Huawei Claims Transparency But These Facts Say Otherwise

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies. 

"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do." 

- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)

 Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly mean't to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike U.S. companies named with supporting legal NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

That's not being transparent, gentlemen.

Add to Cart View detail

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the PLA's Third Directorate (3PLA) is the responsible State organization behind Comment Crew (aka APT1). One of the things that the report's authors didn't do was demonstrate how the other State agencies who engage in this type of activity were excluded in their analysis. For future reference, here's a more complete list of the possible organizations who conduct intelligence activities (including cyber) to consider or rule out in terms of possible Chinese attribution.

Traditional Channels

Civilian

• The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
• Ministry of Public Security (MPS) - National Police; Domestic Intelligence

Military

• Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): engages in foreign intelligence, imagery intelligence, and tactical reconnaissance
• Third Department of the PLA General Staff Department (3PLA); engages in signals intelligence
• Fourth Department of the PLA General Staff Department (4PLA); engages in computer network operations
• Liaison Office of the PLA General Political Department
• Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
• State Secrecy Bureau

Non-Traditional Channels

• Commission of Science, Technology and Industry for National Defense (COSTIND)
• Research Institutes
• PRC Military-Industrial Companies
• Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times; e.g., that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations - meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft but we don't know the scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report has, according to Mattis, offices and technical reconnaissance bureaus in each of China’s seven military regions and several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China’s non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information.  In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Such a lack of tradecraft involved deserves at least a mention in the report that non-traditional channels as defined above were considered. As this article points out, those options are plentiful within China, but also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.

Reference Material:

The Analytic Challenge of Understanding Chinese Intelligence Services

Directed or diffuse?: Chinese human intelligence targeting of US defense technology

PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"

Add to Cart View detail

Huawei's Cavernous Cyber Security Credibility Gap

Approximately one month before Huawei officials (along with ZTE officials) are supposed to testify before the House Permanent Select Committee on Intelligence (October 2012), the company's Global Cyber Security Officer and SVP John Suffolk released a white paper entitled "Cyber Security Perspectives: 21st Century Technology and Security - a Difficult Marriage".

I've been monitoring Huawei for several years and have given dozens of briefings on the security risks associated with the company, its management and its products. I've had several Huawei employees contact me privately about issues within the company and I've spoken to at least one of their senior executives last year about my concerns. I just finished reading Mr. Suffolk's white paper, which Andy Purdy, former Director of DHS National Cyber Security Division and now Huawei's Chief Security Officer, helped write. While it covered all of the usual bases regarding Huawei's commitment to security (I'm not going to recap these - read the paper if you must know), it addressed none of the issues that underscore the opinion of myself and others that Huawei is a security threat, such as:

• Madam Sun Yafang's past employment with China's Ministry of State Security and how she helped the young company secure loans form the Chinese government.
• Claims that Huawei benefited from Nortel's IP in 2004 including duplicating its instruction manuals.
• Claims that Huawei stole source code from Cisco and its settlement of those claims in 2004.
• Lack of full disclosure regarding Huawei's obligations to the Chinese government as a national champion firm and a provider of services and products to the State including the Peoples Liberation Army. 
• Lack of full disclosure regarding how many of its executives are members of the powerful Chinese Communist Party (CCP) and therefore bound to comply with directives from the CCP. After all, the CCP plays a dominant role in China's economy.

If Huawei's white paper is an example of how Huawei intends to address the concerns of the House Intelligence Committee, it's not nearly enough - even with Andy Purdy's help.

UPDATE (06SEP12): According to Reuters, Huawei is negotiating terms for its testimony before the House Intelligence committee. The fact that they have to "negotiate terms" says a lot to me about how valid the scope and validity of the concerns that I mentioned above are, not to mention the ones that Huawei doesn't want to have discovered.

Add to Cart View detail

Huawei's Chairwoman Worked For Chinese Intelligence Before Joining Huawei

Much has been made of the fact that Ren Zhengfei, Huawei's founder and CEO used to work as an engineer in the Peoples Liberation Army before he founded Huawei in 1988. However, lots of CEOs around the world are military veterans including me. What's much more significant is the little-known fact that Huawei's Chairwoman Sun Yafang used to work for China's equivalent of the CIA; known as the Ministry of State Security (MSS). The MSS was formed in 1983, about 4 years before Ren founded Huawei (1987). According to the U.S. China Business Council:

MSS conducts covert intelligence gathering operations overseas. It has established intelligence agencies in more than 170 cities and in nearly 50 countries and regions all over the world. These agencies are classified as general branches, branches, and sub-branches. MSS aggressively targets the United States, placing particular emphasis on California's high-tech sector. Cover for Beijing's espionage in the United States includes the 1,500 Chinese diplomats operating out of 70 offices, 15,000 Chinese students who arrive in the United States each year, and 10,000 Chinese who travel in some 2,700 visiting delegations each year.

The Federation of American Scientists (FAS) has a much more detailed description of its history and operations here.

Madame Sun's past with the MSS was first disclosed by a Financial Times article last April. Her Huawei biography neglects to mention that key affiliation, however it is commonly reported in many places on the Chinese Internet. One place in particular is the alumni page for her alma mater; at least it did until just recently when it was mysteriously corrected. Here is a table showing the original time line which included her tenure at MSS and the new "corrected" timeline.

The redaction occurred shortly after I posted two back-to-back articles about Huawei's questionable employee stock loans. Apart from the alumni website, similar information about Madame Sun's time at the MSS also appears in Baidu's version of Wikipedia. Considering how difficult a time Huawei is having convincing the U.S. government that it's just another technology company, I would think that the company would respond by releasing a verifiable resume of their Chairwoman which would end this controversy once and for all; similar to what President Obama did to resolve questions about his birth certificate.

UPDATE: I just learned about the Washington Times article of Oct 11, 2011: "Chinese telecom firm tied to spy ministry", which reports on essentially the same facts mentioned here (sans the attempted cover-up). Bill Gertz references an Oct 5 report by the Open Source Center: “Huawei Annual Report Details Directors, Supervisory Board for First Time,”

UPDATE (12 Oct 2012): Here's an archived copy of the web page that mentions Madame Sun's time with the MSS.

Add to Cart View detail

Here are the Facts about Huawei and the Chinese Government

Yesterday Huawei was blocked by the U.S. Government from participating as an equipment supplier for the Public Safety 700-MHz Demonstration Network, which is a first responders communications network that's part of the Commerce Department. Huawei VP William Plummer wants to know why. According to Plummer:

“Huawei has repeatedly and factually demonstrated its corporate independence,” Plummer said. “No one has ever factually demonstrated otherwise and playing Huawei as a pawn in some geopolitical game of chess is doing nothing more than threatening U.S. jobs, investment, competition and innovation.”

Well, that's not really true. Here are the facts regarding Huawei's affiliation with the Chinese government and why the U.S. as well as other nation states should be cautious about acquiring Huawei equipment.

1. The company's founder Ren Zhengfei was an engineer in the PLA prior to forming his company.
2. The company's chairwoman Sun Yafang worked for the Ministry of State Security and while there helped arrange loans for Huawei before joining the company as an employee.
3. The government of China is Huawei's biggest customer; specifically the State-owned telecommunications services. 
4. Huawei equipment is used to intercept communications in China for state-mandated monitoring.

So to recap, Huawei is considered a national champion telecommunications firm in a nation that monitors all telecommunications networks and engages in cyber-espionage activities using, at least in part, Huawei equipment. The company's Chairwoman used to work for the MSS, China's foreign intelligence service and its founder started the company after serving in the PLA. Those are the facts, and they should be sufficient to justify denying Huawei access to the U.S. market as well as shame U.S. companies like Symantec who have partnered with them.

I'm happy to debate these facts with any representative from Huawei in any venue at any time. My contact information is at my company website.

Add to Cart View detail