Last fall, the House Intelligence Committee issued a scathing report on two companies looking to invest in the United States. Huawei and ZTE, both Chinese telecommunications firms, wanted entry. But committee chairman Rep. Mike Rogers (R-Mich.) was suspicious. He, along with the rest of his colleagues on the panel, worried that the companies’ networking equipment could be installed in U.S. facilities to enable foreign spying.
That type of exploit, known as a supply-chain attack, is the subject of a new Government Accountability Office report out this week. And what it finds is that while the risk is there, it may not be quite as large as we’ve been led to believe:
Officials from the companies and industry groups that we spoke with said that they consider the level of risk to be affected not by where equipment and components are made, but how they are made, particularly the security procedures implemented by manufacturers. Many of these officials also said they were not aware of any intentional attacks originating in the supply chain, and some said that they consider the risk of this type of attack to be low. Officials from four industry groups and one research institution we spoke with told us that supply chain attacks are harder to carry out and require more resources than other modes of attacks such as malicious software uploaded to equipment through the Internet, and, therefore, are the less likely vehicle to be used by potential attackers.
It’s rare to see equipment that contains built-in backdoors, said network operators. Instead, most vulnerabilities are generally the result of unintentional software bugs—accidents.
Among those GAO interviewed were representatives from major telcos like AT&T and Verizon, as well as trade groups such as CTIA—The Wireless Association. Also included were U.S. and international equipment-makers Cisco, Intel and, yes, Huawei and ZTE. It’s still possible these officials have underestimated or downplayed the threat. But even as GAO was gathering information from the companies, it was also analyzing proposals to further insulate U.S. networks from external intrusions.
One idea on the table is to grant broader authority to the federal committee charged with approving international mergers. The Committee on Foreign Investment in the United States, or CFIUS, made headlines last year when it suggested President Obama should block a Chinese-owned company’s attempt to buy up a handful of Oregon wind farms.
Under the proposed expansion, CFIUS would have the ability to examine businesses’ procurement deals in addition to investment decisions. The House Intelligence Committee said in its October report on Huawei that any bills to that effect should be given a chance in Congress.