On 11 Nov 2021, US President Joe Biden banned the use of Chinese companies Huawei and ZTE within the US, stopping them from receiving approval for network equipment licenses in the US. This follows a long and convoluted debate over the threat posed by Chinese technology providers, with many suggesting the two companies represent a significant national security risk.  

The Secure Equipment Act was approved unanimously by the U.S. Senate on 28 Oct, and earlier in the month by the U.S. House on a 420-4 vote. This means that the US Federal Communications Commission (FCC) should no longer review applications related to the two companies, and effectively prohibits the use of Huawei and ZTE equipment in US telecoms networks. Other companies named in the act include Hytera, Hangzhou, and Dahua. The decision taken by the US has also been replicated with similar legislation and efforts worldwide; the UK, Australia, New Zealand, and recently Sweden, have also introduced restrictions over the use of Huawei equipment. 

The decision surrounding the use of Chinese firms in telecommunications and networking infrastructure, and likely reflects the increasingly frosty relationship between China and the United States. This blog will discuss whether this was the right decision and what impact the Secure Equipment Act will have going forwards.

Huawei and ZTE, a Meteoric rise

As highlighted by US founding father and polymath Benjamin Franklin, “it takes many good deeds to build a good reputation, and only one bad one to lose it”. In the case of Huawei, the rise to the top of the mobile telecommunications industry has been nothing short of remarkable. This has shadowed China’s own ambitions and achievements in becoming a technological superpower. Huawei now represents the world as a leader in providing telecommunications and network equipment technology, and also overtook Apple as the second most sold smartphone manufacturer in 2019. Their market share has however decreased significantly in 2021 as US sanctions have taken a hold on consumer confidence in the Huawei brand. 

Figure 1: Huawei have undertaken a remarkable growth in recent years
Figure 1: Huawei have undertaken a remarkable growth in recent years

ZTE, who are a telecommunications equipment manufacturer, have also gone through a similarly dramatic growth. The company recorded a 12.4% growth in H1 2021 when compared to the same period of the previous year, largely propelled by increased investment and deployment of next generation 5G mobile technology. While it is unclear what the ceiling for Huawei and ZTE’s development may be, they will undoubtedly continue to represent a significant player in the telecommunications technology space for the foreseeable future, regardless of whether sanctions are applied or not. 

Is the decision justified? 

The ban from President Biden—in addition to the multiple sanctions raised on Huawei and ZTE in previous years—has raised considerable debate. Do Huawei represent a significant security threat, or are the companies being used as a proxy for the ongoing battle between Washington and Beijing for technological hegemony? 

The US has previously claimed that restrictions on use of Huawei and ZTE were justified due to Beijing’s potential for influence over the technology providers. Huawei has faced allegations that its wireless networking equipment could contain backdoors enabling surveillance by the Chinese government, in addition to further allegations that it has engaged in corporate espionage to steal competitors’ intelligence property. Supporters of the company have long claimed that the claims hold no validity; however, recent reporting has identified a key piece of evidence underpinning U.S suspicions. 

A sophisticated intrusion onto a telecommunications network in Australia was detected by Australian intelligence officials in 2012. This reportedly began with a legitimate software update from Huawei that was loaded with malicious code. We don’t need to spell out the risks associated with supply chains; there’s been plenty of supply chain attacks that have taken place in 2021, just check out our blog from August. This breach and subsequent sharing of intelligence between Australia and U.S has reportedly shaped policy decision making regarding Huawei since, with the incident substantiating suspicions in both countries that China used Huawei equipment as a conduit for espionage. 

The Chinese state maintains a stranglehold over private industry in China. This comes largely as a result of the influence of the People’s Republic of China (PRC) President Xi Jinping, who since taking office as the General Secretary of the Chinese Communist Party (CCP) in 2012, has made his distrust of the private sector abundantly clear. Several reforms have demonstrated the expanding influence of the CCP over private companies, but no better than the National Intelligence Law of the PRC which was enacted in 2017; this law states, “any organization and citizen shall support and cooperate in national intelligence work.” Party officials now sit on the boards of Chinese companies, and while not likely to play a direct role in managing day to day operations, it is becoming increasingly difficult to distinguish between what is private and what is a state-owned company. Ultimately, the state represents the highest authority in China, and no Chinese company is fully independent from the government. 

If the breach did occur as was briefed by Australian officials, then there is likely one of two scenarios. Huawei were actively complicit in allowing Chinese actors to access their update mechanisms, or otherwise were themselves compromised, with China able to infiltrate the ranks of Huawei’s technicians, who maintained the equipment and distribute the update to Huawei’s customers. Given China’s sophistication, ability, and willingness to conduct cyber espionage, both of these scenarios are plausible. 

What happens now?

The decision-making process regarding the ban of Huawei and ZTE was likely conducted through a combination of security risk and as part of the ongoing jostling for position regarding telecommunications technology; if the reports from the Australian intelligence are correct however, then the US appear to be fully justified in restricting the use of Huawei equipment. 5G represents the next generation of wireless networks and is ultimately a market that will be worth hundreds of billions of dollars. Huawei and ZTE have positioned themselves as one of the world leaders in providing such technology for emerging networks —with some estimates suggesting that they own more than half of all global 5G buildout—and the Secure Equipment Act likely represents the latest efforts to buck that trend.

The reaction from the business will likely be highly dependent on several factors, including their geography, the sector in which they operate, and ultimately whether they currently use Huawei and ZTE equipment. Ultimately, US-based telecommunications companies will no longer be able to purchase Huawei or ZTE equipment to use in their networks, and the bill also reinforces the mandate for service providers to replace existing equipment from banned companies, The US congress has approved a replacement fund for companies affected by this mandate, rather affectionately named the “Huawei rip and replace fund”.  

One part of Huawei that the bill hasn’t banned is Honor, which is a separate Huawei based smartphone sub-brand that serves as a separate company. It is likely that Honor will fill much of the void left behind by Huawei, at least in the smartphone market. Whether a separate brand will emerge to take the mantle in networking equipment is unclear; however, it’s clear that Chinese companies, whether private or state owned, will continue to play an important role in the global technological supply chain. 

The Photon Research Team does a tremendous job covering a variety of cyber threats, including the impact of policy implications, wider geopolitical developments, and how they can potentially herald a shift in the cyber threat landscape. Check out some of our work here, or let us walk you through a demo with a 7-day test drive of Search Light (now ReliaQuest GreyMatter Digital Risk Protection).