Today, Germany's Der Spiegel reported on the latest wave of NSA Revelations (the provenance of which is unclear, but presumably they are Snowden-sourced).
According to the Der Spiegel article (link to GigaOm coverage in English), the most recently unveiled information indicates that the U.S. National Security Agency (NSA) was not only successful at compromising sometimes-witting-but-almost-certainly-unwilling American telecom and Internet service providers, but also at compromising American and non-American telecom and Internet infrastructure hardware and solution providers, without their knowledge.
Through what appears to be a combination of software hacking and cracking (and, possibly - from my personal perspective - infiltration and tampering with American components, chip-sets, etc. that feed into multinational company supply chains), the NSA has seemingly extended its global surveillance and information dragnet well beyond what had been previously reported, or even imagined.
One of the companies whose gear was reportedly compromised is my employer Huawei. The irony of this situation could not be richer (Reminder: this is a personal blog reflecting my personal thoughts).
For the last few years, China-headquartered Huawei has been the victim of a U.S. Government-wide (and beyond) conspiratorial witch-hunt. Vicious and baseless allegations have been made without end, with Huawei accused of being somehow financed, directed, controlled or otherwise uniquely vulnerable to Chinese Government cyber penetration and manipulation. Wilder and weirder myth and misinformation have been spread, slandering the company and its employees in many and nasty ways.
Never, not once - not once - has there been a shred of substantive evidence presented to support any such allegations.
Now, while to the best of my knowledge Huawei has yet to validate or invalidate the vague suggestions made by Der Spiegel, let's for the moment imagine there is some truth to what's been unveiled.
In that context, let's consider last year's U.S. House of Representatives Permanent Select Committee on Intelligence (HPSCI) "investigation" of Huawei which concluded with the company branded - with zero substantive reason - as some sort of threat to U.S. national security due to being somehow uniquely vulnerable to potential compromise by the Chinese Government.
As much of a circus-like sham as the whole exercise was, it is all the more shameful in light of today's revelations.
Indeed, HPSCI Chairman Rogers - the man charged with overseeing U.S. intelligence activities to prevent abuse, who has instead spent the last six months trying to sugar-coat such abuse - has forever redefined the height of hypocrisy by accusing Huawei of being uniquely vulnerable to compromise by one Government when, as the Chairman of HPSCI, he was almost certainly aware that the U.S. Government had already achieved this feat (at least per Der Spiegel).
You know, in the immediate wake of the initial Snowden Revelations, some joked that the reason the U.S. Government was so hell-bent on keeping Huawei out of the market was because they were uncertain they could penetrate and compromise our solutions as easily as they might the gear of our American or other Western peers.
If Der Spiegel has it right, such lighthearted wit was dead wrong.
Indeed, if Der Spiegel has it right, the whole Huawei embargo and witch-hunt was nothing more than good-old-fashioned protectionism and China-baiting - the NSA has proven that it doesn't matter where a company is headquartered in terms of its vulnerability to potential malicious penetration and compromise.
These most recent NSA revelations expose past U.S. Government representations about Huawei (and similar opinions from sycophants like my favorite CSIS cyber-gasbag, as well as military-industrial-complex fan-boy groups like the U.S.-China Economic and Security Review Commission) as utterly baseless and equally and maliciously and knowingly duplicitous.
Moreover, if Der Spiegel has it right, they have confirmed rather solidly that cyber vulnerabilities are universal, agnostic to geographies, location of headquarters, flags or borders, and demanding of universal industry-wide solutions to address such challenges.
Huawei-related fuming aside, back home, it's time for some serious accountability...
From the Administration. From the Congress.
U.S. intelligence agencies are now recognized - unequivocally - as the most advanced persistent threat to the integrity of global networks and data.
American standing on the world stage is lessened.
Our ability to project the values we have nourished and cherished for two-plus centuries is diminished.
We are increasingly distrusted abroad. Such distrust extends to our businesses, and will quite likely yet further adversely impact our economy.
Where will the buck stop?
December 29, 2013
December 18, 2013
Enough already with the vacuous HPSCI report on Huawei
Just over a year ago, in October 2012, the U.S. House of Representatives Permanent Select Committee on Intelligence (HPSCI) issued an empty, vacant, slanderous report suggesting that $35 billion multinational Huawei Technologies somehow presents a threat to U.S. national security.
The report - the result of a bad-faith 11-month "investigation" by the Committee - is laughable in terms of its utter lack of substance, and generally dismissed as garbage, and not just by people who actually understand the information and communications technology industry, but within the Beltway as well.
But the damned thing keeps getting referenced in media reports as if it had merit. Check out the embedded 10-minute video which exposes the Committee's willful misrepresentations, point by point, and further details the costs of their tomfoolery.
December 06, 2013
Shame on you Associated Press, and you too Rep. Wolf
Just shy of 30 years ago, while a student at Georgetown, a
roommate of mine had a professor whose kid played in a local recreational soccer
league. His team was in need of coaches.
My friend and I, having both played soccer in high school, volunteered. Good fun.
About a decade later, in the mid-90’s, when I was a
mid-level Foreign Service Officer at the State Department in Washington, I
re-encountered the professor, who was consulting in State’s Strategy and
Planning Office.
Fast forward to 2010, when I was surprised to learn, after
joining Huawei, that the professor – still at Georgetown – was a member of
Huawei’s newly-minted International Advisory Committee, comprised of
illustrious business, academic and other counselors.
It is, indeed, a very small world.
Today, the Associated Press, in seeming-cahoots with Virginia
Congressman Frank Wolf, did a hatchet job on Professor Moran.
In September of this year, after Congressman Wolf (R-VA) “discovered” that the professor was
serving simultaneously on both Huawei’s International Advisory Committee and
the U.S. Government National Intelligence Council (a group of private sector analysts
and policy experts who advise the Office of the Director of National
Intelligence on various matters, including foreign investment in the United
States), he put pressure on the Director of National Intelligence and the professor was seemingly compelled to resign.
“Discovered?” Hardly a feat, given that both advisory positions
were prominently listed on the professor’s publicly-available CV, and referenced
in his various publications.
Nevertheless, Wolf is one known to give an Administration
headaches, so the Administration, fully aware of the professor’s historical situation, bent over and forced the resignation.
Now, Wolf himself has some justified concerns with China,
but he also has an unfortunate and slightly-mad penchant for using Huawei, an
independent $35 billion globally-trusted and proven China-headquartered multinational,
as his proxy for China-bashing. (Indeed,
I would encourage you to pause in your reading of this post and peruse my
April 2012 post featuring one of Rep. Wolf’s more lunatic tilts at the Huawei
windmill before continuing).
Which brings us back to today’s Associated Press piece titled
“Chinese Firm Paid US Gov't Intelligence Adviser” – a lurid and
grossly-misleading headline.
Go on. Read it. You’ll see.
Headline and remarkably-intentional journalistic bias aside, the story
is not news. Huawei, like many companies, particularly
multinational companies, has an international advisory committee. And advisors are compensated. Whoopee.
Go figure.
But, uh oh, shudder, the professor also serves on a U.S. Government
advisory committee. So, shamelessly
carrying Wolf’s dirty water, the AP blithely weaves conspiracy from
whole cloth, intentionally misleading readers.
Perhaps the most obvious example of shameless reporting: “In a policy paper distributed by Huawei,
Moran wrote in May that, ‘targeting one or two companies on the basis of their
national origins does nothing for U.S. security in a world of global supply
chains.’ Moran criticized what he described as ‘a policy of discrimination and
distortion that discourages valuable inward investment from overseas, while
providing a precedent for highly damaging copycat practices in other countries.’”
Let’s parse this out.
First off, the policy paper being referenced by the AP
is intentionally misrepresented by the AP as somehow being a Huawei or
Huawei-commissioned product. It is not. In fact, it is a paper published by the
Peterson Institute of International Economics, a world-respected economics and
trade think tank where Professor Moran serves as a Fellow.
Intentionally misrepresented? Yes. When the AP was asked to appropriately
label the report, they declined, at the editorial level.
Now, let’s consider Professor Moran’s quotes from the policy
paper:
“Targeting one or two
companies on the basis of their national origins does nothing for U.S. security
in a world of global supply chains.”
Spot. On. See below.
“A policy of
discrimination and distortion that discourages valuable inward investment from
overseas, while providing a precedent for highly damaging copycat practices in
other countries.”
Yes. Exactly.
Why on earth would the AP suggest such statements
were somehow suspect? It boggles the
mind. All the more so in the wake of the
Snowden revelations that, by all indications, seem to be leading to a situation
in which U.S.-based companies will suffer similar discrimination in foreign
markets.
Shame on you AP for pandering to shallow, baseless,
discriminatory politicians and policy.
Shame on you Rep. Wolf for driving this bullshit. And shame on those in the U.S. Administration
that continue to demonize Huawei by virtue of its heritage in China.
Again (borrowing from my post two days ago):
The Information Communications Technology (ICT) industry is
transnational, essentially borderless. Whether you are Huawei, Cisco,
Alcatel-Lucent or Ericsson you are operating world-wide, equally vulnerable to
penetration or compromise, whether by the now-world-renowned experts at the
NSA, or whoever their counterparts may be in China, Russia or Israel. Knocking Huawei out of the market – any market
– does precisely squat to secure networks and data. And the U.S. Government knows all of this.
But (you might ask), hold on, wait a second, if the NSA
compromised U.S. companies, then certainly the Chinese Government can
compromise Huawei?
That analogy holds no water.
Let’s review:
The penetrations and compromises thus far unveiled by Edward
Snowden were primarily achieved by U.S. intelligence agencies either
compromising unwitting innocent companies or forcing unwilling (also innocent)
companies into unfortunate complicity.
In terms of the latter, from what we have learned to date,
the bulk of the data syphoned off by the NSA, et al was primarily extracted
from service operators or data managers under “legal” pretense. Knowledge of such witting but unwilling
compromise of these companies was almost certainly limited to a small few
within the companies, perhaps just C-level and legal.
Huawei is a different kind of company.
Think of the companies referenced above as water
companies.
Think of Huawei as a company that builds the pipes for the
plumbing systems used by the water companies.
The U.S. intelligence agencies went to the legal departments at the water companies and forced a spigot into their reservoirs, virtually draining them. Again, it is quite likely that very few people within the water companies were even aware of the quiet conspiracy.
Contrast that with a company like Huawei.
A quiet conspiratorial visit to the legal department or
C-level arm-twisting won't do the job.
In order to compromise Huawei’s gear, you would have to
infect each and every pipe (router, switch, etc.) which, given the volume of
product we produce and the thousands of researchers, coders and builders
involved – all around the world - would require an absurdly unbelievable and unsustainable
conspiracy of countless employees spanning far-flung countries where research, coding
and assembly take place.
But (you might ask), what about after-market “software
upgrades” or “patches” or some other digital or magical manipulation of the gear
after it’s been sold and deployed?
These are legitimate concerns.
But Huawei is not some *insert government name here*-directed
operation in some non-descript building in Shanghai or Silicon Valley. Huawei is a $35 billion company operating in
150 markets doing 70% of its business outside China, with state-of-the-art
Research and Development and software facilities scattered across the globe.
Huawei “software updates” don’t just get “pumped out”
willy-nilly. They are deployed in close
coordination with network operator customers and according to the security
procedures defined by those customers.
Moreover, within Huawei, every line of code – wherever
developed - is tracked and traced by “many eyes and many hands” (human and
virtual) which, again, would mean that for Huawei to wittingly “pump out” “back
doors” or “exploits” would again require a conspiracy of thousands of our
employees, not to mention the additional complicity of employees of our network
operator customers.
Absurd.
Could a rogue employee or group of employees plot
cyber-shenanigans within the company? Yes.
This could happen at any ICT company - we are all vulnerable. Yet, like any other world-leading ICT company
with a reputation and business to protect, Huawei has employed robust
disciplines to detect and quash such anomalies.
But a grand conspiracy?
Hogwash.
And the U.S. Government knows this. And so should Rep. Wolf.
And, as for the AP, we might grace them with not
having the experience or bandwidth to understand the issues, but they should certainly
have more journalistic integrity than to prostitute themselves to politicians…
December 04, 2013
Huawei, Korea, Pots and Kettles
Yesterday, the U.S. Administration and Senate leadership
tag-teamed a stab at undermining the legitimate commercial activities of a China-based multinational in South Korea in
order – seemingly (maybe?) – to give the Biden delegation visiting China some sort of additional
leverage in bilateral talks, perhaps related to the increasingly-contentious “Air Defense
Identification Zone” around the Diaoyu/Senkaku Islands.
That’s how I see it.
That, at least, would be a marginally rational explanation.
The purported explanation defies logic.
Yesterday, the Wall Street Journal and The Daily
Beast broke the story of a letter from the Chairs of the Senate Foreign
Relations and Select Intelligence Committees calling on the Secretaries of
State and Defense, as well as the Director of National Intelligence, to look
into “the potential threats and security
concerns” presented by Huawei’s involvement in a commercial wireless
network deal...in South Korea.
The Journal reported further that “the Obama administration is privately
raising concerns with officials in South Korea about their plans to let a
Chinese telecommunications giant develop the country's advanced wireless
network, expanding a quiet campaign to warn key allies against integrating the
Chinese technology into their systems.”
Okay. C'mon already. There should be zero possibility that anyone in the U.S. Government
is legitimately concerned about unique network security or data integrity
vulnerabilities associated with Huawei gear. The
facts are all too clear to the contrary. Consider:
The Information Communications Technology (ICT) industry is
transnational, essentially borderless. Whether you are Huawei, Cisco,
Alcatel-Lucent or Ericsson you are operating world-wide, equally vulnerable to
penetration or compromise, whether by the now-world-renowned experts at the
NSA, or whoever their counterparts may be in China, Russia or Israel. Knocking Huawei out of the market – any
market – does precisely squat to secure networks and data. And the U.S. Government knows all of this.
But (you might ask), hold on, wait a second, if the NSA compromised U.S. companies,
then certainly the Chinese Government can compromise Huawei?
That analogy holds no water. Let’s
review:
The penetrations and compromises thus far unveiled by Edward Snowden were primarily achieved by U.S. intelligence agencies either compromising
unwitting innocent companies or forcing unwilling (also innocent) companies
into unfortunate complicity.
In terms of
the latter, from what we have learned to date, the bulk of the data syphoned off by the NSA, et al was primarily extracted from service operators or data
managers under “legal”
pretense. Knowledge of such witting but
unwilling compromise of these companies was almost certainly limited to a small
few within the companies, perhaps just C-level and legal.
Huawei is a different kind of company.
Think of the companies referenced above as
water companies.
Think of Huawei as a company
that builds the pipes for the plumbing systems used by the water
companies.
The U.S. intelligence agencies went to the legal departments
at the water companies and forced a spigot into their reservoirs, virtually
draining them. Again, it is quite likely
that very few people within the water companies were even aware of the quiet
conspiracy.
Contrast that with a company like Huawei.
A quiet conspiratorial visit to the legal department or C-level arm-twisting won't do the job.
In order to compromise Huawei’s gear, you
would have to infect each and every pipe (router, switch, etc.) which, given
the volume of product we produce and the thousands of researchers, coders and
builders involved – all around the world - would require an absurdly unbelievable
and unsustainable conspiracy of countless employees spanning far-flung countries
where research, coding and assembly take place.
But (you might ask), what about after-market “software upgrades” or “patches”
or some other digital or magical manipulation of the gear after it’s been sold
and deployed?
These are legitimate concerns, though sadly, unfortunately, somewhat de-legitimized by the canned quotes from the Center for Strategic and
International Studies’ persistently-resident cyber-gasbag that were featured in the Daily Beast
article.
Per The Daily Beast, the aforementioned “expert” said
that “Huawei’s routers and switches may be clean at first. But the potential
for back doors, or exploits within the software and hardware of the equipment,
could be slipped into the gear through routine maintenance such as software
updates.” “They can pump out a software update and you have no idea what is in the
software.”
Such hyperbolic paranoia (or perhaps just utter ignorance of the business
realities in the ICT industry) borders on mind-numbing.
Huawei is not some <insert government name here>-directed
operation in some non-descript building in Shanghai or Silicon Valley. Huawei is a $35 billion company operating in
150 markets doing 70% of its business outside China, with state-of-the-art
R&D and software facilities scattered across the globe.
Huawei “software updates” don’t just get “pumped out”
willy-nilly.
They are deployed in close
coordination with network operator customers and according to the security
procedures defined by those customers.
Moreover, within Huawei, every line of code – wherever developed
- is tracked and traced by “many eyes and many hands” (human and virtual) which, again, would mean that for
Huawei to wittingly “pump out” “back doors” or “exploits” would again require a
conspiracy of thousands of our employees, not to mention the additional complicity
of employees of our network operator customers.
Absurd.
Could a rogue employee or group of employees plot
cyber-shenanigans within the company? Yes. This could happen at any ICT company - we are
all vulnerable. Yet, like any other world-leading ICT
company with a reputation and business to protect, Huawei has employed robust disciplines to detect and quash such anomalies.
But a grand conspiracy?
Hogwash.
And the U.S. Government knows this.
Which brings us back to the quest for a rational
explanation for the odd concert of Administration officials and Senate Chairs
attempting to interfere in the Korean commercial wireless marketplace. I posited one such explanation at the outset
of this post. A placeholder of sorts.
Far-fetched?
Maybe.
But one thing we do know: it has nothing to do with network security
or data integrity. Indeed, that fig leaf is growing frightfully thin...