Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/30/2020
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FCC Designates Huawei & ZTE as National Security Threats

Backdoors in 5G network equipment from these vendors could enable espionage and malicious activity, agency says.

The US Federal Communications Commission (FCC) Tuesday formally designated China's Huawei and ZTE Corp. as national security threats, citing their close relationship with the Chinese government.

The decision means that US carriers can no longer use money available under the FCC's Universal Service Fund (USF) to purchase 5G — or any other — equipment, services, or systems from either of the two Chinese equipment manufacturers or any of their subsidiaries and affiliates. The US Department of Defense and other government agencies previously announced decisions to discontinue use of technologies from Huawei and ZTE equipment from their networks.

“Both companies have close ties to the Chinese Communist Party and China's military apparatus," FCC chairman Ajit Pai said in a press statement. "Both companies are broadly subject to Chinese law obligating them to cooperate with the country's intelligence services."

The FCC's move finalizes a decision by the agency last November barring the use of federal funds on equipment from companies deemed as posing a threat to US national security. At the time, the FCC had named Huawei and ZTE as companies that would be covered under the ban. Today's announcement formalizes that decision.

The FCC last November had also noted that it would require US carriers to remove already installed equipment from these two vendors from all USF-funded networks. Tuesday's FCC notice did not provide any new information on when that requirement would go into effect. But it did note that the agency would work with impacted telecommunications providers to figure out a schedule and a way to pay for ripping and replacing existing equipment.

The USF is an $8.3 billion-a-year fund that is used to ensure affordable access to telecommunication services — including 5G networks — in high-cost areas, for low-income populations, for rural-healthcare providers, and for schools and other entities. Many of those who use the fund are smaller, rural communications providers. The FCC ban means these companies, and others, can no longer use the funds to "purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by [Huawei and ZTE]," the FCC said.

Both Huawei and ZTE have consistently denied any close relationship with the Chinese government or intelligence agencies. They have claimed that the charges against them by the US government — and several other Western nations — are driven purely by economic and geopolitical rivalries with little basis in fact.

Persistent Concerns
However, the US government and intelligence agencies have equally consistently warned about the risks to national security from deploying next-gen 5G networks based on technologies from Chinese firms such as Huawei and ZTE.

The concerns have to do with what is widely perceived as the close — and often forced — relationship between Chinese businesses and the country's government and intelligence apparatus. Of particular concern are national statutes in China that require companies to report certain business-related activities to the government. Reports about companies such as Huawei receiving substantial subsidies from the Chinese government have also spurred questions about their ability to operate independently of government influence.

Many have noted China's extensive cyber-espionage activities over the past decade. They have contended that Beijing could force telecom equipment manufacturers such as Huawei and ZTE to plant backdoors and other traps in their technology to enable cyber espionage and surveillance on a truly global scale.

The fact that companies such as Huawei provide services for managing telecommunications equipment means they have authorized access to customer networks that could be exploited for malicious purposes, the FCC noted in explaining its decision. The FCC also pointed to reports from former Huawei employees about the company providing network services to an elite "cyber-warfare" unit within China's army.

The FCC also cited cybersecurity vulnerabilities in products from both vendors that it said posed a risk to companies that deployed the technology. Concerns over these vulnerabilities had prompted other countries to bar the use of the equipment, the FCC said.

"Modern communications networks are an integral component of the US economy, enabling the voice, data, and Internet connectivity that fuels all other critical industry sectors," the agency noted.

But these networks are vulnerable to various forms of surveillance and attack that can lead to denial of service as well as the loss of integrity and confidentiality of network services. As the United States upgrades to 5G technologies, "the risk that secret 'backdoors' in our communications networks will enable a hostile foreign power to engage in espionage, inject malware, or steal Americans' data becomes even greater," the FCC said.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2020 | 10:51:02 PM
Made in America
I would consider communication to be a critical function for a country. I think with this in mind we should look to creating our own infrastructure because otherwise you run this risk. I'm typically a trade/import advocate due to the benefits but sometimes just to be safe its better to keep things internal.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...