Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:50 PM
Connect Directly

FCC Designates Huawei & ZTE as National Security Threats

Backdoors in 5G network equipment from these vendors could enable espionage and malicious activity, agency says.

The US Federal Communications Commission (FCC) Tuesday formally designated China's Huawei and ZTE Corp. as national security threats, citing their close relationship with the Chinese government.

The decision means that US carriers can no longer use money available under the FCC's Universal Service Fund (USF) to purchase 5G — or any other — equipment, services, or systems from either of the two Chinese equipment manufacturers or any of their subsidiaries and affiliates. The US Department of Defense and other government agencies previously announced decisions to discontinue use of technologies from Huawei and ZTE equipment from their networks.

“Both companies have close ties to the Chinese Communist Party and China's military apparatus," FCC chairman Ajit Pai said in a press statement. "Both companies are broadly subject to Chinese law obligating them to cooperate with the country's intelligence services."

The FCC's move finalizes a decision by the agency last November barring the use of federal funds on equipment from companies deemed as posing a threat to US national security. At the time, the FCC had named Huawei and ZTE as companies that would be covered under the ban. Today's announcement formalizes that decision.

The FCC last November had also noted that it would require US carriers to remove already installed equipment from these two vendors from all USF-funded networks. Tuesday's FCC notice did not provide any new information on when that requirement would go into effect. But it did note that the agency would work with impacted telecommunications providers to figure out a schedule and a way to pay for ripping and replacing existing equipment.

The USF is an $8.3 billion-a-year fund that is used to ensure affordable access to telecommunication services — including 5G networks — in high-cost areas, for low-income populations, for rural-healthcare providers, and for schools and other entities. Many of those who use the fund are smaller, rural communications providers. The FCC ban means these companies, and others, can no longer use the funds to "purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by [Huawei and ZTE]," the FCC said.

Both Huawei and ZTE have consistently denied any close relationship with the Chinese government or intelligence agencies. They have claimed that the charges against them by the US government — and several other Western nations — are driven purely by economic and geopolitical rivalries with little basis in fact.

Persistent Concerns
However, the US government and intelligence agencies have equally consistently warned about the risks to national security from deploying next-gen 5G networks based on technologies from Chinese firms such as Huawei and ZTE.

The concerns have to do with what is widely perceived as the close — and often forced — relationship between Chinese businesses and the country's government and intelligence apparatus. Of particular concern are national statutes in China that require companies to report certain business-related activities to the government. Reports about companies such as Huawei receiving substantial subsidies from the Chinese government have also spurred questions about their ability to operate independently of government influence.

Many have noted China's extensive cyber-espionage activities over the past decade. They have contended that Beijing could force telecom equipment manufacturers such as Huawei and ZTE to plant backdoors and other traps in their technology to enable cyber espionage and surveillance on a truly global scale.

The fact that companies such as Huawei provide services for managing telecommunications equipment means they have authorized access to customer networks that could be exploited for malicious purposes, the FCC noted in explaining its decision. The FCC also pointed to reports from former Huawei employees about the company providing network services to an elite "cyber-warfare" unit within China's army.

The FCC also cited cybersecurity vulnerabilities in products from both vendors that it said posed a risk to companies that deployed the technology. Concerns over these vulnerabilities had prompted other countries to bar the use of the equipment, the FCC said.

"Modern communications networks are an integral component of the US economy, enabling the voice, data, and Internet connectivity that fuels all other critical industry sectors," the agency noted.

But these networks are vulnerable to various forms of surveillance and attack that can lead to denial of service as well as the loss of integrity and confidentiality of network services. As the United States upgrades to 5G technologies, "the risk that secret 'backdoors' in our communications networks will enable a hostile foreign power to engage in espionage, inject malware, or steal Americans' data becomes even greater," the FCC said.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/30/2020 | 10:51:02 PM
Made in America
I would consider communication to be a critical function for a country. I think with this in mind we should look to creating our own infrastructure because otherwise you run this risk. I'm typically a trade/import advocate due to the benefits but sometimes just to be safe its better to keep things internal.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...