• NCSC writes to telcos to warn of national security threat from ZTE products
• US government bans its companies from exporting goods to ZTE
• FCC votes today to limit funding for companies that pose a security threat
• Meanwhile, Huawei obtains European CE-TEC verification

First Huawei, now ZTE; the US authorities are getting tough on what they perceive to be cyber security threats from the two major China-based telecoms vendors. This time though, the UK has also chimed in with its own security fears around ZTE.

The UK’s National Cyber Security Centre (NCSC) is alarmed by the threat to national security posed by having ZTE equipment installed in the country’s telecoms networks. The Financial Times newspaper has apparently seen a letter sent by Ian Levy, technical director of the NCSC, addressed to the UK telcos, regulator Ofcom and to ZTE itself. Its message was alarming stark.

“The use of ZTE equipment or services within existing telecommunications infrastructure would present risk to UK national security that could not be mitigated effectively or practicably,” wrote Levy. Linking in the wider perceived China threat, he added: “The UK telecommunications network already contains a significant amount of equipment supplied by Huawei, also a Chinese equipment manufacturer. Adding in new equipment and services from another Chinese supplier would render our existing mitigations ineffective.”

The letter from NCSC also apparently referred to the settlement reached earlier this year between ZTE and US officials, when the Chinese vendor pleaded guilty to criminal charges of violating US sanctions on North Korea and Iran, and paid the US Treasury a $1.19 billion fine.

The NCSC posted a brief statement from Dr Levy on its website, and whilst falling short of an official blacklisting of ZTE, the message was clear: “NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated.”

No sooner had Dr Levy sounded the alarm over ZTE in the UK, than the US unexpectedly hit the company with a trade ban. The US Commerce Department barred US companies from exporting goods to ZTE for a period of seven years, claiming it had violated the earlier above mentioned settlement concerning illegal shipments to Iran and North Korea.

The settlement had included a promise by ZTE management to implement a new compliance programme and to punish those employees involved. Apparently that has not happened, at least to the satisfaction of the US government, and so the suspended seven year ban is now back in place.

“ZTE misled the Department of Commerce,” said Commerce Secretary Wilbur Ross said in a written statement. “Instead of reprimanding ZTE staff and senior management, ZTE rewarded them. This egregious behaviour cannot be ignored.”

OEM suppliers to ZTE, such as Qualcomm, Microsoft and Intel, will be affected by the trade ban. Whether ZTE can restructure its supply chain and work without any US-sourced components is debateable. 

Last month, FCC chairman Ajit Pai issued a statement on the national security threats to US networks and their supply chains. He is hoping to pass a proposal that would bar the use of money from the FCC’s $8.5 billion Universal Service Fund to purchase equipment or services from companies that pose a national security threat. A vote is scheduled for today.

“Hidden ‘back doors’ to our networks in routers, switches – and virtually any other type of telecommunications equipment – can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more,” said Pai. “Although the FCC alone can’t safeguard the integrity of our communications supply chain, we must and will play our part in a government- and industry-wide effort to protect the security of our networks.”

The UK Government warned of Huawei’s potential security risks back in June 2013, in a reportfrom the Intelligence and Security Committee. It was concerned that the use of Huawei equipment by BT Openreach in its broadband rollout would have “implications for national security”. The Government’ GCHQ security facility set up a dedicated Cyber Security Evaluation Centre, known colloquially as the Cell, working alongside Huawei to examine their equipment and source code. It warned that the “risk of unauthorised access cannot be entirely eliminated”.

As an aside, the mastermind of BT’s ground-breaking 21^stCentury Network (21CN) programme in the early 2000s was CTO Matt Bross. A significant portion of equipment for 21CN was procured from Huawei, which was then pretty much an unknown quantity having been founded only 15 years before. After leaving BT, Matt went and joined… Huawei. He is currently CEO of IPX Advisors, which provides “strategic advisory and operational development services to Chinese companies seeking to expand into western markets and US-based companies who want to develop a business platform in the China market”. Good luck with that, Matt.

Around a year earlier, in October 2012, the US House Permanent Select Committee on Intelligence (HPSCI) published an equally damning report. It concluded that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests”. It recommended that “US network providers and systems developers are strongly encouraged to seek other vendors for their projects.”

Earlier this year, the US stepped up pressure on its telcos concerning Huawei smartphones. AT&T pulled out of a deal with Huawei in January to sell the Mate 10 Pro after allegedly receiving pressure from the government, followed by similar action from Verizon. Neither telco has officially commented on the reasons.

US Representative Mike Conaway then introduced a bill that aims to ban US government agencies from using phones and equipment from Huawei and ZTE as use of this equipment, he said, “would be inviting Chinese surveillance into all aspects of our lives” With impeccable timing, the heads of six US intelligence agencies then warned a Senate Intelligence Committee hearing that citizens should not use devices and services from Huawei and ZTE. It was reported that FBI Director Chris Wray said that the equipment “provides the capacity to conduct undetected espionage.”

It’s not all bad news for the Chinese vendors (!). Huawei announced today that it has obtained the world's first CE-TEC verification for its 5G C-band Massive MIMO AAU products, undertaken by the TÜV SÜD European certification authority in Munich. This means that they strictly adhere to European CE standards, meeting the EU's requirements in terms of RF, EMC, safety, EMF and RoHS.

Huawei says the certification means that its 5G products “are now qualified to be sold and applied in the European market”. However, the verification process doesn’t test for suspicious code or evidence of third-party data intercept, which currently looks like being a far greater obstacle to Chinese vendors hoping to sell their solutions to telcos.