June 11, 2019

“No smoking gun” but Huawei security threat too great to ignore, warns report

By Robert Scammell

Criminal investigations usually attempt to establish means, motive and opportunity. But what if the case for these criteria is overwhelming yet no crime has been committed? That’s the situation in which embattled Chinese telecommunications giant Huawei currently finds itself in.

The firm has faced sustained allegations of espionage, largely from the United States, stemming from close ties between it and the Chinese state. Huawei denies all allegations and no hard evidence has been provided that it has committed any wrongdoing.

Yet the scale of Huawei’s technological reach – from 5G infrastructure to smartphones to internet sea cables – gives it an unrivalled opportunity to cause problems, making it a “perfect storm of unintended consequences waiting to happen”, according to a report by cybersecurity firm Recorded Future.

The report, titled ‘The New “CyberInsecurity:” Geopolitical and Supply Chain Risks from the Huawei Monoculture’, argues that while Huawei isn’t inherently malign, the Chinese state has a track record that, by extension, makes the Huawei security threat too great for other countries and companies wishing to do business with it.

“A lot of people are looking for a smoking gun,” said Recorded Future third-party risk and supply chain expert Cody Barrow, speaking to Verdict at Infosecurity Europe in London.

“The Huawei founders were associated with the PLA [People’s Liberation Army] and so forth. We’re looking at this from a systematic, holistic angle. It’s not just that they have opportunity, we argue, to be compelled by the Chinese government. We argue that they actually will be obligated to comply.”

Huawei security threat: The means to carry out espionage

While US companies such as Google and Facebook have vast technological reaches that provides them, in theory, with a similar opportunity, the US does not have the same means to compel private companies to carry out espionage or align their goals to match national agendas, Recorded Future argues.

The report points to the 2017 National Intelligence Law, which legal experts say obligates Chinese citizens and corporations to assist the Chinese government.

“Huawei will at some point likely be forced into making decisions that could compromise the integrity or corporate ambitions of their customers,” writes Priscilla Moriuchi, Recorded Future’s director of strategic threat development and the author of the report.

She also highlights Huawei’s expanding network of undersea internet cables. Internet traffic travels fairly randomly through physical infrastructure, influenced by factors such as available capacity, lowest latency and number of exchanges. As this favours dense areas of cables, it means the more cables Huawei lays in Asia and Africa, the more data will pass through its infrastructure. This, says Recorded Future, will provide the opportunity to manipulate and monitor internet traffic.

“Our fear is that they could use this to circumvent free speech, that they have a stated national world-view that is directly in opposition to Western values of free speech,” said Barrow, who has previously worked for US intelligence agencies.

Huawei security threat: Motive

All nation-states have the motive to use technology to maintain an edge over rival countries and China is no different in this respect. But Recorded Future argues that China has consistently demonstrated that its motives go beyond national security and extend into censorship.

China has long had a poor track record on censorship, notably its ‘Great Firewall of China’, which limits access to certain sites and information for its citizens. Then there’s censorship of Western entertainment in China, and pressure placed on United Airlines for recognising Taiwan, among others.

Such inclination for censorship was recently brought into focus by the 30th anniversary of the Tiananmen Square protests. Thousands of Chinese students were killed during the 1989 protests, but discussion of the protest is largely forbidden in China.

“The fear is that their threshold is much lower when they are going to shut things down,” said Barrow, who said that China could use Huawei’s undersea cables to extend censorship beyond Chinese borders.

“And that’s because of this world view, where they don’t want you to be able to discuss Tiananmen Square. They may also not want you in the Middle East to discuss Tiananmen Square, or in Africa.”

There is also China’s social credit system, in which citizens’ actions are monitored and collated into a score – something that Barrow worries could be applied to non-Chinese citizens if Huawei continues to expand its technological reach.

“If you’re buying a Huawei device and you’re sending your data back to Chinese servers, that, we argue, could then be feeding into the social credit system, generating a social credit score for yourself that you may not want to support,” he said.

Huawei’s supply chain risk

In addition to the ideological and legal differences between China and the West, there is the supply chain risk that has already been well documented.

A recent UK government report found “serious vulnerabilities” in Huawei products, but it said these stemmed from poor practice rather than deliberately adding back doors.

The UK was set to take a risk management approach, only using Huawei in “non-core” parts of its 5G infrastructure. But a new prime minister could change the UK’s stance, particularly under pressure from the US.

For businesses wishing to use Huawei, Recorded Future advises a similar approach to that of the UK’s current stance.

“If the risk threshold is low, we recommend that companies minimise the number of Huawei technologies and services within core or critical segments of their networks,” advises Moriuchi.

Read more: Trump’s Huawei warning to UK an empty threat: Former senior British intelligence officer

Verdict deals analysis methodology

This analysis considers only announced and completed artificial intelligence deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,