This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

China Security Concerns Coming Home to Roost

China's technology giant Huawei is dropped from a US and an Australian deal.

A US company and an Australian telecommunications project have backed away from working with China's Huawei over concerns about security. The company's history and ties to China's military invite suspicion.

Can you trust your business partners and suppliers? That question is at the root of recent news that China's giant network equipment manufacturer Huawei is being cut out of business on two continents.

Huawei has been barred from bidding on Australia's National Broadband Network project, worth in the neighborhood of $36 billion. And US security and anti-virus company Symantec has dissolved its alliance with Huawei, selling its share in a joint venture back to the Chinese company. The reasons for both moves are similar, according to press reports: the counterparties simply do not trust Huawei, or by extension the Chinese government and military, not to spy and steal corporate and government secrets.

We have written about the "Advanced Persistent Threat" attacks against US and other military, industrial, and intellectual property interests. These attacks are widely assumed to originate in official Chinese circles, although the government there has always angrily denied any involvement (hiding behind the technical difficulties that make ironclad attribution difficult or impossible). The widespread suspicion of China's motives and actions is now, arguably, coming home to roost on the ground of international industrial partnerships. More such news is likely to follow, expanding beyond one company and one industry. (For example, watch developments in this case from the wind energy vertical.)

Symantec's partnership with Huawei goes back almost four years. The two companies were jointly developing computer network security products. Though Symantec does not say so on the record, reports indicate that the company began to get significantly more nervous about its Chinese partner as the national conversation about cybersecurity ramped up. The Obama administration and Congress are working towards consensus on best practices for securing US interests on connected networks.

Why to worry
Many of the proposals being discussed involve data sharing on sensitive security topics between government and private industry. Symantec worried that its involvement with Huawei would cut the company off from critical flows of security information -- because the government, and indeed other industry players, would worry about the Chinese siphoning off secret information.

Huawei is no stranger to such suspicions. The company was started and is run by Ren Zhengfei, a former officer in the People's Liberation Army. It was accused by Cisco of stealing technology in 2004, and sued by Motorola on similar grounds in 2010. Huawei's attempt to buy US supplier 3Com foundered in 2008 over security concerns, and in 2010 it lost out on a bid to supply equipment to Sprint Nextel when Congressmen raised questions of security. And on the Australian front, Chinese intelligence agents were accused of hacking into the computers of the Australian Prime Minister and Foreign Minister.

Why is everyone so worried about relying on this particular company's technology in communications networks? They are not sure they can trust that the technology is free of backdoors and Trojan horses. To get an idea of the thinking behind the concerns, please read Unix co-inventor Ken Thompson's 28-year-old ACM Turing Award paper, Reflections on Trusting Trust. Thompson goes through the exercise of hiding a Trojan in a compiler in such a way that it cannot be detected by any amount of inspection of the source code. He notes that deliberate backdoors lower down in the stack, in firmware or hardware, would be even harder to detect.

Ken Thompson sums up the take-away lesson this way: "You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)" It is safe to assume that Huawei employs more than a few people like Ken.