(U) With the expanded use of Huawei Technologies Inc. equipment and services in US telecommunications service provider networks, the Chinese Government’s potential access to US business communications is dramatically increasing. China’s intelligence services and Chinese cyber actors could exploit Chinese Government-supported telecommunication equipment on US networks operating as an advanced persistent threat. China makes no secret that its cyber warfare strategy is predicated on controlling global communications network infrastructure.
(U) Since Huawei’s inception in 1987, the company continues to receive open support from senior Chinese Communist Party officials and People’s Liberation Army (PLA) Commanders. Bolstered by Chinese Government subsidization and direct financing, Huawei is able to offer unsuspecting US businesses low-cost offers in exchange for access to US networks.
(U) The purpose of this SPIN is to provide summaries of recent US investigative findings, private industry reporting, and news articles on Huawei Technology Inc.
(U) INVESTIGATIVE REPORT ON THE US NATIONAL SECURITY ISSUES POSED BY CHINESE TELECOMMUNICATIONS COMPANY HUAWEI
(U) Huawei and another China-based entity, ZTE, were both previously highlighted as concerns in a 2012 House Permanent Select Committee on Intelligence (HPSCI) report. The report noted, “the protection of intellectual property and compliance with United States export control laws are a core concern for U.S. interests. The ability of a company to comply with these laws provide a useful test of that company’s ability to follow international codes of business conduct and remain free of undue state influence.”
(U) UPDATES SINCE HPSCI
(U//FOUO) FBI Director Wray’s Senate testimony at the Senate Intelligence Committee in February 2018 demonstrates that the US government remains concerned about the security risks posed by Chinese telecommunications companies.
(U) In January 2018, daft bill HR4747, also known as the “Defending US Government Communications Act,” was introduced in the US House of Representatives. The bill cites reporting indicating that PRC companies Huawei and ZTE are “subject to state influence.” It would prevent the use or procurement of any telecommunications equipment or services from Huawei or ZTE as a “substantial or essential component of any system, or as critical technology as part of any system” as related to USG contracts.
(U) The draft Senate version of the bill, S.2391, would prohibit USG agencies from purchasing and leasing hardware and services made by ZTE, Huawei and any affiliates and subsidiaries.
(U//FOUO) PRC LAWS APPLICABLE TO CHINESE COMPANIES IN THE US
(U) Cybersecurity Law of 2017 requires telecommunication network operators and ISPs to store data within China and allows Chinese authorities to conduct spot-checks on company network operations.
(U) PRC National Security Law of 2015 calls for citizens and organizations to provide information or other assistance for Chinese national security works.
(U) 2015 Chinese Counterterrorism Law requires that internet service providers (ISPs) provide technical means of support in terrorism and other national security cases.
(U) 1996 Chinese Archive Law requires all Chinese state organizations, armed forces, political parties, social organizations, state-owned enterprises, establishments, and citizens to regularly transfer information to the Chinese government in China for record keeping and archiving. Subsidiary companies of Chinese companies are included.
(U) BACKDOORS AND UNDISCLOSED FEATURES
(U) Modern telecommunications are a complex ecosystem with multiple interoperable parts fulfilling different rules but all cooperating through shared standards. Any one of these parts could be a potential asset to a hostile foreign power. These inherent vulnerabilities are potentially in any equipment servicing and maintenance contracts. Additionally, manufactures regularly update most complex telecom products so even if there are no deliberate vulnerabilities now, some future update could install them. While some risks can be mitigated, it is highly unlikely that even careful inspections could identify all vulnerabilities.
(U) DISRUPTION AND DATA EXFILTRATION
(U//FOUO) Huawei and ZTE provide finished equipment, components, and services to network routers. Routers are used to connect users between networks, and network customers typically subscribe to an Internet service provider (ISP) to transport data between networks. If the routers were disabled, it could severely disrupt the internet, as traffic would no longer be routed between networks, except where carriers had their own private peering arrangements. Additionally, routers are comprised of integrated circuits and may include backdoors or other vulnerabilities that would allow for remote, unauthorized, and undetected access by the manufacturer or a malicious actor. These vulnerabilities could potentially allow for exfiltration of data to Chinese-based servers.
(U) 5G TECHNOLOGIES
(U//FOUO) Huawei could insert backdoors into current, 4G LTE, critical telecommunications infrastructure equipment it provides such as routers, switches, and phones. This could give Beijing potential access to national communications. If Huawei partners with telecommunications carriers to develop the next generation wireless network, 5G, then the backdoors could end up on far more telecommunications equipment to include cell phone towers.
(U) HUAWEI THEFT OF US PROPRIETARY INFORMATION
(U) T-Mobile created a phone-testing robot called Tappy that in a matter of days could test daily phone use and everyday functionality, compared to the weeks this testing used to take. As a handset supplier to T-Mobile in 2012, Huawei was granted access to the testing lab and the Tappy Robot after signing a clean room letter and non-disclosure agreements that prohibited photography, copying of source code, or any other theft of the technology.
(U) Despite T-Mobile taking significant steps to protect its robot intellectual property, in May 2013 Huawei employees took photographs and stole T-Mobiles trade secrets including the robot finger. In 2017, T-Mobile won its civil lawsuit against Huawei, who was found to have misappropriated trade secrets belonging to T-Mobile, who was awarded $4.8 million by a jury. This shows the lengths that Huawei went to steal T-Mobile’s proprietary information and how it treats its business partners, despite having signed legal agreements.
(U) OUTLOOK AND IMPLICATIONS:
(U) US assets are largely in the hands of the private sector, not the government. If your company or agency has information or assets that could help our adversaries advance their interests, then your company or agency is almost certainly being targeted. You must identify and protect your priority information and assets, and you should engage with your local FBI office to exchange intelligence and report suspicious activity. Prevention of harm is essential. Once a foreign country has acquired U.S. information or assets, the damage cannot be undone by punishing those who were responsible.