The pressure to restrict Huawei from telecom networks is driven not by governments, but the many companies which have experienced hacking, IP theft, or espionage
There is an increased focus on security threats from equipment made by companies owned or affiliated with the Chinese government, for example the restrictions placed on Huawei, various providers of video surveillance cameras, and some 50 other Chinese companies identified for security threats. Some interpret this as a political project waged to increase leverage during an intense trade negotiation between the US and China. This research note explains why the security concerns from companies and measures to deter theft, espionage, and sabotage are justified.
Strand Consult´s analysis shows that the concerns about Chinese made network equipment is not limited to national governments and the military intelligence operations. Nor is the concern confined to telecom operators which build and run networks. It is the small, medium, and large enterprises that use networks which fear that their valuable data will be surveilled, sabotaged, or stolen by actors associated with the Chinese government and military. Consequently, it is the clients of telecom operators which push to restrict Chinese-made equipment from networks.
The Chinese government expects to win global domination in 10 strategic industries by 2025 including information communications technologies, energy, pharmaceuticals, and aerospace. All options are on the table to achieve these goals. While many Chinese firms are sophisticated and innovative.
Strand Consult finds in its consultation with telecom operators that their customers demand greater security. Some of these companies compete with Chinese firms for global markets, and they have experienced their trade secrets, designs, plans, ideas, movies, molecules, and other intellectual property have been stolen via telecom networks.
In 2017, China implemented a National Intelligence Law which compels any Chinese subject to conduct espionage on behalf of the government. While ordinary citizens can be compelled to spy, operationalizing passive surveillance within networks through backdoors and other means is more effective. Given the increasing integration of software in network equipment, these backdoors are increasingly difficult to detect, as they can be shipped in subsequent software upgrades or activated after security clearances are concluded.
Intellectual Property Theft
The theft of intellectual property (IP) theft by Chinese actors is well-documented; the question is whether policymakers care.
As the Wall Street Journal reported, at the conclusion of the 2004 Supercomm conference in Chicago, a Huawei engineer was apprehended while opening networking equipment and photographing the circuit boards inside. His memory sticks with the photos, a notebook with diagrams and data belonging to AT&T, and a list of six companies including Fujitsu Network Communications Inc. and Nortel Networks Corp were confiscated by security personnel. The man claimed that it his first time in the U.S., and that he wasn’t familiar with Supercomm rules forbidding photography.
A 2017 report by the bipartisan US IP Commission concluded that Chinese theft of American intellectual property currently costs between $225 billion and $600 billion each year. Earlier this year the US Department of Justice indicted Huawei for stealing designs for T-Mobile’s testing robot, “Tappy,” which imitates a person using a phone and monitors phone metrics. Huawei was already found guilty in a civil lawsuit in 2017.
IP theft has been a major issue for years, and while theft has been conducted by various rogue states, China is by far the leading perpetrator. While China has taken some steps to protect intellectual property in China, it still has a long way to meet the standards of the USA and most European countries. Companies spend tens of billions of dollars annually in security measures, both cyber and physical. While companies can and should take it upon themselves to secure their property via their own means and resources, when the theft is conducted by nation states and state-funded actors, the issue becomes one of national defense and the obligation of government to protect the property of its people and enterprises.
Systematic Industry espionage
While security analysts and military intelligence officials have described for over a decade supply chains vulnerability in various industires, policymakers are finally paying attention. Last year, the Department of Homeland Security in USA formed an Information and Communications Technology supply chain task force filled with representatives from both the public and the private sectors. A law passed last December led to the creation of the new Federal Acquisition Security Council, which held its first meeting last month. And the White House recently released an executive order prohibiting the acquisition or use of any information and communications technology or service coming from a company deemed a national security threat.
Although American politicians have just started to pay attention, China has been engaged in a decades long, systematic, state-sponsored effort to steal U.S. technology. Beijing has relied heavily on stolen trade secrets and intellectual property to build its own indigenous manufacturing and technology base. Recent U.S. intelligence community estimates suggest that China employs 30,000 military cyber spies and 100,000 private sector cyber experts whose job is to steal foreign secrets and technology.
The launch of China’s new stealth fighter J20 has some components that are believed to have been stolen from Lockheed Martin and some of its subcontractors. Is it a coincidence that China’s J20 (which first flew in 2011) looks very close to an the USA’s F35 (which first flew in 2006)?
The 5G wireless technology now being introduced by mobile operators promises to bring a world of innovation to mobile service, from connected appliances to self-driving cars. Just as cable transformed TV generations ago with hundreds of new channels, it also promises to bring a new global round of technology competition, one that overlaps with arguments over security that have pitted various countries against China and have raised tensions in the industry, to the dismay of telecom executives who fear that 5G’s rollout could be delayed.
Earlier this year, the US Central Intelligence Agency informed its counterparts in Australia, Canada, New Zealand, and the UK that Chinese technology company Huawei has received funding from the Central National Security Commission of the Communist Party of China, the People’s Liberation Army, and a “third branch of the Chinese state intelligence network.”
The legal system has tools to challenge corporate actors which steal property, but what about nation states which spy, or which direct non-governmental actors to do so on their behalf?
Chinese hackers attack foreign compagnies every day.
What advanced technology China has not been able to develop itself, it appropriates through other methods, whether forced technology transfer or theft. U.S. cybersecurity vendor Cybereason issued a report describing “an ongoing global attack against telecommunications providers that has been active since at least 2017.” The report concludes the perpetrator is the APT10, an “advanced persistent threat,” and a state-supported Chinese espionage group. In December 2018, the U.S. government has indicted APT10 members with conspiracy to commit computer intrusion, conspiracy to commit wire fraud, and aggravated identity theft. The indictment noted the hackers worked in tandem to steal intellectual and technological information from dozens of commercial and defense technology companies throughout the continental United States. Additionally, APT 10 is also responsible for the theft of personnel information for 100,000 U.S. Navy personnel.
In 2018 in Norway, Visma, a supplier of cloud-based financial systems discovered that Chinese hackers tried to steal client data, a treasure trove of information for state-sponsored Chinese companies which want to sell to clients whose data was exposed. Also in 2018 Germany’s Bayer withstood a Chinese hacker attack.
Australian intelligence officials claimed China may have accessed thousands of files and 19 years’ worth of data – to include tax and banking records – on Australian National University’ students and staff. Many of ANU’s graduates serve in the country’s intelligence and security agencies. Symantec unveiled in June how Chinese hackers have attacked satellite and telecommunications infrastructure outside of China.
Breaches like these are not new. The Center for Strategic and International Studies identified China as responsible for the greatest number of cyberattacks by any nation over the past dozen years. It reached this conclusion from examining public. The true depth of China’s efforts, and successes, in penetrating western networks is probably still unknown. Foreign Policy also described China’s Hacker Army in 2010.
Telecommunications network equipment is one means to conducting hacking, but devices attached to networks also present a risk. Consider the hack of the financial and customer data of 1,800 Target stores via a digital scale in the deli department. This should give one pause about empowering the Internet of Things with millions, if not billions, of cheap Chinese made devices. The Chinese-government affiliated Lenovo, the world’s largest maker of personal computers and a leading supplier to governments, confirmed the security vulnerability of more than 5000 of its internet connected devices. While many observe that devices can be isolated in the network, devices also contain malware which can infiltrate networks in addition to the software collecting data for nefarious purposes, as was experience by the Chinese-made Safe-KID-One smartwatch sold by Enox Group, now recalled by the European Union. It is naïve to think that just keeping Huawei out is sufficient to ensure safety and security.
With the dawn of the internet and the growth of networks, many policymakers downplayed security concerns. Afterall, the internet started as a project amongst trusted users who knew each other. However, now that connected networks underpin so many aspects of the economy, society, and government, we need to be more concerned not just about who runs the networks, but also who supplies them, their subcontractors, and the products they use. The days of just doing things on the cheap are over. We have learned that cutting corners on price and accountability entails a risk that’s too high to take. That is, if policymakers truly care about their obligations in national defense and whether they see the nation’s information, technology, and secrets just something to be traded away for access to China’s markets and cheap financing.
It is understandable and justified that companies should scrutinize the choice of network provider and equipment. Telecommunications networks bind people, employees, companies and machines together, and data in large quantities flows through the networks. Given many negative experiences with Chinese theft of intellectual property, systematic industry espionage and hacking, it is only reasonable that companies would request a non-Chinese vendor. This is no different than the many regulations imposed by governments on companies to protect data. If governments care so much about protecting data, they should be doing more to protect people ad enterprise from the many tech threats posed by the military and government of China and its affiliates.
Governments around the world will, increasing responsibility on telecommunications companies
Strand Consult is confident that governments around the world will, in the future, impose increasing responsibility on telecommunications companies to protect their clients against cyberattacks in the same way as the financial sector has been assigned a number of compliance tasks. We also believe that the obligations that the telecommunications companies can be imposed are very similar to those social platforms such as Facebook, Instagram etc. have been imposed in relation to stopping fake news and content that does not meet certain standards.
Strand Consult believes that this debate is more complex than the role of a single company or technology and published this research note The story behind the Huawei story and this note: The debate about network security is more complex than Huawei. Look at Lenovo laptops and servers and the many other devices connected to the internet. Strand Consult’s goal is to create transparency so that telecommunications companies and their customers make decisions on an informed basis.
It is the clients of the telecommunications companies that are putting pressure on operators to restrict network elements of dubious origin. This is based on their real world experience and the many negative experiences of theft of intellectual property, espionage, and hacking perpetrated by actors and firms associated with the Chinese government and military. Let’s hope that policymakers can wake up and do their jobs.
If you would like to learn more about our Next gen telecom policy and regulation: Workshop for leaders in the telecommunications industry concept, please do not hesitate to contact us.