Is it safe for Americans to buy Huawei-built Nexus phones?
Three years ago, Congress was considering banning Huawei hardware due to concerns over spying. Today, Google has chosen to make a Huawei-built phone into its flagship Nexus 6P. What are the security implications for American users?
Just three years ago, the U.S. House Permanent Select Committee on Intelligence was conducting investigations into the security threats posed by allowing enterprise-level communications hardware made by Chinese firms Huawei and ZTE into America.
And now, a smartphone made by Huawei is being distributed by Google as the next high-end Nexus device.
Yes, the two nations have agreed in principle not to wage cyberespionage attacks against each other, but does anyone truly believe that, given the opportunity, either China's intelligence apparatus or America's would not take a peek into the other nation's digital private parts? That's like asking Donald Trump not to brag or Hillary Clinton to avoid using email.
Competition on a global level is a very odd thing. On one hand, companies and nations are in a pitched fight, each participant determined to win. On the other hand, there can be no winning without some cooperation. This is true whether we're talking Apple vs. Google or America vs. China.
What Congress was up in arms about were routers and communications devices used in enterprise systems, not consumer-level smartphones. Even so, we are now considering trusting our most personal information to Huawei-built devices. Smartphones are both incredibly personal and incredibly data-intensive. If anything will be of interest to an organization interested in stealing secrets, it would be the personal data found on a smartphone.
Except for one thing: that's not really China's style. China tends to conduct big-picture espionage. The country seems far more interested in big scores, like the plans for our F-35 multirole and F-22 tactical fighters. China seems more than willing to let US taxpayers foot the bill for stolen R&D, which eventually found its way into its Chengdu J-20 Dragon fighter.
In fact, according to the 2013 edition of the always-excellent Verizon Data Breach Investigations Report, 30 percent of all cyberespionage activities originated in China. By contrast, the former Soviet states are into financial hacking. The same Data Breach Investigations Report attributes 40 percent of all financial hacking to Bulgaria, Romania, and Russia.
One of the issues I am particularly curious about is how we, as a global culture, manage technologies that are supplied by nations we may or may not have cordial relationships with. This is of particular concern since national policies can be so transitory, based on whatever regime is in power at any given time.
I reached out to Huawei for comment on this article and the issue of global sourcing. William B. Plummer, Vice President, External Affairs at Huawei Technologies shared this valuable perspective:
There is not a mobile device manufactured today that is not the product of global supply chains, with inputs and code from all over the world. The same, by the way, applies to telecommunications infrastructure. Every company is subject to common vulnerabilities. No-one is immune. No one company -- regardless of flag of headquarters -- is somehow more or less vulnerable or secure.
Huawei, for its part, as a leader in the industry, has put in place very sophisticated supply chain and other security assurance programs -- from ideation to end of life -- to ensure the integrity of our product. Huawei solutions -- infrastructure and devices -- are proven and trusted across 170 markets, connecting one-third of the world's population. Those are all facts.
So, should you feel safe buying a Nexus 6P or not?
First, as we've seen, the Chinese government isn't interested in your individual data. The Chinese government has much bigger fish to fry. So while I wouldn't advise government officials or military contractors to buy Huawei phones just as a matter of general principle, I don't think you're in any danger simply because the Nexus 6P is a Huawei-built device.
Second, of course, is the fact that the Nexus 6P is all Google. You can be darned sure that if there were nasty backdoors and stuff built into a Huawei device sold by Google, Google would discover it and block it particularly quickly. Remember that the hallmark of the Nexus brand is that, unlike other Android handsets, the phones are updated directly by Google.
In my professional opinion, there is a legitimate national security concern related to the degree in which we rely on Chinese manufacturing, and Chinese technology manufacturing in particular. China is not a friend of the United States and while it's not strictly an enemy, relying too much on a "frenemy" is not a wise long-term strategy, especially when our battlefield advantage has always been our technology.
But there's actually a bigger national security concern when it comes to manufacturing overall. For the past 40 years, the United States has moved away from being a manufacturing juggernaut, ceding that incredible international advantage to other nations with less expensive labor. In the long run, this isn't a discussion about China vs. the United States, it's a discussion of what the United States wants to be when it grows up: a strong builder with impregnable infrastructure or a consumer, reliant on other nations to feed our addictions to everything from oil to smartphones.
But that's a worry for policy-makers. As for you, if you want a Nexus 6P, go get a Nexus 6P. If you go out and buy one, let me know what you think about it in the TalkBack below.