, the new owner agreed to limit its use of Huawei technology.

Huawei, like other big companies, under constant attack

Plummer did not offer specific details of the evaluation Huawei is conducting to determine the extent of the NSA infiltration.

"It's a living process. When you're a $40 billion company, you've got a whole lot of servers, you have a whole lot of corporate network, and you have a whole lot of people trying to break into it," he said. "It's a very dynamic approach to monitoring the traffic and the behavior of traffic in and around our networks. We regularly detect and quash activity, and you know, you have to be vigilant. It's not just state actors, it's non-state actors."

It's hard to say which is more concerning, but "I would say that as a given, state actors probably have a heck of a lot better resources than non-state," he said.

Huawei probably won't reveal a lot of detail publicly, even after finishing its evaluation. "We're not going to publicize the types of threats and incursions that we have addressed for concern of suggesting to someone that there's something that we haven't found," Plummer said.

Huawei said last year that it would reduce its focus on the US market. "It's unfortunate that the narrative about Huawei in the United States has been dominated by a few loud and politically motivated voices," Plummer said. "It's prevented us from helping people understand that yes, it's a $40 billion company, it does 70 percent of its business outside of China. We have networks deployed... by over 500 operators, including major network operators in every NATO country, in every OECD country, and across the developing world. The company is trusted and proven, and it's our anticipation that we will remain trusted and proven and continue to work with our customers to ensure the integrity of our solutions."

Defending against government hackers isn't a Huawei-specific issue, he noted. "We're now at a point where companies like Huawei and others, our global industry peers, we need to come together now and around a common cause… to restore trust, to restore confidence," he said. "As an industry, we can work together to define some standards and disciplines and best practices that are third-party certifiable, that raise the security assurance bar for the entire industry, so that it makes it more challenging for those with malicious intent to exploit networks and data."

"In parallel, I think there is an equal imperative to government now, which is to come together and agree on what are acceptable norms of behavior, state behavior in cyberspace," Plummer continued. "Without that, the restoration of trust is going to be a much slower process."
