Can Huawei enterprise shed its reputation as security time bomb?

Now that China's Huawei has secured U.S. distribution, it needs to earn the trust of enterprises. Can it shake the image of being a Chinese puppet?

Dogged by concerns about security, Huawei's enterprise business in North America faces an uphill battle against domestic competitors as the China-based manufacturer seeks to get a foothold in new markets.

But with the gaping security holes and shady surveillance deals of vendors like Cisco and HP, it is hard to discern how much riskier Huawei is than its domestic competition. The vendors' quality, however, is much easier for prospective U.S. customers to judge, and that could make it an even longer-term hurdle for the Chinese equipment maker’s North American ambitions.

Coming to America … through a Huawei backdoor?

In May, Huawei launched a campaign to penetrate the North American enterprise market. Long a favorite in its homeland and having courted cost-conscious telecom companies globally, the company's Interop announcement focused on securing North American distribution channel Synnex as well as highlighting the company's North America-based research and development organization.

Despite the announcements and its strong North American growth in the first quarter of 2012, concerns about Huawei security remain a major issue for prospective customers.

Huawei declined repeated interview requests for this article, citing its executives' busy post-July 4 vacation schedules as the reason for the lack of availability.

In report after report and speech after speech, U.S. government officials expressed concerns that China is, or will be, using Huawei's equipment to covertly intercept sensitive communications, endangering not only America's security, but also U.S. corporate competitiveness. Security concerns about Huawei seem to endlessly grab headlines.

"There's concern in Europe and North America about security of Chinese-designed networking equipment," said Alan Weckel, director at market research firm Dell'Oro Group. "Certain governments and certain enterprises just will never be allowed to buy Huawei in the foreseeable future, and that's both for networking and VoIP."

Earlier this year, the company was barred, over security concerns, from participating in Australia's largest-ever infrastructure project, a countrywide fiber optic rollout. Last year, the U.S. Department of Commerce barred Huawei from another national wireless network project. Even the company's proposed Olympic gift to outfit London's subway system with cellular connectivity drew intense scrutiny, and reports are conflicting on whether the bid was ultimately successful.

Huawei enterprise offerings: Master spies or model corporate citizens?

Will these national security scares be enough to dissuade enterprises from adopting Huawei?

"We wouldn't be any more concerned with a Huawei product than any other," Rebecca, a networking consultant who asked to be identified only by her first name, said in an email interview.

Her consultancy generally considers all products to be compromised until proven otherwise, and suspicions about Huawei do not particularly concern her.

While governments around the world have barred Huawei over security concerns, Rebecca argues that the company is actually a relatively model citizen.

"It's one of the leading companies in the field, with fewer corporate [scandals] and negative press than many others," she wrote.

To an extent, she's right. Leading North American brands have seen their own reputations tarnished by security and privacy scandals. For instance, HP has admitted to engaging in many of the practices Huawei's fiercest critics only fear: espionage, accessing sensitive records and fraud.

Cisco recently opened up a new backdoor in its line of consumer-grade Linksys routers, causing a customer backlash. Just four years ago, the FBI revealed that the U.S. military had installed counterfeit Cisco gear in its network, sparking concerns of embedded backdoors and kill switches.

Every vendor has ties to China

Huawei is an easy target. Allegations of secret backdoors and covert ties to China's Ministry of State Security (MSS) are a wonderfully untestable hypothesis: If security holes are discovered in Huawei products, that proves the Chinese are using them to gather intelligence; if they are not discovered, that simply means the MSS is doing its job successfully.

Increasingly, however, hardware -- regardless of the supplier -- is at least partially manufactured or assembled in China. A 2011 report by the U.S.-China Economic and Security Review Commission examined the security implications of Huawei's rise but ultimately concluded that the dangers of espionage went deeper than any one company. Instead, the commission found that fundamental economic shifts and control of the supply chains of all technology manufacturers are security concerns.

"Without being unduly alarmist, decision makers in both government and industry should nevertheless take an objective look at the potential security vulnerabilities posed by dependence upon Chinese corporations for electronics components and/or telecommunications services and work toward solutions that appropriately balance U.S. economic and national security interests," the report concluded.

Whether a U.S. enterprise or the NSA, the rule is the same: Trust no one

Enterprises should assume every vendor is a security risk, regardless of nationality or reputation, said Davi Ottenheimer, president of the security consultancy flyingpenguin LLC.

"It used to be common in the nineties to not trust any system at all," he said. "The future of communications is going to be around encrypting everything. The market should bear encryption."

Rebecca adopts this approach with her clients, and while she prefers not to use Huawei, she's comfortable using it if the client already has it deployed.

"As a very security-focused organization, we adopt a policy of assuming that all products are full of vulnerabilities by default until they've proven themselves," she wrote. "Any sensitive data is encrypted before it hits the network, and we use open source code wherever possible, basically assuming that all network traffic is eavesdropped anyway."

That healthy paranoia echoes W. C. Fields -- be free of all prejudices by distrusting everyone equally -- and it might be resurging, thanks in part to America's own intelligence community.

In 2010, the National Security Agency's (NSA's) Debora Plunkett kickstarted the conversation by bluntly stating that the agency assumes its networks are already compromised -- and acts accordingly.

The real potential Huawei enterprise deal breaker? Quality

All these concerns about the Huawei security threat, however, might pale for many enterprises when it comes to something more day-to-day: the quality and polish of the company's products. Network engineers have occasionally complained that some of the interfaces, for example, were clones -- and not particularly good ones -- of other vendors' products.

This cloning was at the heart of a 2004 lawsuit, when Cisco alleged that Huawei illegally copied Cisco's source code, command line interface (CLI) and other intellectual property into Huawei's switches and routers. The two companies ultimately settled, with Huawei agreeing to modify its products.

Some networking professionals simply think the company's products aren't quite polished enough.

"I wouldn't go so far as to call it a knockoff brand, but I consider Huawei to be low-end," Rebecca said. "It gets the job done in most cases, but the biggest problem for us is lack of [technical] documentation. Even simple things, such as a list of supported AT commands for their 3G modems."

Similar small failings regularly surface in user complaints about Huawei's CLI and other functionality, providing new examples of the company's lack of polish. These product shortcomings ultimately give Rebecca the impression that, to Huawei, the "customer doesn't matter."

To any company looking to grow market share in the hotly competitive North American networking space, that might be the biggest vulnerability of all.

This was last published in July 2012
