House Intelligence says agencies shouldn't buy Huawei or ZTE equipment
Federal agencies should shun telecommunication systems composed of equipment from Chinese firms Huawei and ZTE, even at the component level, says an Oct. 8 report from House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.).
Huawei and ZTE "cannot be trusted to be free of foreign state influence," the report (.pdf) states.
The result of a year-long investigation, it also calls on the Treasury Department-led Committee on Foreign Investment in the United States to block any proposed mergers or acquisitions involving the firms, "given the threat to U.S. national security interests."
The report falls short of accusing Huawei and ZTE directly of engaging in espionage, and executives from the firms in September told a House Intelligence panel that spying on behalf of the Chinese government would jeopardize their business.
But, "even if the company's leadership refused such a request, Chinese intelligence services need only recruit working-level technicians or managers in these companies," the report states. The unclassified report, which often lacks specifics, is accompanied by a classified annex that (obviously) wasn't released to the public, but which report authors say provides significantly more information.
Company statements that their equipment poses no threat and that they would not succumb to any Chinese government pressure to facilitate espionage through their products cannot be relied on, the report adds.
Investigators did not expect Huawei in particular to prove that it has no ties to the Chinese government, the report says, but that it would clarify its relationship with the government and the Chinese Communist Party. Both firms supplied vague or incomplete responses to committee questions and have opaque corporate and ownership structures, according to the report--which also cites ZTE reluctance to provide internal documentation on the basis that doing so could violate China state-secret laws.
"To the extent ZTE cannot provide detailed and supported answers to the Committee because China's laws treat such information important to the security of the Chinese regime, the Committee's core concern that ZTE's presence in the U.S. infrastructure represents a national-security concern is enhanced," the report states.
Proposed mitigation of security concerns proposed by the firms such as having an independent party evaluate products for cybersecurity threats "cannot fully address the threat," it says.
Third party evaluations test a narrow set of configurations, and product development is faster than evaluation can keep up with, it adds. Third party evaluations don't account for patch management and upgrades over the lifecycle of a product, the report says--going on to discount the idea of evaluators' ability to find and eliminate intentional flaws as virtually impossible in the first place.
The report acknowledges that many non-Chinese companies manufacture products in China, but says that factory location isn't the only important risk factor. "It is also ownership, history, and the products being marketed," it says.
- download the report, "Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE" (.pdf)
- go to a House Intelligence Committee statement on the report
- read a Huawei statement on the report
- read a ZTE statement on the report