December 04, 2013

Huawei, Korea, Pots and Kettles

Yesterday, the U.S. Administration and Senate leadership tag-teamed a stab at undermining the legitimate commercial activities of a China-based multinational in South Korea in order – seemingly (maybe?) – to give the Biden delegation visiting China some sort of additional leverage in bilateral talks, perhaps related to the increasingly-contentious “Air Defense Identification Zone” around the Diaoyu/Senkaku Islands.

That’s how I see it.  

That, at least, would be a marginally rational explanation.  

The purported explanation defies logic.

Yesterday, the Wall Street Journal and The Daily Beast broke the story of a letter from the Chairs of the Senate Foreign Relations and Select Intelligence Committees calling on the Secretaries of State and Defense, as well as the Director of National Intelligence, to look into “the potential threats and security concerns” presented by Huawei’s involvement in a commercial wireless network deal...in South Korea.   

The Journal reported further that “the Obama administration is privately raising concerns with officials in South Korea about their plans to let a Chinese telecommunications giant develop the country's advanced wireless network, expanding a quiet campaign to warn key allies against integrating the Chinese technology into their systems.”

Okay.  C'mon already.  There should be zero possibility that anyone in the U.S. Government is legitimately concerned about unique network security or data integrity vulnerabilities associated with Huawei gear.  The facts are all too clear to the contrary.  Consider:

The Information Communications Technology (ICT) industry is transnational, essentially borderless. Whether you are Huawei, Cisco, Alcatel-Lucent or Ericsson, you are operating world-wide, equally vulnerable to penetration or compromise, whether by the now-world-renowned experts at the NSA, or whoever their counterparts may be in China, Russia or Israel. Knocking Huawei out of the market – any market – does precisely squat to secure networks and data. And the U.S. Government knows all of this.

But (you might ask), hold on, wait a second, if the NSA compromised U.S. companies, then certainly the Chinese Government can compromise Huawei? 

That analogy holds no water.  Let’s review:

The penetrations and compromises thus far unveiled by Edward Snowden were primarily achieved by U.S. intelligence agencies either compromising unwitting innocent companies or forcing unwilling (also innocent) companies into unfortunate complicity.  

In terms of the latter, from what we have learned to date, the bulk of the data syphoned off by the NSA et al. was primarily extracted from service operators or data managers under “legal” pretense. Knowledge of such witting but unwilling compromise of these companies was almost certainly limited to a small few within the companies, perhaps just C-level and legal.

Huawei is a different kind of company.  

Think of the companies referenced above as water companies.  

Think of Huawei as a company that builds the pipes for the plumbing systems used by the water companies.  

The U.S. intelligence agencies went to the legal departments at the water companies and forced a spigot into their reservoirs, virtually draining them.  Again, it is quite likely that very few people within the water companies were even aware of the quiet conspiracy. 

Contrast that with a company like Huawei.  

A quiet conspiratorial visit to the legal department or C-level arm-twisting won't do the job.

In order to compromise Huawei’s gear, you would have to infect each and every pipe (router, switch, etc.) which, given the volume of product we produce and the thousands of researchers, coders and builders involved – all around the world – would require an absurdly unbelievable and unsustainable conspiracy of countless employees spanning far-flung countries where research, coding and assembly take place.

But (you might ask), what about after-market “software upgrades” or “patches” or some other digital or magical manipulation of the gear after it’s been sold and deployed? 

These are legitimate concerns, though sadly, unfortunately, somewhat de-legitimized by the canned quotes from the Center for Strategic and International Studies’ persistently-resident cyber-gasbag that were featured in the Daily Beast article. 

Per The Daily Beast, the aforementioned “expert” said that “Huawei’s routers and switches may be clean at first. But the potential for back doors, or exploits within the software and hardware of the equipment, could be slipped into the gear through routine maintenance such as software updates.”  “They can pump out a software update and you have no idea what is in the software.”

Such hyperbolic paranoia (or perhaps just utter ignorance of the business realities in the ICT industry) borders on mind-numbing.

Huawei is not some <insert government name here>-directed operation in some non-descript building in Shanghai or Silicon Valley.  Huawei is a $35 billion company operating in 150 markets doing 70% of its business outside China, with state-of-the-art R&D and software facilities scattered across the globe. 

Huawei “software updates” don’t just get “pumped out” willy-nilly.  

They are deployed in close coordination with network operator customers and according to the security procedures defined by those customers. 

Moreover, within Huawei, every line of code – wherever developed – is tracked and traced by “many eyes and many hands” (human and virtual) which, again, would mean that for Huawei to wittingly “pump out” “back doors” or “exploits” would again require a conspiracy of thousands of our employees, not to mention the additional complicity of employees of our network operator customers.

Absurd.

Could a rogue employee or group of employees plot cyber-shenanigans within the company? Yes. This could happen at any ICT company – we are all vulnerable. Yet, like any other world-leading ICT company with a reputation and business to protect, Huawei has employed robust disciplines to detect and quash such anomalies.

But a grand conspiracy?  Hogwash.

And the U.S. Government knows this.  

Which brings us back to the quest for a rational explanation for the odd concert of Administration officials and Senate Chairs attempting to interfere in the Korean commercial wireless marketplace.  I posited one such explanation at the outset of this post.  A placeholder of sorts.  Far-fetched?  

Maybe. 

But one thing we do know: it has nothing to do with network security or data integrity. Indeed, that fig leaf is growing frightfully thin...
