It's definitely about more than just national security. BT was explicitly pressured to remove "dumb" components that were thoroughly vetted after they'd started removing smart components where surveillance risk was higher.
At no point was any surveillance detected on any kit.
Removing it all (as opposed to just the "smart" kit) is extremely costly and if security was the real concern, not worth it.
They did bug the African congress but they were invited to set everything up in that building and nobody paid attention to anything they installed.
I suspect it's an attempt to wage "economic" warfare. Under WTO rules national security is a virtual get out of jail free card for protectionism. Huawei had just recently proven that China can overtake western technological capabilities in a key industry. That's the point when America flinched.
It also explains why they bullied all their allies into taking out all the tech all at the same time after years of seemingly not being concerned about their own networks (let alone their allies) and without any evidence of a breach or anything.
I'm not following here. If they bug high-stakes customers when given freedom to operate, why should any country trust anything they build to operate as described? "We'll behave as long as you're looking over our shoulder" doesn't inspire confidence.
It's not really a question of trust though is it? Did you really think we blindly trusted every piece of kit they sold us until the US government kicked up a stink?
It's a question of eye watering costs of ripping out ALL of the very expensive hardware vs. simply vetting it & ripping out some of the more complex stuff that can't be vetted.
Nope. Scorched earth.
I have no doubt that they would have already bugged the west if they thought we wouldn't catch them in the act.
Which we likely would have.
Hence, probably economic, not national security (unless it's about America wanting to install its own bugs in which case lord help us).
Can you even vet it, really? All you need is one chip with secret logic inside it, in just a handful of boards, and you are hosed. You'd have to physically inspect every single board, in every single piece of equipment, and even then that's not 100%. Often these devices look completely different inside from lot to lot, due to the way component sourcing works.
If it's in the core, to a certain level of confidence, but it's arguably worth ripping it out because of how hard it is to have enough confidence.
Likewise anything that can address anything else on a network.
If it's, say, a radio antenna? Yeah, you can.
The core was the cheapest and easiest thing to replace. It's the rest - the stuff it would be implausibly difficult to hack while we are watching which is eyewateringly expensive to rip out.
One of the things I have never seen, is an original source that details the type of attack that was done on the African National Congress HQ in Ethiopia. The only original source I have ever seen is a short piece from (of course) Le Monde. I have never seen a CVE, much less writeup of the attack.
We hear that the device was sending uploads to China in the middle of the night. But what type of uploads? And was it firmware based, or OS based? That whole Hussein(-Addis affair just seems very suspect to me.
Having spoken to someone involved in the investigation, it really did happen but like anything this politically sensitive it was quickly hushed up to avoid making it more of a diplomatic incident. The AU had tried to prevent the news from leaking in the first place.
That's quite typical for espionage, where unless there's a desire to publicly burn a few bridges countries would rather have it handled quietly through regular diplomatic channels.
I have no idea why I typed ANC instead of AU. But I'm not going to lie, it [0] does read a lot like Western Propaganda. The Yellow Peril trope, the Magical China-Tech (the Supermicro Magic Chips), the early morning uploads to Shanghai (those Chinese are playing the long game!), etc.
Generally, trusting Western media on Africa reporting is never a good idea. But at the end of the day, this, and Snowden's revelations show - if you don't make it, then you don't own it.
Do you have a source? I only recall the Le Monde [0] article. And what was the nature of the breach? You have something uploading to Shanghai for 5 years - and nobody noticed?
According to the person I spoke to on the team that responded, and helped set up the new replacement system and network, there had been warnings for years about the adoption of the system and the lack of any real monitoring, but those were ignored because it was considered politically sensitive to double-check on what the Chinese had provided.
It was a new member of staff who did their own experimentation without authorisation who found it and sent it up the chain, to the point where it couldn’t be ignored or hidden anymore. Mostly because that made the delegations aware of how terrible security was, whereas before it seems they’d assumed the organisation had that covered.
> BT was explicitly pressured to remove "dumb" components that were thoroughly vetted after they'd started removing smart components where surveillance risk was higher.
You say that as if there haven't been clever spy techniques using crazy things that took ages to detect:
I think you are correct here that this is more an economic move than national security. The truth is Huawei network switches and routers are equal to, if not better than, equivalent Cisco devices. Cisco just cannot compete at this price point IMO.
The national security concerns about Huawei equipment have nothing to do with the quality of the equipment. The issue is whether the vendor can be trusted in hypothetical scenarios in the future.
If the US implements all Huawei equipment, and China sanctions the US from receiving support/updates/parts from Huawei (or worse, goes to war and uses it as a weapon), then the US telecommunication infrastructure is at risk.
I have first hand knowledge of IP theft by Huawei dating back more than 15 years. It's not surprising they can outclass competitors on price over the long term. Perhaps this behavior should not be rewarded?
We don't have jurisdiction over China. There is no such thing as IP theft across state lines without both states agreeing to recognize it as such. Even among countries that do recognize it, it's an insane kludge of treaty and the independent operation of fundamentally incompatible legal systems which can only reach within states themselves and tend to bump into serious obstacles whenever they try to reach across state lines.
Most major corporations deal with this by just registering IP in multiple jurisdictions simultaneously and litigating internationally, which can also be done in China just as you would do it in France or the UK. Redundancy is easier to manage than cross-border cooperation with foreign court orders.
>There is no such thing as IP theft across state lines
That may be true in the strictest legal sense when a Chinese company is the one doing the stealing from a Western corporation. But in reality, that's so laughably incorrect that it makes me question why you said it.
Exactly. And to put it in clearer terms, they have been continuously hacking into Western companies for 20 years and stealing design schematics and counterfeiting them. I'm sure you'd be cool with a Chinese APT rooting your servers and stealing all that you have in your company?
It's a simple statement of fact that the United States has no jurisdictional authority over the actions Chinese citizens take in China against American citizens and vice versa. This is a serious problem for reasons such as this, but you cannot refute it as a basic statement of reality.
Put simply, American courts have no authority over Chinese in China, Chinese courts have no authority over Americans in the US, and our courts do not cooperate reciprocally as they do in other countries with alternative diplomatic and legal relations.
> Put simply, American courts have no authority over Chinese in China
Fortunately, this is no significant barrier.
It is not a barrier because we, in the US, can ban their hardware anyways, and cause serious economic damage to them anyway.
So it doesn't particularly matter if we use IP law itself, in the courts, against China, when we have other options, such as simply banning their products in this other way.
To do this the US would have to reset its entire diplomatic and trade posture with China. Despite all the rhetoric this isn't happening; the diplobureaucrats will be kicking that can for as long as they possibly can.
> To do this the US would have to reset its entire diplomatic and trade posture with China
No we wouldn't. Literally we are commenting in an article, about what I am suggesting is happening.
So the stuff that the article says is already happening, is what I suggested.
Could it go faster? Maybe. But like I said, we are literally commenting on an article, about how US telecoms are being required to replace certain equipment.
The US has jurisdiction over things imported to the US, and apparently over network equipment used in exchanges.
To my knowledge this has not previously been used as punishment for theft of trade secrets (Huawei was sanctioned for doing business in Iran), but the legal mechanism is there.
My understanding is that many Western firms had willingly entered into business agreements with Chinese firms, primarily for manufacturing but also for access to the Chinese market. It was always understood that such agreements included technology transfer, even if that wasn't always communicated to e.g. shareholders of Western firms. Not all Western firms entered such agreements, but those who did can't very well start crying about "hacking" now. When you tell someone a way to make money, they're going to remember that.
Because the two countries do not share definitions on what that even means. They both have to agree and both need a set procedure for adjudicating such disputes for it to be real. If the US says it's "IP theft" and China disagrees, there is a dispute on the legality of the act in question.
So for example, in France, there are many acts which are trademark infringement in France that are not trademark infringement in the US. A Frenchman can accuse an American of trademark infringement for an act that is not trademark infringement in the United States, but is infringement in France. They can bring a lawsuit in France, win, and potentially enforce that judgment on assets in the US with the cooperation of an American court despite the fact that the American did not, by the definitions of American law, infringe on anyone's intellectual property.
There are no such cooperative arrangements between the US and China despite recent attempts to set them up. There are also only limited agreements on what is and what isn't permitted.
So if it is true that this is economics not security, what was offered or threatened to coordinate action across all the countries sending Huawei away?
Mass population is moved by fear, but is that how concordance is manufactured across the executives of a set of countries: a few terrifying top-secret presentations, and IC has successfully reputation-assassinated a foreign company? Why would these countries agree if there was no breach and a cheaper price? What offer or threat besides a more expensive but more secure infra? I suppose if you view telcoinfra as defense assets then it's a no-brainer, but was this the calculus? Blackmail/Mafioso-tactics would be a good one, maybe: You have to buy from us, or we will reveal/do such-and-such horrible thing.
But if it's true this is economic, not security, and also that Huawei has superior value for money, then is it not just these countries accelerating their already decaying infrastructure, for the sake of pride?
"The phones are down." "Yeah, whaddayagonnado? At least we're not paying the Chinese to make them work."
Replace phones with other critical things China makes better for a better price, and the future of these countries may look like the past of the former-Soviet ones: a whole bunch of weird anachronistic tech resulting from an (in this case self-imposed) embargo. But at least it will be 100% built by subjects of approved countries. I suppose that is one strategy to fight back against the dominance of Chinese industry: just outlaw it.
The hilarious thing is, probably all these "approved suppliers" will have to purchase significant inventory from what is essentially Huawei's supply chain anyway. Seems much more like the tail wagging the dog, with corporate dishonesty dictating so-called natsec policy. Could it really be so twisted?
> coordinate action across all the countries sending Huawei away?
It should be noted that up until early 2020, the US campaign against Huawei had spanned 10+ years, and only secured a few commitments to ban Huawei, not even all of FVEYS. It was a spectacular failure. It wasn't until successive US sanctions against Huawei access to semiconductors that countries relented, not due to security concerns but Huawei's ability to supply hardware long term due to sanctions.
> Mass population is moved by fear, but is that how concordance is manufactured across the executives of a set of countries: a few terrifying top-secret presentations, and IC has successfully reputation-assassinated a foreign company? Why would these countries agree if there was no breach and a cheaper price? What offer or threat besides a more expensive but more secure infra? I suppose if you view telcoinfra as defense assets then it's a no-brainer, but was this the calculus? Blackmail/Mafioso-tactics would be a good one, maybe: You have to buy from us, or we will reveal/do such-and-such horrible thing.
Governments don't operate exclusively through sticks. The US has plenty of carrots to give out.
As of March 2019 [1] this vetting was not going very well in the UK. Only one piece of Huawei firmware was even able to achieve "binary equivalence" where the agency could determine that verified source was actually the source for specific firmware running on the device.
Reproducible builds are incredibly hard to achieve and require a significant amount of resources. Debian has been on this path for ages in a fully open ecosystem and still hasn't fully achieved it. Nobody could doubt their resolve.
All it takes is one tiny bit of proprietary software in the build chain that behaves non-deterministically (and they probably have several) and that's it. No equivalence until you rip it out and replace it. That's an expensive ask.
I'd be surprised if any vendors have achieved this. Hell, Cisco source code is probably riddled with spyware that they could spot at a glance, but "American IP considerations" 100% trump UK national security so I doubt they'd even get to see the source code.
I would love it if all of the vendors were made to have source code reviews and reproducible builds, but being realistic it's a standard that's only been demanded of Huawei. Even if they passed this high bar they'd only find some other excuse to rip them out.
Even so, unless you're talking about firmware for complex devices attached to the internet (what BT calls "the core", e.g. routers that they ripped out without much protest) you can still develop reasonable confidence that the firmware isn't exfiltrating sensitive data.
If it is simple and it is tightly scoped (e.g. firmware for an aerial) the spyware would have to be very clever and probably pretty obvious, assuming it was even possible. These kinds of devices are where the costs to rip out and replace every bit of hardware also became eye watering.
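The "binary equivalence" check discussed in the comments above, as an added example that is not part of the original thread: it compares a shipped image against a rebuild from reviewed source and reports any differing byte range that is not a known non-deterministic field. The toy image layout, the timestamp offsets and all function names are constructed for illustration.

```python
import hashlib
import struct

TIMESTAMP_FIELD = (4, 8)  # constructed layout: bytes 4..7 hold the build time

def make_image(build_time: int, payload: bytes) -> bytes:
    """Constructed toy firmware image: magic, build timestamp, payload."""
    return b"FWIM" + struct.pack("<I", build_time) + payload

def diff_ranges(a: bytes, b: bytes):
    """Return [(start, end)] half-open byte ranges where the images differ."""
    ranges, n, i = [], min(len(a), len(b)), 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):  # a length mismatch is itself a difference
        ranges.append((n, max(len(a), len(b))))
    return ranges

def check_equivalence(shipped: bytes, rebuilt: bytes, allowed):
    """Return (verdict, unexplained_ranges) for a shipped vs. rebuilt image."""
    if hashlib.sha256(shipped).digest() == hashlib.sha256(rebuilt).digest():
        return "identical", []
    # A difference is acceptable only if it lies wholly inside a field
    # that is documented as varying between builds.
    unexplained = [
        (s, e) for s, e in diff_ranges(shipped, rebuilt)
        if not any(lo <= s and e <= hi for lo, hi in allowed)
    ]
    if unexplained:
        return "mismatch", unexplained
    return "equivalent-modulo-allowed-fields", []

# Constructed sample images.
PAYLOAD = bytes(range(64))
SHIPPED = make_image(1551398400, PAYLOAD)
REBUILT_LATER = make_image(1551484800, PAYLOAD)
TAMPERED = make_image(1551484800, PAYLOAD[:40] + b"\xff" + PAYLOAD[41:])

if __name__ == "__main__":
    for name, img in [("same inputs", SHIPPED),
                      ("rebuilt later", REBUILT_LATER),
                      ("altered payload", TAMPERED)]:
        print(name, check_equivalence(SHIPPED, img, [TIMESTAMP_FIELD]))
```

With an empty allow-list the rebuilt-later image is reported as a mismatch, which is the situation the comment describes: every source of non-determinism has to be identified and accounted for before equivalence can be claimed.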
> I suspect it's an attempt to wage "economic" warfare. Under WTO rules national security is a virtual get out of jail free card for protectionism.
It's not like the US has to care too much about the WTO as the WTO has effectively been out of business for these past years due to the US blocking the appointment of new appeal judges [0].
So even if the WTO rules in favor of China, which it actually did on the steel tariffs [1], all the US needs to do is to appeal the decision and the WTO ruling will be stuck for all eternity in the appeals court, as that can't rule on the appeal without at least three judges.
I personally feel it is a pro-rated cost. I completely understand if China doesn't want to add US technology to their critical infrastructure and I hope China understands the practicality of it. It's a one time sunk cost, we would have to do it at some point. We aren't waging economic warfare as this is a tiny amount of trade that happens between the USA and China, if your theory was correct we would be doing it in all industries.
> At no point was any surveillance detected on any kit.
That's not proof of absence...
> I suspect it's an attempt to wage "economic" warfare. Under WTO rules national security is a virtual get out of jail free card for protectionism. Huawei had just recently proven that China can overtake western technological capabilities in a key industry. That's the point when America flinched.
> Huawei had just recently proven that China can overtake western technological capabilities in a key industry. That's the point when America flinched.
Here I was thinking it was because Tony Podesta et al were involved with keeping them clean in the first place!