A White House-ordered review of security risks posed by suppliers to US telecommunications companies found no clear evidence that Huawei Technologies Ltd (華為) had spied for China, two people familiar with the probe said.
Instead, those leading the 18-month review concluded early this year that relying on Huawei, the world’s second-largest maker of networking gear, was risky for other reasons, such as the presence of vulnerabilities that hackers could exploit.
These previously unreported findings support parts of a landmark US congressional report last week that warned against allowing Chinese companies Huawei and ZTE Corp (中興) to supply critical telecom infrastructure. However, they may douse speculation that Huawei has been caught spying for China.
Some questions remain unanswered. For example, it is unclear if security vulnerabilities found in Huawei equipment were placed there deliberately. It is also not clear whether any critical new intelligence emerged after the inquiry ended.
“The White House has not conducted any classified inquiry that resulted in clearing any telecom equipment supplier,” White House National Security Council spokeswoman Caitlin Hayden said.
She also said Huawei had been barred from participating in an emergency network for first responders a year ago “due to US government national security concerns.”
At the White House’s direction, according to people familiar with the matter, intelligence agencies and other departments conducted the largely classified inquiry, delving into reports of suspicious activity and asking detailed questions of nearly 1,000 telecom equipment buyers.
“We knew certain parts of government really wanted” evidence of active spying, said one of the people. “We would have found it if it were there.”
A spokesman for Huawei said the company was not familiar with the review. but it was not surprised that no evidence of Huawei espionage was found, while ZTE said it had never encountered an instance of its equipment causing security problems in the countries in which it operates.
Last week’s report from the Republican and Democratic leaders of the House of Representatives Intelligence Committee noted the potential for spying through Huawei gear installed to manage traffic on wireless networks. The committee also criticized Huawei’s leadership for failing to provide details about its relationships with Chinese government agencies.
The report did not present concrete evidence that either Huawei or ZTE has stolen US data, although it said a classified annex provided “significantly more information adding to the committee’s concerns” about the risk to the US. Speculation has swirled about the contents of the secret annex, and both committee Chairman Mike Rogers and some intelligence officials have hinted at evidence that Huawei has participated in espionage.
Pressed about why the White House review and unclassified version of the House Intelligence Committee report had not turned up a “smoking gun,” two officials familiar with intelligence assessments said US agencies were most concerned about the capability for future spying or sabotage.
Similarly, Chris Johnson, a former CIA analyst on China, said he had been told that the White House review had come up empty on past malicious acts. Nonetheless, officials emerged from the review with “a general sense of foreboding” about what would happen if China asked Huawei for assistance in gathering intelligence from US customers, he said.
“If the Chinese government approached them, why would they say no, given their system?” Johnson said.
Preventing state spying through technology is a high priority for US President Barack Obama’s administration, which is lobbying for legislation to raise private-sector security standards and readying a more limited executive order along those lines.
Reuters interviews with more than a dozen current and former US government officials and contractors found nearly unanimous agreement that Huawei’s equipment poses risks: The company could send software updates that siphon off vast amounts of communications data or shut them down in times of conflict.
More than anything else, cyber experts complained about what they said was poor programming that left Huawei equipment more open than that of rivals to hacking by government agents or third parties.
“We found it riddled with holes,” said one of the people familiar with the White House review.
At a conference in Kuala Lumpur last week, Felix Lindner, a leading expert in network equipment security, said he had discovered multiple vulnerabilities in Huawei’s routers.
“I’d say it was five times easier to find one in a Huawei router than in a Cisco one,” Lindner said.
Lindner, who spent months investigating Huawei code, said the vulnerabilities appeared to be the result of sloppy coding and poor procedures, rather than any deliberate attempt at espionage. Huawei is looking into his findings, he said.
However, some in the US government have said the alleged poor security practices at Huawei could be a deliberate cover for future attacks. One computer scientist, who helped conduct classified US government research on Huawei routers and switches four to six years ago, said he had found “back doors” that his team believed were inserted with care.
Huawei has denied the existence of these back doors.