Paranoia will destroy us: Why Huawei and other Chinese tech is not spying on Americans

The notion that the Chinese government would spy on corporations and US agencies with electronic devices manufactured by Chinese companies is not only absurd but would be catastrophic to furthering its ambitions in world trade.
Written by Jason Perlow, Senior Contributing Writer

This article was first published in January 2018.

It all began at CES 2018 in Las Vegas, when the US President of Huawei's consumer business, Richard Yu, went off-script in his presentation to lament that the Chinese smartphone giant had been unable to consummate a deal to sell its smartphones at any large US-based cell carrier.

Political pressure being applied by lawmakers in US Congress on AT&T and other carriers is the root cause of Huawei's woes. US telecom firms would indeed be putting government contracts in jeopardy by doing further business with the Chinese firm, so Huawei mobile devices are currently unobtainable from a major US carrier. 

You have to buy them in places like Amazon, specialist online retailers, or Huawei's consumer websites, and activate them on a carrier yourself.

The situation in the last year has become worse. The CFO of Huawei, and the daughter of the company's founder, Meng Wanzhou, has been arrested in Canada at the request of the US government on grounds that the company violated trade sanctions against Iran. This has become a major international incident, and China is now accusing the US of this action against the company as being politically or economically motivated.

The US has also been canvassing its allies in Europe and other countries to cease doing business with Huawei, particularly as it pertains as international rollouts of 5G equipment. It has been partially successful so far. The wireless firm Orange has ruled out using Huawei products in its core 5G network in France, and Germany's Deutsche Telekom has announced that it's reviewing purchases of Huawei equipment. 

And it appears that the Sprint and T-Mobile merger is likely to present a major issue for SoftBank, which is a majority shareholder in Sprint and has close ties to the Chinese firm -- and may be problematic for completing the $26.5 billion merger itself, if Trump administration officials deem the deal as a threat to national security.

So, what's next for the US and China, and the future Chinese consumer electronics in this country?

Also: Going rogue at CES 2018: Is Huawei a 21st century Dell?

China and the US: A complex relationship

Huawei does not just make smartphones. It is also a gigantic telecommunications equipment manufacturer and is actively involved in determining the global 5G standard, which it is collaborating on with AT&T.

US Republican representative Michael Conway of Texas has sponsored a bill -- H.R. 4747 -- that, if passed, would prohibit any US government agency from doing business with Huawei and similar firms, such as ZTE.

The verbiage of the proposed bill claims that, according to our security agencies, Huawei and ZTE have shared sensitive information with China, and that Chinese security agencies can access private US business communications using Huawei and ZTE's equipment.

Huawei and ZTE, of course, have repeatedly denied these allegations since Congress began accusing both of these firms of using their commercial networking products for espionage back in fall 2012.

It should be noted no substantial proof of espionage by China or Huawei/ZTE has ever been established from these accusations and the House intelligence committee report released at the time did not offer much in terms of substance either.

There's no question that the relationship between China and the US is a highly complex one, and that China possesses one of the most sophisticated security apparatus in the entire world, rivaling that of Russia, the US, and other western nations.

Just as the US routinely spies on many countries, China's security agencies also spy on the US and other nations of interest.

Also: Made in China: Four horsemen of the iPhone apocalypse

Our economic reality

So, what is the solution? To stop buying equipment from China and to cease doing business with them?

Well, the short answer is not only no. But, basically, it would be impossible, financially, and from a practicality standpoint.

In 2016, US exports to China were $116 billion, whereas the value of China's exports to the US was $463 billion -- making that year's trade deficit $347 billion.

Our debt to China, financed by US Treasury notes, is $1.2 trillion. This financing of Treasury notes has kept US interest rates low.

If China stopped buying US Treasury notes, the interest rates would rise and could throw the entire world into a global recession. This wouldn't be in China's best interests because shoppers would buy fewer Chinese exports.

China also cannot call in that $1.2 trillion loan -- it would utterly poison its well.

That's the economic reality. The US -- and the western world as a whole -- is China's best customer next to its own domestic market. The country has zero desire to jeopardize this, regardless of its own national security interests.

If it were discovered that China was, in fact, using consumer electronics exports to spy on American citizens and businesses en masse, the consequences would be utterly disastrous for it.

Not just in terms of jeopardizing its export business in the US but also in every country it does business with now. It would be catastrophic for the country's image and would throw the global consumer electronics industry into utter chaos.

Also: 10 best smartphones not made in China

All kinds of stuff come from China

Chinese firms aren't just responsible for final assembly, productizing, and shipping product abroad, they also form a large portion of the overall supply chain of manufacturing electronic components used in just about every electronic device manufactured all over the world.

I'm talking about all kinds of stuff that go into not just smartphones and mobile devices, but also the Internet of Things (IoT), major appliances, medical devices, automobiles, aerospace, you name it.

If a product has semiconductors in it, there is a good chance they came from China. Yes, there are other countries that make products that have semiconductors and electronics, such as Japan, Korea, Taiwan, Singapore, Vietnam, Malaysia, and, of course, the European and South American nations.

But they too use Chinese firms as not just suppliers for certain things but also for partial and final assembly, because it is that much cheaper to do there.

Also: Chinese censorship cracks down on WeChat, Weibo, WhatsApp

Keeping China out of products

So, what do we do? Well, we can't prohibit American firms from doing business with Chinese companies or foreign firms that use Chinese-made components just because we are nervous they might use their products to spy on us.

We can set internal procurement controls on certain types of products and have rigorous monitoring and testing of stuff before it ends up being used in government agencies, but that's about it.

There is no practical or legislative way of keeping China out of products being brought into the US. Such efforts would be counterproductive.

That being said, the threat of our devices being used to spy on us is very much real -- but China should not be the focus of concern. Rogue nation states such as North Korea and malicious/criminal groups seeking financial gain are really what we need to be concerned about.

Also: Apple transfers iCloud operation in China to a local government-backed firm

An international effort is needed

I believe there needs to be an international effort to monitor and certify consumer electronics so that we can better understand the nature of these threats and then take appropriate action when they are discovered.

The software development and hacker communities residing within the major technology firms already have informal inter-firm efforts to monitor embedded operating systems and applications for potential malware.

To date, they've done a very good job overall of discovering major security exploits and malware, but we can improve this by formalizing how this is done by having our government form and fund organizations with our allies -- as part of overall international treaty negotiations -- with the express effort of increasing due diligence in analysis and monitoring of software that runs on consumer electronics.

The efforts to date have only covered "In-band" types of exploits and malware. In other words, code/processes that exist in software, such as Android or iOS applications distributed in the respective app stores or that are sideloaded, or processes that run in the different OEM distributions of the mobile operating systems themselves.

This needs to continue, but we have to go deeper. The real concern would be "out-of-band" exploits and malware that would not be discovered within applications or operating systems, but in the components, such as firmware or hard-coded routines within the semiconductors themselves (like a baseband communications chip) that would not be detected as a high-level process.

So far, no such state-sponsored malware or an exploit has ever been detected in a semiconductor component originating from China, or, at least, such a discovery has never been validated. All we have received so far is an accusation from a reporter at Bloomberg that certain SuperMicro server systems had a chip that was intercepting and forwarding network traffic from data centers of 30 American corporations, including Apple. That has so far been proven to be categorically false by SuperMicro, as well as Apple and Amazon.

The only comparable out-of-band exploits that have been discovered are the Spectre and Meltdown bugs in Intel, AMD, and ARM processors, which are categorized as unintentional but exploitable architectural flaws and common issues related to modern microprocessor design -- and they have nothing to do with China.

Oh, and the most significant discovered out-of-band exploit prior to those two? Also Intel in origin.

Also: In rapid onslaught, Chinese phone makers take control

We can't preoccupy ourselves with this

So, should we be concerned about out-of-band exploits and potential malware in a society that is increasing its use of electronic devices in every aspect of our lives? Yes.

Should we closely examine this with much more organized and international efforts? Absolutely.

Should we worry that China is plotting some master plan to Hoover all our data and penetrate our government and corporations using undetectable malware embedded in the fundamental components found in consumer electronics manufactured in that country?

No. There's a chance it could happen, and we should be vigilant and take our best efforts to monitor that it isn't happening, but we can't preoccupy ourselves with this.

Let American consumers decide which products they want to buy. Legislation that prevents competition is not only stupid and unproductive but also puts our citizens at a disadvantage by not allowing them to purchase inexpensive products that other countries can freely and easily access.

Should you be allowed to buy Chinese brands of phones in the US? Is Congress and the Trump administration interfering with the fundamental principles of capitalism? Talk Back and Let Me Know.

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Chinese manufacturers fuel global smartphone sales

Worldwide smartphone sales climbed 9.1 percent to 380 million units in first-quarter 2017, driven by Chinese vendors such as Huawei and Oppo offering competitive price-points for feature-packed phones.

Elite Chinese hackers target board directors at some of the world's largest firms

The APT 10 hacking group has struck again, this time using a watering hole attack to compromise the National Foreign Trade Council website and gather sensitive data about its directors.

Editorial standards