Lawmakers to U.S. companies: Don't buy Huawei, ZTE

In a 52-page report, the House Intelligence committee raises concerns about the two Chinese telecommunications gear makers' ability to aid Chinese espionage.

Jay Greene Former Staff Writer
Jay Greene, a CNET senior writer, works from Seattle and focuses on investigations and analysis. He's a former Seattle bureau chief for BusinessWeek and author of the book "Design Is How It Works: How the Smartest Companies Turn Products into Icons" (Penguin/Portfolio).
Shara Tibken Former managing editor
Shara Tibken was a managing editor at CNET News, overseeing a team covering tech policy, EU tech, mobile and the digital divide. She previously covered mobile as a senior reporter at CNET and also wrote for Dow Jones Newswires and The Wall Street Journal. Shara is a native Midwesterner who still prefers "pop" over "soda."
Jay Greene
Shara Tibken
13 min read
Inside Scoop: Lawmakers telling US companies not to buy from Huawei and ZTE
Watch this: Lawmakers telling US companies not to buy from Huawei and ZTE

WASHINGTON, D.C.--The House Intelligence Committee released a report this morning, accusing two Chinese makers of telecommunications gear of posing a national security threat and discouraging American businesses from buying their equipment.

In a 52-page report, the committee said that neither Huawei or ZTE addressed concerns raised repeatedly by lawmakers over their ability to snoop on American companies or individuals. And neither company was able to convince the committee that they could not be persuaded by the Chinese government to aid its espionage efforts if enlisted to do so.

"Neither company was willing to provide sufficient evidence to ameliorate the Committee's concerns," the committee wrote in its report. "Neither company was forthcoming with detailed information about its formal relationships or regulatory interaction with Chinese authorities. Neither company provided specific details about the precise role of each company's Chinese Communist Party Committee."

Because of that, the committee concluded that American companies should consider buying their telecommunications gear from other companies.

"U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects," the committee wrote. "Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

The committee, led by Mike Rogers (R-Mich), released the report today during a press conference at the U.S. Capitol in Washington, D.C. The group is putting the full weight of the federal government behind its effort to squelch perceived spying threats by two companies almost no one in the U.S. has heard of. Rogers noted numerous times that other areas of the government -- like the FBI -- will be following up on criminal claims, and he said the report may be amended to add more information once it's discovered.

But the press conference also took place on a holiday, with the Capitol eerily deserted aside from the packed media room.

The U.S. Capitol is quiet ahead of a press conference about Huawei and ZTE. Shara Tibken/CNET
The Chinese companies, and Huawei in particular, have long been dogged by fears that their equipment and products could potentially be used to spy on companies and individuals, the primary reason why they have been slow to enter the U.S. and win significant businesses. The companies have denied any influence from the Chinese government, and have been working to improve the perception of their businesses in the U.S.

Bill Plummer, Huawei's vice president for external affairs, called the report a "political distraction" when asked if it would impact the company's business in the U.S.

"Huawei is a world-trusted company with products globally proven to be secure," Plummer said. "Those are the facts today, and those will be the facts tomorrow."

Plummer published a blog post on Huawei's Web site today, reiterating the company's commitment to investing in the U.S. and criticizing the report for ignoring reality and failing to produce evidence of a security risk.

Huawei issued an official statement, accusing the committee of having a "predetermined outcome."

ZTE, meanwhile, reiterated its claim that the company poses no threat to the U.S. telecommunications infrastructure.

Huawei and ZTE both argue that the concerns over their Chinese origins are moot because most networking equipment is manufactured in China, even if the other companies are based in Europe. By that logic, ZTE said the U.S. government should extend its investigation into every company making equipment in China, including Western vendors.

The committee took particular aim at Huawei, the larger of the two companies. In its report, the committee said that "several former and current Huawei employees," who the committee didn't name to protect them from retaliation or dismissal, alleged a pattern of illegal behavior by Huawei officials. They included fraud, bribery, copyright infringement, and immigration violations, among others. The committee said it will refer the allegations of fraud and bribery to the Justice Department.

Plummer, who attended the conference with the press, looked annoyed following the presentation in the Capitol meeting room. Plummer was immediately mobbed by reporters after the official press conference. He took issue with many comments made by the committee, such as claims Huawei hasn't been forthcoming with information.

"It's a dangerous thing to suggest you can solve vulnerabilities by embargoing a company," he said. Plummer said not using Huawei products puts U.S. jobs at risk, and he said that the "real solution" is setting global standards to govern all companies.

"My company should not be held hostage to someone's political agenda," he added.

On a later conference call with reporters, Plummer further lashed out at the report, and said the move to get companies to ban using Huawei products was "little more than an exercise in China-bashing, protectionism, and an egregious example of libel."

Bill Plummer, Huawei vice president for external affairs, responds to questions following a report from Congress. Shara Tibken/CNET

CNET visited Huawei's Chinese headquarters in Shenzhen and a research facility in Shanghai this summer to report on the concerns among lawmakers and the company's response.

During today's press conference, Rogers underscored the threat to national security by allowing the gear of Huawei and ZTE to handle sensitive data over computer networks.

"Are we ready to have these two companies, clearly tied to the Chinese government ... to have access to the most sensitive data we deal with every day?" Rogers asked.

C.A. Dutch Ruppersberger, (D-Md.), the ranking Democrat on the committee, dismissed the notion that the report was merely "trade protectionism masquerading as national security." He cited the persistent efforts within China to hack into sensitive U.S. networks to steal data.

As Huawei's business grows and as it pushes into new markets, it runs headlong into a raft of entrenched rivals, none stronger or more threatened than Cisco Systems. The two companies have clashed for much of the last decade, with Cisco accusing Huawei in 2003 of stealing patented source code. Cisco is likely to be one of the biggest beneficiaries of the investigation, and Huawei has suggested in the past that Cisco is often behind the efforts to besmirch Huawei's reputation.

Cisco, meanwhile, recently ended its partnership with ZTE after it was revealed that ZTE was selling Cisco-branded networking equipment to Iran.

While the committee's report today was heavy on rhetoric, it provided few new specific allegations about alleged spying efforts. There was not a single instance cited, for example, of data theft enabled by the gear of either company.

Instead, lawmakers cited several instances of issues that raised red flags. Some ZTE gear has what the committee views as a "backdoor," a way for snoops to sneak into a network undetected, Rogers said in the press conference. ZTE, though, refers to that as "a bug." He cited other examples of equipment performing oddly with no explanation, such as "numerous examples" of "beaconing" by Huawei technology, which is when routers turn on in the middle of the night and send large data packs to China.

Plummer acknowledged that there was an incident a few months ago in which a Huawei employee's laptop had connected to a customer's network and began transmitting data somewhere outside of the country. But he said the laptop was infected the night before at a hotel in San Antonio, when the employee accessed the facility's shared WiFi network, and didn't come from Huawei.

Plummer pointed to the incident as an example that cyber vulnerabilities were everywhere, and that the only answer is to work together, as opposed to shutting a few companies out.

In the end, Rogers said he hopes the report will signal to the Chinese government that U.S. lawmakers will not let spying threats go ignored.

"We hope this is at least a wake-up call, and we hope this is the first step to ensuring there's a free and open market when it comes to telecommunications," Rogers said.

--Roger Cheng contributed to this story.

Updated at 7:45 a.m., 9 a.m., 11:25 a.m., and 12:17 p.m. PT: to include more details, analysis, and comments from Huawei and ZTE.

Below is Huawei's full statement:

The United States is a country ruled by law, where all charges and allegations should be based on solid evidence and facts. The report conducted by the House Permanent Select Committee on Intelligence (the Committee), which took 11 months to complete, failed to provide clear information or evidence to substantiate the legitimacy of the Committee's concerns.

We had hoped to ensure that the investigation would be fact-based and objective in its review of our business activities and the global issue of cyber-security. Over the past 11 months, Huawei has cooperated with the Committee in an open and transparent manner, and engaged in good faith interaction: our top management team carried out multiple rounds of face-to-face communication with the Committee members in Washington D.C., Hong Kong, and Shenzhen; we opened our R&D area, training center, and manufacturing center to the Committee and offered a wealth of documentation, including the list of members of the Board of Directors and the Supervisory Board over the past 10 years, and the annual sales data since our establishment in 1987; we also made the list of our shareholding employees, the shares they hold, as well as information about our funding resources and financial operations available to the Committee. We adopted a transparent approach in providing this information to ensure the results are fact-based and unbiased, hoping the Committee's objective review of our business activities and the global cyber security issue can clarify the misperception of Huawei.

However, despite our best effort, the Committee appears to have been committed to a predetermined outcome.

The ranking member of the Committee stated at the hearing that the investigation by the committee "is not political jousting or trade protectionism masquerading as national security". Unfortunately, the Committee's report not only ignored our proven track record of network security in the United States and globally, but also paid no attention to the large amount of facts that we have provided. Even before the investigation began, the Chairman of the committee advocated to media that "I stand by my caution to the American business community about engaging Huawei technology until we can fully determine their motives".

The report released by the Committee today employs many rumors and speculations to prove non-existent accusations. This report does not address the challenges faced by the ICT industry. Almost every ICT firm is conducting R&D, software coding and production activities globally; they share the same supply chain, and the challenges on network security is beyond a company or a country. The Committee's report completely ignored this fact. We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese ICT companies from entering the US market.

Huawei is a global Fortune 500 company owned by its employees. For the past 25 years, we have held an upstanding record. Our customers and partners are fully aware that this report cannot change the fact that the safety and integrity of Huawei's solutions are well-recognized by the industry. Currently, the integrity of Huawei's operations and the quality and security of our products are world-proven across 140 countries around the world. They are deployed by over 500 operators and our products have served almost 3 billion people worldwide. These customers know and trust Huawei and they know our commitment to their company and to their customers who rely on them for their communications service. Huawei has introduced best practices of Western management to construct standardardized and process-oriented operational management systems, including product development, supply chain management, financial management, human resources, and quality control. Huawei's annual financial reports are audited by KPMG.

The United States has become the world's largest economic entity in a short period of time due in large part to the open policy it has been implementing over the past 200 years. We believe that the United States will continue with this spirit. Huawei is no different from any start-up enterprises in Silicon Valley, and our growth and development relies very much on our entrepreneurial spirit, the commitment and hard work of our employees, as well as our unwavering dedication to innovation. Moving forward, we will continue to do the best we can to provide our customers with safe, convenient, and equal access to information and communications services.

Here's the ZTE statement:

ZTE's Equipment is Safe and Poses no Threat to US Telecommunications Infrastructure The Company's Trusted Delivery Model Improves Equipment Safety and National Security

WASHINGTON, D.C. - October 8, 2012 - ZTE today reiterated its support for its Trusted Delivery Model and renewed its commitment to work with the House Permanent Select Committee on Intelligence (Committee), government agencies, and the private sector to address all cybersecurity concerns.

ZTE has set an unprecedented standard for cooperation by any Chinese company with a US congressional inquiry. ZTE has presented the Committee with ample facts that demonstrate ZTE is China's most transparent, independent, globally focused, publicly traded telecom company. ZTE is listed on the Hong Kong and Shenzhen Stock Exchanges. The company already is recognized as a Trusted Delivery Partner by 140 governments and 500 network carriers.

ZTE's equipment is safe for US telecom infrastructure. In its Fourth Recommendation, the Committee encourages companies to offer "more consistent review by independent third-party evaluators of their cybersecurity processes." The Committee has credited ZTE with advocating a solution, based on a Trusted Delivery Model, in which the telecom vendor transfers hardware, software, firmware, and other structural equipment elements to an independent third-party threat assessment laboratory with US government agency oversight.

The Committee has raised technical questions regarding the effectiveness of Trusted Delivery Systems, but the Committee recommends continuing efforts to identify effective mitigation solutions. David Dai Shu, ZTE's director of global public affairs, said "ZTE appreciates the Committee's recognition that ZTE has offered US carriers a Trusted Delivery Model solution. ZTE will work with the Committee, US government agencies, and ZTE's US customers to identify and deploy the most effective equipment cyber-security measures possible. ZTE is committed to assuring US carriers and US government agencies its equipment is safe."

Dai Shu said, "It is noteworthy that, after a year-long investigation, the Committee rests its conclusions on a finding that ZTE may not be 'free of state influence.' This finding would apply to any company operating in China. The Committee has not challenged ZTE's fitness to serve the US market based on any pattern of unethical or illegal behavior."

According to the Committee, ZTE was included in this investigation simply because it is one of "the top two Chinese telecommunications equipment manufacturers." Virtually all of the telecom infrastructure equipment now sold in the US and throughout the world contains components made, in whole or in part, in China. That includes the equipment manufactured and sold by every Western vendor in the United States, much of which is made by Chinese joint venture partners and suppliers.

Dai Shu said, "Particularly given the severity of the Committee's recommendations, ZTE recommends that the Committee's investigation be extended to include every company making equipment in China, including the Western vendors. That is the only way to truly protect US equipment and US national security. National security experts agree that a Trusted Delivery Model will strengthen national security. In fact, major US carriers are increasingly requiring Trusted Delivery Model in their contracts."

ZTE has presented the Committee with the following facts:

-ZTE is China's most transparent, independent, globally focused, publicly traded telecom company. Every business decision and action taken within ZTE serves the Company's 140,000 public shareholders on the Shenzhen and Hong Kong Stock Exchanges, including many of the world's leading institutional investors. As ZTE's Independent Director, an American citizen, has confirmed in a sworn affidavit: ZTE's business decisions and actions are not directed or influenced by China's government.

-ZTE has an unbroken history as a commercial telecom technology innovator for three decades. The company is a leader in international equipment standards-setting organizations, and it is recognized as a Trusted Delivery partner by over 500 network carriers in 140 countries. ZTE was the pioneer among Chinese companies entering into technology licensing agreements with US suppliers, with its first licensing agreement with Qualcomm in 1999. In recent years, ZTE has spent over $14 billion on US chip sets and other US equipment, and has created over 20,000 direct and indirect US jobs. ZTE will continue as a major customer of US telecom equipment suppliers for years to come.

-To assure US supply chain security, ZTE offers US carriers its Trusted Delivery Model, a fully transparent and comprehensive review and monitoring system conducted by a highly respected independent US threat assessment laboratory. ZTE's Trusted Delivery Model provides for a thorough end-to-end security evaluation of ZTE's software, firmware and hardware throughout the equipment life cycle. The Trusted Delivery Model also makes audits available for US Government agency review to facilitate additional assurance and oversight.

-Given ZTE's cooperation and the facts ZTE has presented to the Committee, ZTE is disappointed that the Committee chose to narrowly focus its review on just the two largest Chinese companies and to exclude Western telecom vendors and their Chinese joint venture partners. Given that virtually all US telecom equipment is produced in China, in some measure, the Committee's narrow focus addresses the overall issue of risk to US telecom infrastructure so narrowly that it omits from the Committee's inquiry the suppliers of the vast majority of equipment used in the US market. ZTE is a relatively small US telecom infrastructure equipment supplier in comparison with most of the Western vendors. Sales of ZTE's telecom infrastructure equipment in the US comprised less than $30 million in revenue last year. Two Western vendors, alone, last year provided the US market with $14 billion worth of equipment.

-US carriers and the US Government have come to rely upon the Trusted Delivery Model as the best protection for telecom infrastructure equipment. A Trusted Delivery Model is vendor-neutral. US carriers can trust the equipment and that is the best protection of US national security.

"ZTE recognizes and fully respects the Committee's obligation to protect US national security," said Dai Shu. "ZTE believes the Committee focused its examination too narrowly on vendor locations not on equipment security. The Committee omitted the Western vendors and their Chinese manufacturing partners, which provide most of the US equipment now in use. The Committee also overlooked the opportunity to advance universal application of the Trusted Delivery Model which protects critical telecom networks on a vendor-neutral basis."