The Myth of The Chinese Backdoors
During one of the Cairo Security Camps I talked about more than 12 popular Israeli information security products used in Egypt by home as well as corporate users. Also, the US senate issued a report recommending banning the use of Chinese manufactured networking products and technologies, mainly from telecommunication giants Huawei and ZTE. The rationale is that it’s “not wise” to use “untrusted” technology and products as your main communication backbone on a national level, as the original country of manufacture “in that case China” can use their technology as a backdoor for espionage, or for remotely shutting down the equipment if both countries ever came to a dispute. This makes perfect sense, except it’s only half of the truth. Before we answer and discuss the full truth, let’s discuss what we know about Huawei from the public domain.
Huawei was founded in 1987 by Ren Zhengfei and is a private company owned by its employees “or so it seems”. Its core activities are building telecommunications networks; providing operational and consulting services and equipment to enterprises; and manufacturing communications devices for the consumer market. Huawei has over 110,000 employees, around 46% of whom are engaged in research and development (R&D). That’s a lot of R&D. In 2010, Huawei recorded revenues of US$28 billion “nearly 10 times Suez Canal revenue”. Its products and services have been deployed in more than 140 countries and it currently serves 45 of the world’s 50 largest telecoms operators. The company is very competitive globally because the price list for Huawei is known to be 30% less than the competition, which is mainly Alcatel-Lucent and Ericsson.
Given that Huawei is the world’s 2nd largest telecom equipment manufacturer after “Ericsson”, there have been questions regarding the fact that a company of this size is still privately owned and not publicly listed. Huawei Technologies Co Ltd itself is a wholly owned subsidiary of Shenzhen Huawei Investment & Holding Co Ltd. Huawei Holding is solely owned by employees of Huawei, without any third parties (including government bodies) holding any of its shares. In other words, Huawei employees own both the company they work for and the company that owns Huawei itself, which is just a foolish attempt to appear as a private company. It’s worth noting that despite being established in 1987, the first time Huawei disclosed its board of directors was in 2011.
Meaning of the Brand:
The name in Chinese means: “Splendid Action or Achievement”.

Relation with the Chinese People’s Liberation Army (PLA):
Huawei’s founder Mr. Ren Zhengfei is ex-Chinese military, having served in the PLA from 1978 to 1982 as director of the PLA Information Engineering Academy, which is responsible for telecom research for the Chinese military; he was later nominated by the PLA to join the communist party convention in 1982 in recognition of his outstanding performance.
Huawei is one of very few Chinese technology companies that enjoys a “line of credit” from state banks, which grants them the liquidity and financial backing required to engage in mega projects across the globe. Huawei has many Research and Development (R&D) partners in more than 6 countries, including universities and commercial companies like Motorola and 3com. The Chinese People’s Liberation Army (PLA) is also an R&D partner to Huawei. It’s worth noting that several CEOs around the world have joined the military at some point in their career. And several US/UK telecommunication companies are partnering with the US/UK military for R&D related projects, including Cisco.
Several governments already banned Huawei from dealing with the critical national information infrastructure or the national backbone networks; I will try to take the following countries as examples:
In 2010 India’s government blocked China’s Huawei Technologies Co. and ZTE Corp. from selling network equipment to domestic phone carriers because of “security concerns”. Also in 2010 India’s Department of Telecommunications informed Prime Minister Manmohan Singh’s office that requests from Indian companies to import Chinese network equipment were being turned down because of “security concerns”. The two sides reached an agreement by which Huawei would only be allowed to compete in the Indian market if it opened an R&D facility and assembled the devices in India (Bangalore), and if the devices were vetted by 3rd party examiners like Infoguard (USA) and ALTAL (Israel).
In 2011 this agreement faced another challenge when reports surfaced that Huawei Technologies’ R&D facility in Bangalore has certain floors restricted to Chinese scientists only. The official statement from the Indian Government is that it will “closely monitor the situation”.
• http://www.bloomberg.com/news/2010-04-30/india-said-to-block-china-s-huawei-zte-from-selling-phone-network-gear.html
• http://articles.timesofindia.indiatimes.com/2010-05-06/telecom/28316060 1 huawei-india-security-agencies-r-d-facility
China/India Background:
• The two countries (China and India) have had unsolved border disputes since 1962.
• India’s trade deficit with China widened more than 40 percent to $15.8 billion in 2009.

• In 2003 Cisco sued Huawei over allegations of IP infringements.
• In 2010 the US congress blocked Huawei from acquiring a US computer company called 3-leaf over “security concerns”.
• In March 2012 security firm Symantec dissolved a technical alliance with Huawei in fear of a negative response to this engagement by the US government security agencies.

• http://www.bbc.co.uk/news/business-12575237
• http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-with-huawei-of-china.html
In March 2012, the Australian government decided to ban Huawei from supplying any telecommunication equipment for the National Broadband Network (NBN) over “security concerns”. The NBN is a $36 billion project designed to be Australia’s telecommunication network backbone, offering services that include (Fiber to Home) to the country’s residents. The ban on Huawei was imposed despite the company’s participation in similar national broadband networks already installed in eight other countries, including the United Kingdom, Italy and New Zealand.

It’s also worth mentioning that nearly all of the documentation and supporting manuals for Huawei backbone equipment and fiber multiplexers are in “Chinese”, and the equipment administration and configuration “know how” is very limited and rare outside of Huawei’s engineers and sub-contractors, making the project owners very dependent on the vendor for after-sale changes or services.

To summarize, it’s widely reported in the security domain that Huawei and ZTE devices, especially the network routers, backbone switches, fiber multiplexers and other corporate and national level networking equipment, have backdoors that “may” be used to grant access to the Chinese government upon request. The truth is that this has never been proven by any of the countries above, although they have every right to proactively protect their national networks, better than other countries that don’t even bother.
• http://www.afr.com/p/technology/chinagiant_ banned from nbn 9U 9zi1oc3FXBF3BZdRD9mJ
• http://afr.com/p/national/asioforcednbnto_ dumphuaweiFaglE6qWrqd5utgLpROld0
Huawei in Egypt:
Since 2002-2003 the company has enjoyed winning several mega projects covering major components in the national telecommunication infrastructure. This year Huawei announced the opening of the regional Network Operation Center (NOC) in Cairo’s smart village, providing support to all the company’s customers in North Africa. In a recent statement Mr. Zou Zhilei, president of Huawei Northern Africa region, said: “To date, Huawei has also launched global NOCs in India and Romania, and will soon in Mexico,” Zhilei added.
The countries hosting the NOCs above might have been selected for many economic reasons, but I can also argue that those countries were preferred over others because of their strategic location (Romania is a NATO member and close to Russia, Mexico is USA’s backyard, and Egypt is an important anchor in the Middle East).
Technically speaking, a backdoor can be introduced to “any network equipment” by a simple firmware upgrade or service patch, regardless of the vendor or the country of manufacturing. For developing countries that are at the end of the day “technology consumers” like Egypt, choosing a particular vendor to run a critical telecom infrastructure is purely a political decision.
Security wise, the threats (backdoors, eavesdropping, discontinued support, etc.) are exactly the same regardless of the vendor or manufacturer. This is the residual risk when you don’t own the technology or the “know how”. When you buy and use an advanced piece of technology you automatically accept the risk that you really don’t know what’s happening (or can later happen) inside this device. As Mr. Alastair Gibbon, the former Australian Federal Police’s cyber security chief, said when commenting on the Australian-Huawei ban issue, the “right question” to ask is: “Between the US and China which government has been more loyal to Australia over time and which would support us in a time of Australian need.”
Recommendations at a national level:
• We should avoid relying on proprietary technologies and use industry-wide recognized standards as much as possible.
• Avoid sole and exclusive dependence on a particular vendor.
• Focus on research and development and knowledge transfer as a matter of survival in the new world.
• For critical, strategic and sensitive projects, ask for access to product source code. The Indian government has this clause in its strategic agreements with Microsoft, Symantec and RIM. The Indian government has the full source code of Windows, Symantec AV etc. as a prerequisite before allowing those products to be used in the government.
• For critical, strategic and sensitive projects, try to consult the political administration on long term strategic alliances.
• Consider financially investing in the major vendors or demand that they open R&D centers in Egypt.
• Consider establishing full-fledged security labs for vetting critical products, or seek professional 3rd party vetting.
About The Author
Mr. Omar Sherin is the head of critical information infrastructure protection (CIIP) at Qatar Computer Emergency Response Team (Q-CERT), an ictQATAR initiative. In this role he participates in technically assessing critical infrastructure, drafting guidelines such as the Qatari National ICS Security Standard, and conducting Qatar’s national cybersecurity drills. He is also an international partner of the Industrial Control Systems Joint Working Group (ICSJWC) and a certified business continuity professional, certified ethical hacker, and ISO 27001 lead auditor. He has more than 11 years of professional experience in information security and resiliency, and has worked for several multinational firms in the oil and gas sector.