Is it safe for Americans to buy Huawei-built Nexus phones?

Three years ago, Congress was considering banning Huawei hardware due to concerns over spying. Today, Google has chosen to make a Huawei-built phone into its flagship Nexus 6P. What are the security implications for American users?
Written by David Gewirtz, Senior Contributing Editor
Just three years ago, the U.S. House Permanent Select Committee on Intelligence was conducting investigations into the security threats posed by allowing enterprise-level communications hardware made by Chinese firms Huawei and ZTE into America.

And now, a smartphone made by Huawei is being distributed by Google as the next high-end Nexus device.

How quickly we forget

We actually covered the Huawei controversy in depth here on ZDNet. We even did a Great Debate on the topic. The issue was whether or not Huawei would spy on Americans at the behest of its national leaders. After all, it's not like China and America have a healthy history when it comes to cyberwar and espionage.

Yes, the two nations have agreed in principle not to wage cyberespionage attacks against each other, but does anyone truly believe that, given the opportunity, either China's intelligence apparatus or America's would not take a peek into the other nation's digital private parts? That's like asking Donald Trump not to brag or Hillary Clinton to avoid using email.

Competition on a global level is a very odd thing. On one hand, companies and nations are in a pitched fight, each participant determined to win. On the other hand, there can be no winning without some cooperation. This is true whether we're talking Apple vs. Google or America vs. China.

In the case of Apple vs. Google, Google has to put its applications on iPhones, because the iPhone owns such a tremendous customer base. And while Apple allows Google's apps, it doesn't give Google full advantage. It ripped out Google's Maps as the main mapping product (not necessarily a smart move), it uses Bing as Siri's search backbone, and you have to specially download the YouTube app. It doesn't come pre-installed.

In the case of America vs. China, we rely on billions of dollars in Chinese loans, and the Chinese rely on having Americans as customers. And yet, many younger Chinese military leaders consider America to be the ultimate enemy.

In technology, this web of international "coopetition" is particularly prevalent. One of the weirder cases is antivirus software, which is often made in the very countries we're particularly concerned about when it comes to malware.

One of the most popular antimalware products in use here in America, for example, is made by Kaspersky Lab, a company with deep ties to Russian intelligence operations. Huawei bought out Symantec's stake in a joint venture -- a joint venture that led to Huawei gaining access to much of Symantec's antivirus code.

This all brings us back to a Huawei-built smartphone sold to America's most ardent Google users.

While ZTE and Huawei deny any charges of enabling backdoors in their networking hardware, even Congressional investigators felt that there was a reasonable suspicion that the Chinese hardware makers are building easy-access espionage portals into their hardware. In fact, there was rare bipartisan support for a possible ban on Huawei hardware.

What Congress was up in arms about were routers and communications devices used in enterprise systems, not consumer-level smartphones. Even so, we are now considering trusting our most personal information to Huawei-built devices. Smartphones are both incredibly personal and incredibly data-intensive. If anything will be of interest to an organization interested in stealing secrets, it would be the personal data found on a smartphone.

Except for one thing: that's not really China's style. China tends to conduct big-picture espionage. The country seems far more interested in big scores, like the plans for our F-35 multirole and F-22 tactical fighters. China seems more than willing to let US taxpayers foot the bill for stolen R&D, which eventually found its way into its Chengdu J-20 Dragon fighter.

In fact, according to the 2013 edition of the always-excellent Verizon Data Breach Investigations Report, 30 percent of all cyberespionage activities originated in China. By contrast, the former Soviet states are into financial hacking. The same Data Breach Investigations Report attributes 40 percent of all financial hacking to Bulgaria, Romania, and Russia.

One of the issues I am particularly curious about is how we, as a global culture, manage technologies that are supplied by nations we may or may not have cordial relationships with. This is of particular concern since national policies can be so transitory, based on whatever regime is in power at any given time.

I reached out to Huawei for comment on this article and the issue of global sourcing. William B. Plummer, Vice President, External Affairs at Huawei Technologies shared this valuable perspective:

"There is not a mobile device manufactured today that is not the product of global supply chains, with inputs and code from all over the world. The same, by the way, applies to telecommunications infrastructure. Every company is subject to common vulnerabilities. No-one is immune. No one company -- regardless of flag of headquarters -- is somehow more or less vulnerable or secure.

"Huawei, for its part, as a leader in the industry, has put in place very sophisticated supply chain and other security assurance programs -- from ideation to end of life -- to ensure the integrity of our product. Huawei solutions -- infrastructure and devices -- are proven and trusted across 170 markets, connecting one-third of the world's population. Those are all facts."

So, should you feel safe buying a Nexus 6P or not?

Let's ignore the issue of just how safe or unsafe anyone should feel running Android, what with Stagefright and other exploits running around in the wild. Let's just focus on whether or not an Android phone made by Huawei specifically should be considered safe for Americans to buy.

The bottom line is this: I think you're good.

First, as we've seen, the Chinese government isn't interested in your individual data. The Chinese government has much bigger fish to fry. So while I wouldn't advise government officials or military contractors to buy Huawei phones just as a matter of general principle, I don't think you're in any danger simply because the Nexus 6P is a Huawei-built device.

Second, of course, is the fact that the Nexus 6P is all Google. You can be darned sure that if there were nasty backdoors and stuff built into a Huawei device sold by Google, Google would discover it and block it particularly quickly. Remember that the hallmark of the Nexus brand is that, unlike other Android handsets, the phones are updated directly by Google.

In my professional opinion, there is a legitimate national security concern related to the degree to which we rely on Chinese manufacturing, and Chinese technology manufacturing in particular. China is not a friend of the United States and while it's not strictly an enemy, relying too much on a "frenemy" is not a wise long-term strategy, especially when our battlefield advantage has always been our technology.

But there's actually a bigger national security concern when it comes to manufacturing overall. For the past 40 years, the United States has moved away from being a manufacturing juggernaut, ceding that incredible international advantage to other nations with less expensive labor. In the long run, this isn't a discussion about China vs. the United States, it's a discussion of what the United States wants to be when it grows up: a strong builder with impregnable infrastructure or a consumer, reliant on other nations to feed our addictions to everything from oil to smartphones.

But that's a worry for policy-makers. As for you, if you want a Nexus 6P, go get a Nexus 6P. If you go out and buy one, let me know what you think about it in the TalkBack below.
