
It’s My Way or the Huawei

The Security Implications of Sourcing Critical Communications Infrastructure in a Globalized World


by Russell Bennett, UC Insights

October, 2012


A few months ago, I read a cover page article in the Economist, “Who’s afraid of Huawei?”, that highlighted the fact that Huawei had just surpassed Ericsson to become the world’s largest telecom equipment manufacturer.  A few weeks later, the Gartner Magic Quadrant for Unified Communications 2012 showed that Huawei had moved from the Niche to the Challengers quadrant: the only positive quadrant movement for this year and putting them alongside NEC, Alcatel-Lucent and IBM.  These gains have been attributed to the provision of high quality equipment at a low price.  However, the Economist article also highlighted the concerns of various governments related to cyber espionage, which appeared to be predicated on xenophobia and paranoia, rather than any substantive basis.

Another “shot heard ‘round the world”?

Despite being prepped by the Economist article, no-one was more surprised than I that on October 8th the US House Permanent Select Committee on Intelligence (HSCI) published a report recommending that Huawei and ZTE (H&Z) equipment be boycotted in the US.

It turns out that the US has had concerns about these companies for some time, and that in February 2011, Huawei had published an open letter to the government asking for an investigation; presumably with the expectation that they would be exonerated. Apparently an initial investigation raised concerns about ‘information gaps’ and the report of the full investigation states that the HSCI was dissatisfied with the degree of cooperation provided by H&Z.  The outcome was that the HSCI made the following recommendations:

  • “U.S. government systems, particularly sensitive systems, should not include Huawei or ZTE equipment, including component parts.   Similarly, government contractors – particularly those working on contracts for sensitive U.S. programs – should exclude ZTE or Huawei equipment in their systems.”

  • “Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services.   U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects.  Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”

By any standards, this is pretty strong language, even for an election season.  Given other statements being made in the larger political debate about US competitiveness with the People’s Republic of China (PRC) and other low-wage economies, it is hard to imagine how this report could be viewed as anything other than protectionist by the Chinese government and the two companies in question.

It remains to be seen what the Chinese response will be, other than fervent denial by H&Z.  I am not a computer/network security expert, nor am I privy to the classified information to which the HSCI darkly alludes regarding various espionage and cyber warfare exploits that are allegedly embedded in the products of H&Z.   However, this issue raises larger questions about the security of networks and the information contained therein, so I thought it was worth taking a look at these wider issues.

Cyber-warfare: the new, not-so-Cold War

Anyone that is paying attention to the threats to network security will already be aware that cyber warfare is an ongoing conflict.   Threats are perpetrated daily by various actors ranging from nihilist teenage ‘script kiddies’, through organized crime syndicates to national intelligence agencies.  If you want first hand evidence of the scale of the problem, take a look at your firewall log to see how many times you were ‘port scanned’ in the last 24 hours.

Anti-China hawks allege that many cyber assaults emanate from mainland China and even from the PRC military/intelligence agencies.   Given the propensity of the Chinese government to control its own national cyber-space to the greatest extent possible, it is not unfair to assume that if, in fact, these attacks emanate from China, then the Chinese government is at least aware of them, if not complicit in them.

However, let’s not fool ourselves that this is a one-sided effort.   One cyber-attack that was actually celebrated was the insertion of the ‘Stuxnet virus’ into the Iranian nuclear development program that caused physical damage to the equipment that was being used to process nuclear fuel.  At a recent ‘Black Hat’ conference, General Michael Hayden, former director of the US National Security Agency (NSA) and of the CIA, while not admitting awareness of the origin of the virus, said of Stuxnet:

"Given the issue of Iranian nuclear weapons, slowing them down, destroying a thousand centrifuges is just about as pure a good as I can think of."

However, General Hayden also admitted in a separate interview on '60 Minutes' that:

“The rest of the world is looking at this and saying, ‘Clearly someone has legitimated this kind of activity as acceptable international conduct.’"

So the developed world is now officially on notice that, as with nuclear weapons, we can’t ‘put the genie back in the bottle’; and the potential and actual threats to our networks are only going to escalate.

The Stuxnet virus was initially propagated by USB flash drives being used both outside and inside the Iranian R&D facility’s firewall, presumably by a careless, but unwitting, employee.  So the takeaway here is that the notion that excluding Chinese switches from service provider and enterprise networks is going to reduce the risk of cyber-attack is naïve (and that is the kindest word I could come up with).  While limiting the sources and vectors of propagation of a cyber-attack is a prudent measure, the goal of securing our networks is actually much more complex than the banning of certain vendors' equipment.

Opportunities for intellectual property egress

One of the concerns of the HSCI regarding H&Z technology is that it could be (or is being) a gateway for the extraction of intellectual property (IP) from Western companies which is then used to develop competing industries with very low cost structures (i.e. free R&D).  The belief is that such an espionage program would enable China to pull its economy up by its bootstraps (or, more exactly, by our bootstraps) as well as simultaneously inflicting damage on our economic prosperity and world dominance.  Frankly, this is laughable: and here is why.

First of all, any electronic surveillance or espionage is an expensive and low yield undertaking that could only be conducted productively in certain very high stakes operations (e.g. bugging the Oval Office).  Just imagine how many emails, documents, office conversations and formal meetings would have to be harvested from your workplace before an eavesdropper gained anything of value.  Then imagine how many fluent English speakers and readers (who must be at an absolute premium in China) would be required to sift the intellectual property secrets from the dross of banal emails, conversations about last weekend’s ‘big game’ and other office trivia.  Then multiply that by the number of companies and government agencies in which the Chinese might reasonably be interested.  Even with 1.3 billion people, they would waste so much time, energy and money on such activities that I suspect that they would never be able to take advantage of what they learned.

This is not to say that Western IP is not being (or has not been for decades) harvested by Asian companies.  The decade-long battle between Cisco and Huawei related to allegations of Huawei shipping whole chunks of copied Cisco code seems as if it will never end and there is apparently some merit to these claims.  However, gaining access to such IP does not require the existence of a Huawei switch in the enterprise network; I think that it is safe to assume that there are no Huawei switches in Cisco’s corporate network.  There are, however, many cheaper, more scalable and much more easily targeted ways to access corporate IP.

Let’s examine some that I can think of right away.

The patent system

The patent system is predicated on the concept of trading disclosure of the invention for the exclusive right to use that invention for a period of time (e.g. 20 years in the US).  I think that we all understand that the patent system is flawed in a variety of ways and that recent attempts to reform the patent system in the US have only scratched the surface.  However, with regard to IP protection and the patent system, let’s be honest with ourselves.  Those who respect patent law may be deterred from using patented intellectual property within the jurisdiction of the patent.  However, outside the jurisdiction of the patent (which could be filed in multiple jurisdictions) or for those who do not respect patent law, the patent system provides free access to a plethora of IP worth literally trillions of dollars to anyone with an Internet browser.

As an example, let’s take a look at my one and only patent: US patent 7,995,737.  Laid out before you is the product of several man-years worth of work by a group of very smart guys (plus me) that cost Microsoft a lot of money to create and to file as a patent.   Gaining access to it cost you nothing and you are now free to implement that in a competing product in a foreign country and to sell it in markets that have no bilateral IP treaties with the US.   You are now certain to get rich and to crush the unified communications market.  Or maybe not…

The competitive employment environment

Only some corporate IP is filed as patents – the remainder is retained as trade secrets.  However, those trade secrets are developed by creative people and their knowledge forms part of their personal stock-in-trade and competitive differentiation in the job market.  There is a significant grey area between the ownership of IP by the inventing company and the personal knowledge, expertise and experience of the inventor.  However, it cannot be denied that otherwise ethical and innovative ex-employees are able to accept work from competing companies and create new IP.  This would not be based on the former employer’s IP, but would be a product of the knowledge and experience that they have retained as they progressed through their careers.  Bottom line, as we all know: when an employee leaves one employer, a large chunk of experience and corporate memory goes with her; and that precisely is why the new employer hired her.  And all it cost the new employer was a slightly higher salary, better benefits / conditions / prospects or a better sounding job title.

Immigration and education of foreign students

Most countries actively recruit highly creative people from overseas as an explicit and legitimate immigration and economic development policy.  Some of these people are experienced workers, others are students attracted by education opportunities that don’t exist in their own country.  Even if the education is not subsidized by the host country or institution (but it often is) the student clearly sees a personal growth benefit from the transaction.  It turns out that, despite restrictions on H1B and other visas, the employment of foreign workers in science and engineering disciplines has grown significantly in the US over the last decade or so:

Estimates of US foreign-born Science & Engineering workers (% of total workforce):

Educational Attainment   1999 NSF   2000 Census   2003 NSF   2003 Census
Bachelor’s Degree        11.3%      16.5%         16.3%      18.8%
Master’s Degree          19.4%      29.0%         29.0%      32.0%
Doctorate                28.7%      37.6%         35.6%      39.5%

[Indeed, anyone personally acquainted with the co-inventors on the patent discussed above will know that group comprises (by birth, if not by current nationality): four Indians, an Israeli, a Russian, a Chinese, a Brit (me) and one American.]

We know that China and India have experienced some of the fastest economic growth in the world over the last decade.  So it is counter-intuitive that the Chinese and Indian-born population of the US increased by nearly 40% in just 8 years:

US foreign-born population by country of origin:

Country of Origin   2000        2008        % growth
China               1,519,000   1,913,000   26%
India               1,023,000   1,623,000   59%

In fact, this situation is a conscious part of macro and micro economic policy.  In recent weeks, Gov. Mitt Romney and John Chambers (CEO of Cisco) have both been quoted as saying: “Staple the green card to the diploma” (I guess that they must have been comparing notes).  The fact that Gov. Romney, Mr. Chambers and Cisco have recently also been among those complaining most about China, Huawei & ZTE is, however, strangely contradictory.

Note that I am not saying that many, or even any, foreign workers are spying for their country of birth.  The idea of ‘moles’ or ‘sleeper agents’ is entertaining in spy novels and movies; but running such a program is actually spectacularly inefficient.   There are much cheaper and more effective ways to harvest IP from overseas.

Reverse immigration and emigration

While the education and employment of foreign talent is viewed as a positive thing, it should not be assumed that the brain drain only works in one direction.  One interesting quote I found was:

“Significant numbers of high quality economic class immigrants are being gleaned from this territory: this office regularly engages in promotion and recruitment efforts to exploit this talent.”

This came from a report written by the Canadian Consulate in Los Angeles, regarding US college graduates (and we always thought that those nice Canadians were our friends).  Yet, with the recent explosive growth of the Chinese and Indian economies, there is an emerging trend for the best educated Indian and Chinese immigrants to repatriate to their home countries.  A survey of US immigrants repatriating to India and China showed the educational attainment to be:

Country of Origin   Master’s Degree   Doctorate
China               51%               40.8%
India               65.6%             12.1%

Joint ventures

The difficulties of entering an emerging market, combined with the attractions of doing so, often result in Western companies entering into joint ventures with local companies.  However, inherent in this undertaking is the significant risk (or actually, near certainty) of the unintended transfer of the Western company’s IP to the local partner.  Regarding this issue, a McKinsey Quarterly article “Past lessons for China’s new joint ventures” stated:

“Multinational companies still struggle to protect their intellectual property in China, and joint ventures are particularly vulnerable.”

The end of this tale of woe is usually that the local partner later competes with the Western partner in global markets using the subsumed IP.

Supply chain risk

The western vendors who stand to benefit from a boycott of H&Z include the following:

  • IP routing and service provider switches:

    • Ericsson, Alcatel-Lucent, Nokia Siemens Networks, Cisco Systems, Juniper Networks, Ciena, Tellabs

  • Enterprise telephony and unified communications:

    • Cisco Systems, Microsoft, Avaya, Siemens Enterprise, NEC, Alcatel-Lucent, IBM, Shoretel, Aastra Technologies, Interactive Intelligence, Digium, Toshiba

Ironically, every one of these companies outsources a proportion of its product manufacturing to China.  (That piece of research took me about 5 minutes, so you can do it too.)  Of particular note is the investment of $16Bn by Cisco in PRC-based manufacturing facilities in 2007.  So this raises a much larger question: how safe or secure is any product, regardless of the domicile of the vendor, or the country of origin of the product or its component parts?  In a globalized economy, there are no easy answers based merely on an examination of the logo on the product.

In fact, the security of a company’s supply chain, and the management of the risk of a potentially compromised supply chain, are very real concerns.  Furthermore, those concerns increase exponentially with the additional complexity of post-delivery updates being applied to software-based products.  (It is interesting to note that Stuxnet only came to light because a post-release update designed to improve its propagation contained a programming error.)

As you might expect, better minds than mine have already been applied to this problem.  Given the degree of pain that Microsoft has gone through in this regard, we can assume that they are probably the world leaders in this domain; so a pair of papers published over a year ago by that company's Trustworthy Computing group are worthy of mention:

The first of these papers articulates the problem:

“Governments worldwide have begun to express concerns about the threat to their Information and Communications Technology (ICT) systems from the global supply chain for ICT products.  These concerns are based on the risk that an adversary might tamper with products during their development, manufacture, production or delivery.”

It then goes on to explain how various governments have responded to the issue and makes recommendations on the principles and practice of supply chain risk management.  The second paper defines the framework for a technology security model that vendors can apply internally and externally.  Having participated in the Microsoft process, I can vouch for its rigor and painstaking approach.

Of particular relevance to the H&Z situation is the creation in the UK of a Huawei Cyber Security Evaluation Center that is aimed at: “…building mutual trust in the area of cyber security and to continuously delivering high-quality and reliable communications networks to our customers in the UK."  That goal appears to have been achieved, with the UK government recently responding to the HSCI report that H&Z posed no security threat to UK networks.  There is apparently a separate investigation being conducted by a UK parliamentary select committee and a report is due by the end of this year.  This approach is gaining favor and a similar facility to the UK lab is being proposed in Australia.

With the advent of globalization, the transparency and verification approach is the only way forward in a world that is increasingly dependent on computer technology.  It is completely unrealistic for any country, large or small, to expect to be able to deploy only domestic technology in critical infrastructure.  However, the requirements of transparency and verification are at odds with vendors’ competition and differentiation strategies and governments’ security requirements.   General Hayden (former NSA & CIA director) has stated:

"Business, for reasons of competitive advantage and liability, is reluctant to share; government, for reasons of classification, is reluctant to share.  We probably have to recalibrate openness and sharing between a government and the private sector."

The basis of such an arrangement is already in place in most governments.  In the US, JITC (a department of DISA) already defines standards and conducts testing of vendors’ equipment for military purposes.  As with the UK approach, it seems a short step from that to a more generalized verification process that, combined with the Microsoft proposal, would provide assurance for critical infrastructure in both the public networks and enterprise networks.

Standard security measures

The existing threats of network intrusion, cyber-vandalism and information theft ensure that enterprises and network operators have already put a raft of security measures in place.  So it is not clear to me how the alleged threats in H&Z technology can operate unrestricted in a secure environment.  Furthermore, every incident only serves to strengthen our capability and resolve to protect our networks.  Of course, this is often a reactive process, but not always.  US Secretary of Defense Leon Panetta, in a speech on October 12th, stated:

“Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses.  The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack… Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,”

So, clearly, cyber-security has evolved into a technology cold war, similar to the ‘arms race’ and the ‘space race’.  But this isn’t a bad thing, in my opinion: the space race got us to the moon in less than 10 years (and helped us invent critical technology such as powdered orange juice!).  So as long as perceived threats are managed, they also spur progress: humans are competitive creatures.

Summary

It can be seen that neither the PRC nor H&Z need to conduct elaborate conspiracies to harvest Western IP.  Indeed, IP, like water, could be said to naturally ‘flow downhill’ via a range of different mechanisms until the ‘water’ finds a new level.  Rather than wasting excessive time and resources in protecting IP, or harvesting the IP of others, companies would arguably do better by innovating as fast as they can.  Being first to market with the best technology is the only sure way of maintaining a sustainable competitive advantage.  Copying what others have already done is well understood to be a losing business strategy.

As for the possibility that there are ‘kill switches’, spyware, Trojan horses or other cyber-warfare exploits in the products of any company: the Stuxnet episode tells us that it is hard to be sure of the security of any product at any given moment in time.   To mitigate these risks, the application of the highest levels of network security should be standard practice.  However, a policy of verifying before trusting is also prudent and this can only be done economically by developing multi-lateral protocols for ensuring the security of our increasingly pervasive technology infrastructure.

It is not for me to say whether the HSCI recommendations on H&Z were justified.  But while all vendors must be able to assert the security of their products if they are to be trusted by customers, the boycott of specific companies doesn’t eliminate cyber threats.  It does, however, raise the specter of protectionism and only serves as an impediment to the much admired capitalist process of ‘creative destruction’.

The longer term impact of the HSCI report remains to be seen – but appropriate responses to it will ensure that it does more good than harm.

