
Suspicions about the integrity of Huawei products among US government officials can be attributed in part to a 2012 incident involving a Huawei software update that compromised the network of a major Australian telecom company with malicious code, according to a report published by Bloomberg. The report, based on interviews with seven former officials, some identified and some not, says that Optus, a division of Singapore Telecommunications Ltd., had its systems compromised through a malicious update in 2012 – a claim the company disputes.

"The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, [the sources] said," Bloomberg's report explains. After several days, the snooping code reportedly deleted itself, but Australia's intelligence services decided China's intelligence services were responsible, "having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom’s systems."

Australian intelligence is said to have shared details about the incident with American intelligence agencies, which subsequently identified a similar attack from China using Huawei hardware in the US. The report seeks to provide an evidentiary basis for efforts by the US and other governments to shun Huawei hardware amid global 5G network upgrades and to give that business to non-Chinese firms.

Notably absent is any claim that Huawei leadership knew of this supposed effort to subvert Optus' network. "Bloomberg didn’t find evidence that Huawei’s senior leadership was involved with or aware of the attack," the report says. In short, the claim is that China's intelligence agencies compromised an Australian network by placing agents within Huawei, an ongoing risk for any number of prominent global technology firms. China has denied "Australia's slander."
It's perhaps worth noting that The Register is unaware of any nation owning up to recent intelligence activities. Even Russian President Vladimir Putin, faced with compelling evidence unearthed by investigative news service Bellingcat of the FSB's attempt to poison political opposition leader Alexey Navalny, denied that Russian agents had anything to do with Navalny's near-fatal poisoning. But the statement from China's Ministry of Foreign Affairs is unusual in that it suggests mutual guilt more than wounded innocence: "Australia’s slander on China carrying out cyberattacks and espionage penetration is purely a move like a thief crying to catch a thief."

Even so, Huawei's guilt or innocence as it applies to helping China spy is largely irrelevant. As far as the US is concerned, Huawei can't be trusted because the Chinese government could, in theory, make demands the company could not refuse. The feds are worried about precrime, to use the terminology of Philip K. Dick's Minority Report, a story about a police unit that apprehends people predicted to commit crimes.

The US Federal Communications Commission recently used future concerns, alongside past behavior and secret accusations, to ban another Chinese firm from operating in the US. In October, the FCC announced that China Telecom Americas could no longer do business in America. The agency said it based its decision partly on classified evidence provided by national security agencies. But it also said "the totality of the extensive unclassified record alone" was sufficient to justify its decision. The agency concluded that China Telecom Americas could potentially be forced to comply with Chinese government requests and that company officials have demonstrated a lack of candor and trustworthiness to US officials.

And trust is key. The changeable nature of software and the possibility of concealed hardware functions make it inherently risky to accept IT systems from untrusted sources.
The risk can be mitigated through source code inspection, auditing, and other precautions, but not completely.