The Complex

U.S. lawmakers to American companies: Don't do business with Huawei or ZTE

Representatives Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) today unveiled their report accusing Chinese telecom giants Huawei and ZTE of spying on American companies for the Chinese government. Bottom line: the report recommends that U.S. businesses, especially those involved in "critical infrastructure," stop buying Huawei and ZTE products until the companies play by the rules.

Rogers, chair of the House Intelligence Committee, claimed during a press conference to unveil the report that Huawei and ZTE are likely breaking the law in the United States -- doing everything from bribing an unnamed company or official to "beaconing," or passing lots of sensitive data about U.S. companies back to China in the middle of the night (a claim that a Huawei spokesman denied after the press conference until he was nearly red in the face).

Rogers and Ruppersberger refused to provide more details or evidence about their allegations of wrongdoing other than saying they came from a thorough investigation.

Rogers said that during the lawmakers' yearlong investigation they spoke with everyone from current American employees of the two telecoms -- who were willing to reveal some of their alleged bad behavior -- to Chinese officials from the companies who weren't exactly cooperative, if you ask Rogers.

Rogers said that these firms are not "private entities" but rather are legally bound to conduct the industrial espionage he accused them of on behalf of the Chinese government.

Apparently, the investigation collected enough dirt on Huawei that the FBI is opening an investigation into "a clear case of bribery to get a contract in the United States," according to Rogers.

Among the key recommendations:

 

  • The U.S. government and government contractors shouldn't use anything made by the two companies and the Committee on Foreign Investments in the U.S. (CFIUS) should block any acquisitions, mergers or takeovers involving Huawei and ZTE given their "threat to U.S. national security."
  • U.S. network providers and systems developers should "seek other vendors for their projects."
  • The U.S. government should investigate unfair trade practices, especially illegal Chinese government subsidies to companies like Huawei and ZTE that allow Chinese businesses to undercut their competitors.
  • Chinese companies should become more transparent and responsive to U.S. legal obligations.
  • The U.S. Congress should consider legislation dealing with the risk posed by telecoms with "nation-state ties or otherwise not clearly trusted to build critical infrastructure." Such legislation could involve increasing private companies' ability to share information on cyber threats and increasing CFIUS's ability to review purchasing agreements.

 

Now, here's the unclassified version of the report.

 

Huawei-ZTE Investigative Report (FINAL)

National Security

Is the Pentagon and DHS' cyber info sharing program really shrinking?

The Pentagon's effort to exchange data about cyber threats with defense contractors -- dubbed the Defense Industrial Base (DIB) program -- has actually been losing participants since it was expanded to include the Department of Homeland Security, according to Rep. Mike Rogers (R-Mich.).

"They gave DHS responsibility to [expand] from the 20 in the DIB pilot, the 20 original companies working through the Department of Defense whose mission it was to kind of get this information-sharing thing up and running to see if we could actually do it and if it was scalable," said Rogers during a speech yesterday at the U.S. Chamber of Commerce, where he questioned DHS's ability to be the lead federal agency in defending privately owned critical infrastructure from cyber attack.  

"The president said about a year ago that we want to have a thousand companies engaged in the DIB pilot. That was about a year ago. This oughta say everything we need to know . . .  guess how many companies we have participating?" asked Rogers. "I'll tell you: less than 20. We've lost somewhere between five and seven companies, no gains, no effort to get more people involved."

Rogers' comments come on the heels of assertions by several Pentagon officials who say that companies are lining up to join the program that was expanded out of pilot mode last spring.

"If you're a Defense Department contractor with a facility clearance, we want to share classified threat information with you," Richard Hale, the Pentagon's deputy chief information officer for cyber, said on Sept. 27 of DoD's efforts to expand the program with DHS. "It's a voluntary program. We'll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that's getting classified information and using it to protect you."

"We're teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," added Hale.

Hale's comments echoed those of his boss, DoD's chief information officer, Teri Takai.

"We've got a queue of companies that are interested in joining, we've got other federal agencies that are interested in coming aboard, and we've got other federal agencies that are interested in either using our program or creating a similar program," said Takai while discussing the program with Killer Apps in early September.

Rogers made his criticisms during the same speech in which he claimed that a newfound cyber threat may prompt lawmakers to consider passing legislation that would allow private companies to quickly share information about cyber threats with the federal government without fear of being sued for misusing U.S. citizens' private information. Numerous pieces of legislation (including Rogers' CISPA) aimed at allowing the government and private sector to quickly share information about cyber threats were defeated in the last year amid protest from a range of privacy advocates.

DoD tells Killer Apps it is looking into Rogers' comments, with one spokesman saying, "This is the first I'm hearing that the DIB program is struggling for members."