You probably haven’t heard of Huawei, and if you have, you haven’t heard good things. Huawei is the second largest producer of telecommunications equipment in the world—it makes the stuff that connects digital networks, and there’s a good chance this article traveled over Huawei’s equipment to get to you. Huawei is based in Shenzen, China, but the company argues that it is only nominally Chinese. In corporate documents, Huawei describes itself as a “global” company, and there’s some truth to that. Like most tech giants, Huawei has offices, production facilities, employees, and customers all over the world. Huawei generates more than two-thirds of its revenue outside China, and the firm says that 70 percent of its components are purchased from non-Chinese companies. Its largest supplier is the United States.
To the American government, though, the location of Huawei’s headquarters is damning. In a report released this week, a congressional investigative committee alleged that Huawei may have connections to the Chinese Communist Party. The report, which is the product of an investigation by the House Permanent Select Committee on Intelligence, warns American government agencies and private companies against doing business with Huawei and ZTE, another Chinese telecom firm. Equipment made by these companies could allow China to “maliciously modify or steal information from government and corporate entities” and conduct cyberattacks against the United States, the report states.
Call it the Manchurian Network. The fear is that if Huawei’s equipment becomes embedded in American infrastructure, China will one day be able to flip a switch and take control of our resources. The report warns that, through Huawei and ZTE, China could wreak havoc on American “electric power grids; banking and finance systems; natural gas, oil, and water systems; and rail and shipping channels,” ultimately imposing “devastating effects on all aspects of modern American living.”
All of this would be pretty terrifying if investigators cited any substantive evidence for their fantastical scenarios. They don’t. There isn’t a single finding that any Huawei product has ever been infiltrated by the Chinese government. (At least, there isn’t in the public version; the committee also produced a classified version of the report.) Instead, the report just assumes that Huawei is up to something sketchy because the company declined to provide investigators with a few extremely technical details about its corporate structure and its history. I didn’t find many of these omissions damning; Huawei did provide extensive documentation to the committee, and it also made executives available for interviews.
But even if Huawei’s apparent opacity does bother you, it’s ridiculous to judge its technology according to its corporate structure or hometown. There’s a much more effective, fairer, and more orderly way of assessing the security of its products, a method that should be applied to all telecom equipment, including stuff made by companies based in America: Experts—the government and Huawei’s customers—should be scouring its tech, including an inspection of the products’ source code. If we want to eliminate the potential for built-in “backdoors,” let’s set up a formal regulatory system to search for them rather than assuming that Chinese technologies are somehow evil, while the flag-draped routers made by American firms are not.
The biggest problem with the committee’s report is that it is based on a convenient fiction—that complex technology has a “nationality,” and that we can distinguish safe technologies from unsafe ones based on their nation of origin. In reality, most devices are from everywhere. Your Android smartphone was designed in Korea, assembled in China, runs an operating system created in California, and works on a cellular carrier owned by a firm based in Germany. If you’re worried about a certain company’s connections to China, you should be worried about pretty much every company in the tech industry—they all have large operations there, and, as a result of those operations, they’ve all cut certain less-than-transparent deals with Chinese authorities.
This is true even of Cisco, the American telecom firm that, according to the Washington Post, has been leading the lobbying charge against Huawei. Cisco has invested billions in its own plants in China, as well as in other Chinese companies and Chinese universities. Many, if not most, of Cisco’s devices are made in China, and the company has been trying to woo Chinese authorities for many years. In 2002, according to a leaked sales presentation, the company marketed its routers to Chinese authorities as a way to bolster the country’s Internet blocking system (known as the Great Firewall of China). Among the sales presentations’ claims was that Cisco’s technology might help Chinese authorities “Combat ‘Falun Gong’ evil religion and other hostiles.” While visiting Beijing in 2005, John Chambers, Cisco’s CEO, told journalists, “If I wasn’t American, I would be Chinese.” He has also said that “what we’re trying to do is outline an entire strategy of becoming a Chinese company.”
There’s profound hypocrisy buried in the House report on Huawei. It notes, accurately, that China is a leading sponsor of cyberattacks, and of course it’s also true that the Chinese regime routinely monitors and blocks its own citizens’ use of the Internet. But the report elides that fact that the American government and American tech companies don’t have clean hands when it comes to cyberattacks or spying. In the aftermath of 9/11, the Bush administration launched a program to wiretap Americans’ phone calls without court approval; telecom companies carried out the plan at the request of the government, and they were later granted immunity from civil suits for violating Americans’ privacy. The most effective cyberattack in history was carried out by the United States and Israel: It was the Stuxnet worm, which was aimed at Iranian nuclear facilities but escaped to computers around the world. The program was approved by President Obama himself.
You may argue that none of this is relevant to the Huawei case. If the point is to keep Americans safe from China, the fact the American government has carried out cyberattacks and marshaled telecom companies into spying on people isn’t relevant. But these incidents illustrate that we can’t look to the national origin of our technology to keep us safe. They also paint the House investigation as a crass exercise in protectionism—and one that could easily backfire: Chinese authorities can now ban American telecom equipment on the basis of the U.S. government’s involvement in cyberwarfare and espionage.
In response to the alleged threat posed by Huawei, the British government adopted a much more sensible plan than simply advising companies to stop doing business with the firm. It created an independent testing center that inspects all of Huawei’s equipment for potential threats; Huawei is only allowed to sell products that have passed this inspection. The company called for a similar scheme in the United States, but the House committee rejected the plan.
The reasoning behind this decision was bizarre. Independent evaluations, the report said, would never work because inspectors could never replicate all of the various ways Huawei’s products could be used in the real world. Well, maybe—but couldn’t we at least try implementing testing that mimics real-world conditions? No, said the report. Even trying to evaluate network equipment would be dangerous, because it would create a false sense of security that the equipment was safe.
So if testing wouldn’t work—if testing would actually make networks unsafe—then how should we determine if a particular networking company’s equipment is secure? Only if that firm produces a “convincing set of diverse evidence that a system is worthy of our trust.” That’s a pretty slippery standard. If we’re just going on what we “trust,” without any actual evidence of wrongdoing, then every government will have reason to distrust network technologies made by anyone else. And if that happened, the whole networking thing wouldn’t quite work.