America is taking action against the Chinese telecom equipment giant Huawei, and asking the rest of the West to follow suit.
How did things reach such a point? How dangerous really is Huawei, and how should India secure its interests in all of this?
Recently, after many years of whispers, allegations, and mistrust of telecom equipment hardware, the US government formally made its case against the Chinese hardware and technology giant Huawei. The allegations and charges against Huawei in different geographies over time have ranged from the possible existence of spyware, malware and trapdoors, IP violations and reverse engineering, to wire fraud and violation of Iranian sanctions. All of them have been naturally and constantly denied by the company and its country of origin, China.
Huawei is a privately held company that was founded in 1987 by Ren Zhengfei with just $5,000. According to Zhengfei’s Wikipedia page, Ren Zhengfei attended the Chongqing University in the 1960s and then joined the People's Liberation Army (PLA) research institute to work as a military technologist in the PLA's Information Technology Research Unit. He retired from the army due to a large PLA workforce reduction which impacted 500,000 active duty personnel.
Such ties with the Chinese military have often been cited by many governments as grounds for placing restrictions on Huawei. These even led to the collapse of Huawei's efforts to buy 3Com and forced SoftBank to sever ties with Huawei. SoftBank had to do this in order to have its takeover of Sprint Nextel acquire US national-security clearance. In the United Kingdom, the Intelligence and Security Committee has recommended the removal of Huawei's equipment due to spying fears.
Huawei surpassed Ericsson to become the number one global seller of network gear in 2017. It currently supplies 45 of the top 50 global phone companies and has signed contracts with 30 carriers to test its next-generation technology. The Huawei smartphone is the world's second largest in terms of market share, and the company also prides itself on being one of the biggest developers of fifth-generation telecom technology along with Nokia and Ericsson.
Now let us examine the reasons why companies with Chinese origin seem to be facing the heat across the globe today.
To begin with, it appears fundamentally to be an issue of trade imbalance, but there is something more that is seemingly causing a sense of mistrust. Companies like Huawei are already facing trouble in Australia, Britain, New Zealand and Poland, and after the US news, the Czech Republic is said to be planning to exclude it from a critical government tender.
India too has had its own brush with mistrust of Chinese hardware, which led to the initial set of regulations in license agreements with Telecom Service Providers (TSPs) directed by the Department of Telecom. These asked for certifications and subsequent mandatory testing requirements on all hardware entering the telecom networks.
Let’s look at how important and critical the threat is, and at the reason governments around the world mistrust one another.
According to a paper titled "Stealing Thunder" by the European Centre for International Political Economy (ECIPE), Europe is securing personal information with all its might, but business information like ongoing contract negotiations, customer and marketing data, product designs and R&D run the risk of hacking. Within five years, an entire connected business can be copy-pasted, stolen and handed over to a competitor by even a government-sponsored hacking group.
The paper states that while all governments may spy in some form or the other, a few do so to hand over the information to their industry. Since the East India Company of the sixteenth century, the collusion between power and commerce has always been a fact of life – and the Internet is just a new chapter in that story.
Chinese hardware companies have often been accused of having ties with the People’s Liberation Army and are suspected of having undertaken industrial espionage on thousands of Western firms during 2009. The incident, called Operation Aurora in Western media, implied an unprecedented degree of state and business collusion and targeted relatively ordinary businesses (such as banking and chemicals) rather than military intelligence. According to the paper by ECIPE, it’s fair to say that all governments spy, albeit for different reasons, but only a few do so for commercial motives, to pass on the acquired knowledge to their own companies.
APT10 - Operation Cloud Hopper
Since late 2016, PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by a China-based threat actor, widely known within the security community as ‘APT10’. The campaign, which is referred to as Operation Cloud Hopper, targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor.
PwC UK and BAE Systems assess that it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection. It has been in operation since at least 2009, and has evolved its targeting from an early focus on the US defence industrial base (DIB) and the technology and telecommunications sector, to a widespread compromise of multiple industries and sectors across the globe.
APT10, a name originally coined by FireEye, is also referred to as ‘Red Apollo’ by PwC UK, ‘CVNX’ by BAE Systems, ‘Stone Panda’ by CrowdStrike, and ‘menuPass Team’ in the public domain. The threat actor has previously been the subject of a range of open source reporting, including a report by FireEye detailing the threat actor’s use of the Poison Ivy malware family. Blog posts by Trend Micro similarly gave details of the use of EvilGrab malware.
It is also interesting to note here that the Chinese National Intelligence Law (“NIL”) came into force in June 2017 and was updated in April 2018. According to a report by Mannheimer Swartling in January 2019, NIL applies globally to Chinese groups, whereby all subsidiaries, even those outside China, could be subject to NIL. If a Chinese parent company is subject to NIL, NIL could, from a public international law perspective, also have jurisdiction over the group’s foreign subsidiaries.
NIL applies to all organisations in China, regardless of ownership, i.e. regardless of whether the company is private or public, or funded by Chinese shareholders or foreign shareholders.
However, NIL would only apply to the Chinese subsidiaries of a non-Chinese Group. A parent company outside China would not be subject to Chinese jurisdiction under public international law. NIL applies to all Chinese citizens, and because NIL does not appear to have an explicit geographical limitation, it could be construed to apply to all Chinese citizens even when residing outside of China.
Based on a literal reading of NIL, it appears to have an unusually broad scope of application. Article 7 of NIL states: “All organizations and citizens shall, according to the law, provide support and assistance to and cooperate with the State intelligence work, and keep secret the State intelligence work that they know.”
These types of laws, although arising from a national security standpoint to which every country is entitled, would naturally be understood differently, when applied and read in the context of business, by countries that apply the China prism and the supply chain mistrust factor.
The India Side To HUAWEI
The Indian government came out with directives in April 2010 directing telecom players, both public and private, to get security clearance for procuring telecom equipment/software from foreign vendors. With the number of entrants increasing in the Indian mobile market, this move was meant to address concerns raised by Indian intelligence and security agencies that telecom equipment may carry malware/spyware enabling other countries to snoop into Indian networks with a disruptive capability to cripple critical infrastructure. Several further checks were put in place to ensure compliance, and an effort was directed at setting up an equipment testing lab for checking such issues.
In May 2011, India issued comprehensive guidelines on telecom security, mandating equipment tested only according to Indian or international security standards.
While the onus continues to be on the TSPs to take care of their infrastructure and to report attacks and detected activity to the government, India still doesn’t have sufficient safeguards in the telecom sector, which today, thanks to massive usage of the internet through mobiles and the rapid growth of e-commerce, seems to be contributing to the next wave of the digital economy.
India continues to have a massive trade imbalance with China and continues to rely heavily on the import of equipment, components and parts from China. DoT has been in work-in-progress mode on telecom testing since 2013, extending the dates, for now, till April 2019. In November 2018, the ‘Security Standards Facility’ at the National Centre for Communications Security, DoT, at Bengaluru was inaugurated for security testing and certification of equipment, security audits, threat intelligence and reporting of security incidents. By the threat standards, this lab starts at the vanilla level without any flavours or toppings and hence has a long way to go.
To its credit, whatever might be the past, Huawei has managed to innovate through R&D and seems to be ready to offer cutting-edge 5G technology with its cost advantage intact and even with further capabilities. Countries like Germany, France, Japan, etc. seem to be acting with caution but do not seem to be taking the banning route. India, despite the past issues in 2014 wherein there was an alleged attack on BSNL networks through a Huawei machine, which could not be established, seems to be going ahead with their participation in 5G trials.
Whatever may be the truth of the case or the related geopolitics involved between the Chinese and the rest of the world, India needs to do its own homework on what is required and best for its citizens and its security. Hence, irrespective of what comes in from different parts of the world, India must adopt its own due diligence and progress with caution, with necessary checks and balances in place for ensuring cyber safety and security.
Views expressed are personal.