The Huawei dilemma: Should the UK be worried?

British telcos, both fixed and mobile, use large amounts of Huawei gear. Given the concerns raised by a US congressional committee, are we in danger?
Written by David Meyer, Contributor

Huawei's equipment permeates British broadband infrastructure, both fixed and mobile.

The Chinese giant's gateways are used throughout BT's broadband network and its routers are in hundreds of thousands of BT customers' homes. TalkTalk uses Huawei routers too, and employs the company's technology in its HomeSafe security software. EE's network uses Huawei kit, and all the mobile operators carry or have carried Huawei handsets.

So, given that a US congressional committee on Monday issued a very stark warning indeed about Huawei and its Chinese rival ZTE, how worried should the UK be?

Should the UK be worried about the security implications of Huawei and ZTE equipment? Image: Karen Friar

Liberal Democrat peer Tim Clement-Jones, until recently one of Huawei's UK advisors, believes the company is less of a risk than portrayed in the report.

"In my view, I'm very sceptical about the way the US plays this, and most of all Republican congressmen," Clement-Jones told ZDNet on Tuesday morning. "I've sat through many meetings [covering Huawei's organisation and activities] and I think that a lot of this is pure anti-competitive behaviour in the US... They skewed the whole inquiry. They got their facts wrong."

The main suspicion raised by the committee is that Huawei and ZTE might, in concert with the Chinese state, have backdoors of some kind in their equipment that would allow Western networks to be spied on and potentially disabled in the case of cyber-warfare.

Here's a quick reminder of the US report's key recommendations (PDF) in this context (other points are on business practices, which we will come back to shortly):

  • Private-sector companies in the US are "strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services", and network providers should avoid them as vendors as, "based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence".
  • US government systems should most definitely not use Huawei or ZTE equipment, even components. The same should apply to the systems used by government contractors.
  • Neither company should be allowed to merge with or acquire any US firms.

The central issue here is whether Huawei and ZTE are trustworthy. The congressmen who wrote the report suggested this is not the case; this is mainly because the Chinese companies' structures are somewhat opaque and because neither was able or willing to reassure the committee that they are entirely free of Chinese state control.

According to the BBC, the UK parliament's intelligence and security committee has also been looking into the Huawei situation and will report back to prime minister David Cameron by the end of the year.

What did the US report say?

Firstly, the report has a classified annex containing evidence that, if exposed, would apparently compromise US national security. As we cannot read this part, we have to ignore it for now and focus on what we do know.

Huawei's structure is far cloudier than ZTE's because it remains a private business. ZTE has floated on the Shenzhen and Hong Kong stock exchanges, theoretically making it far more accountable and transparent about its dealings.

The congressmen highlighted the background of Huawei's chief Ren Zhengfei, who once worked for the Chinese military. This is far from uncommon in the country, but Ren was invited to the 12th National Congress of the Communist Party of China — something of a future leaders' club — in 1982 and soon afterwards founded Huawei, with great success.

Huawei maintains that Ren did not set up the company with the assistance of the party machine, but it remains tight-lipped as to whether Ren is still linked to those lofty echelons. Ren holds less than two percent of Huawei's shares, but he retains a veto.

Both Huawei and ZTE have Communist Party committees within their organisations. Again, there is nothing unusual about this — the party aims to have representatives in every private company with 50 or more employees. However, these cells' ubiquity does not make them any less worthy of suspicion, particularly as neither Huawei nor ZTE was willing to tell their US inquisitors what the cells do for the wider party.

Neither company could demonstrate its independence from the Chinese state, and neither provided clear answers over the connection between its R&D activities and the Chinese military.

Those are the most serious allegations. Others, if true, suggest odious business practices, but they do not reflect on the security implications of using Huawei and ZTE's kit.

These allegations include a disregard by both companies for US intellectual property and export laws and restrictions by Huawei on promotion for those who are not Chinese nationals. In addition, ZTE apparently bid below cost for rural broadband contracts in the US — it seems ZTE's representatives initially admitted this dumping, but then changed their tune when the questioners expressed surprise at ZTE's candour.

The UK situation

Although it does have an R&D relationship with BT, ZTE is not nearly as active in the UK as Huawei is.

Huawei's UK R&D facility originally came from the British government and BT. The company's equipment is, as noted above, widely used within the country.

The Chinese company has for many years been very keen to engage the UK press — I am one of many journalists that Huawei has flown over to China to see its headquarters and selected facilities. It also has some very high-level spokespeople and advisors in the UK.

John Suffolk. Image: Cabinet Office

Huawei's security chief, John Suffolk, used to be the UK CIO. The company's UK advisory board is headed up by former UK Trade & Investment chief Andrew Cahn. Tory peer Patience Wheatcroft is on the board, as until recently was Lib Dem peer Clement-Jones.

Clement-Jones's departure from the board was linked to the US congressional inquiry, but only in that the law firm for which he works, DLA Piper, was advising ZTE during the inquiry, and this created a conflict of interest.

The peer pointed to the Banbury-based Cyber Security Evaluation Centre that Huawei established with the UK intelligence services as an example of the company's willingness to let its equipment be vetted.

The congressional report also referred to the centre, particularly as a point of comparison with the vetting offers that Huawei and ZTE have made in the US — there, they have offered third-party vetting; in the UK, the government's own intelligence services are involved. The committee suggested that the third-party approach may result in a false sense of security.

As for the UK testing centre, the congressmen did not suggest it was failing in its duties. Rather strangely, they suggested only that "it is not clear yet... that such steps would readily transfer to the US market or successfully overcome the natural incentives of the situation and lead to truly independent investigations".

Major customers such as BT are adamant that there is nothing to worry about. The ISP told me that none of the Huawei components it uses in its core network are "intelligent or processing".

"BT's relationship with Huawei is managed strictly in accordance with UK laws and security best practice," the company said. "BT's network is underpinned by robust security controls and built-in resilience. We continue to work closely with all our suppliers and the government, where appropriate, to ensure that the security of the network is not compromised."

Drawing conclusions

Let's be frank: the fundamental problem here is that Huawei and ZTE are Chinese companies. Any firm that wants to grow and succeed in China needs to have some level of state approval, and it certainly needs to have connections to the Communist Party.

Given that China's political and economic system is somewhat less than transparent, it is therefore deeply unsurprising that Huawei and ZTE's testimony to the congressional committee fell short of the questioners' hopes. How much did those representatives know? How much were they allowed to say? These are not questions we can answer.

Huawei's manufacturing centre at Songshan Lake, near Shenzhen. Image: Karen Friar

To some extent, ZTE has been right to retort that, if it and Huawei are to be blackballed in the US, the same should go for every Chinese IT and telecoms equipment manufacturer. How does it make sense to ban Chinese firms from building critical national infrastructure, but be fine with them putting laptops and mobile devices in the hands of most consumers and businesses?

That's not to say such a wide ban should come into play, but it is a logical extension of the thinking behind the report. Apart from testing the kit thoroughly, as it is doing, it is hard to see what the UK could do but simply ban all Chinese IT and telecoms equipment.

That way lie trade wars and market distortion. It would be expensive and a massive risk — and all on the basis of suspicions that may or may not be well-founded.

Unless the Chinese system becomes more transparent, which is unlikely to happen soon, we remain caught between that risk and the risk of using equipment that comes from an untrusted source.

Neither solution to this problem is particularly attractive.
