Though much water has flowed under the bridge since then, it is clear that the standards of proof have not changed in Washington. One can gauge this easily by looking at the document put out by the Federal Communications Commission to announce a ban on Chinese telecommunications equipment vendor Huawei Technologies being paid from the Universal Service Fund, a system of telecommunications subsidies and fees used for communications equipment.
Much of the FCC's argument is based on a so-called study produced by a company named Finite State — which was unknown at the time the study was released in June 2019 — which claimed that Huawei gear had "hundreds of vulnerabilities identified in [the] firmware, including the presence of backdoors that potentially could be used to allow an attacker with knowledge of the firmware to log into the device".
The FCC added that, "Finite State found that '[i]n virtually all categories', Huawei devices were 'less secure than comparable devices from other vendors'. Nevertheless, according to Finite State, 'Huawei has repeatedly failed to address these vulnerabilities when making firmware updates'." The other firms referred to were Juniper and Arista. Not, as one would think, Ericsson and Nokia, the two other main rivals to Huawei in 5G.
Later, when the study did emerge, I made contact with the company and asked for an interview to clarify some doubts. Initially, Finite State scheduled a call with chief executive Matt Wyckhouse, then changed the date and time, and finally ducked the call altogether.
Finite State listed 142 devices — routers, switches, UPS units and the like — the firmware of which it said it had analysed in a matter of hours using its proprietary platform. Many of the devices listed were different versions of the same model. The report was titled "Finite State Supply Chain Assessment: Huawei Technologies Co Ltd." It referred to the Finite State 9-dimensional Risk Matrix as being the standard against which its study was done, but there was no sign of what this matrix is on its website.
Some of the issues found by Finite State were the presence of default usernames and passwords — a common issue with many products — configurations that allowed root access for SSH, pre-computed hard-coded authorised-keys allowing the private key holder access, and hard-coded SSH keys which could allow man-in-the-middle traffic interception.
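The four classes of finding listed above can be checked for in any unpacked firmware image, whatever the vendor. The sketch below is an added example, not Finite State's platform or anything taken from its report; the function names, category labels and the sample tree are constructed for illustration.

```python
import os, pathlib, re, tempfile

PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
ROOT_LOGIN = re.compile(r"^\s*PermitRootLogin\s+yes\b", re.I | re.M)

def audit_rootfs(root):
    """Return sorted (category, relative_path) findings for an unpacked firmware tree."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(1 << 20)  # cap the read; configs and keys are small
            except OSError:
                continue  # dangling symlinks and device nodes are common in firmware trees
            if name == "sshd_config" and ROOT_LOGIN.search(text):
                findings.append(("root-ssh-login", rel))
            # Any non-comment line means a key was shipped with the image.
            if name == "authorized_keys" and re.search(r"^\s*[^#\s]", text, re.M):
                findings.append(("baked-in-authorized-key", rel))
            if PRIVATE_KEY.search(text):
                findings.append(("hard-coded-private-key", rel))
            if name in ("passwd", "shadow"):
                for line in text.splitlines():
                    f = line.split(":")
                    # A usable hash is non-empty, not "x" (shadowed) and not locked (! or *).
                    if len(f) > 1 and f[1] not in ("", "x") and f[1][0] not in "!*":
                        findings.append(("default-credential:" + f[0], rel))
    return sorted(findings)

# Constructed sample tree; every file name and value below is made up for the demo.
SAMPLE = {
    "etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n",
    "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
    "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed vendor@build\n",
    "etc/shadow": "root:$1$salt$constructedhash:0:0:::\ndaemon:*:0:0:::\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return audit_rootfs(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit in any category only says the artefact is present in the image; whether it is reachable on a deployed device still has to be confirmed against the running configuration.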
Finite State referred to the fact that Huawei, when found to have similar issues by the UK, had pledged to spend US$2 billion to improve the security of its products and said that "despite these investments our research uncovered a substantial lack of secure development practices resulting in significant number of vulnerabilities". It did not mention that the pledge was only made in March, three months prior to that report being put out.
In another part of the report, Finite State contradicted its own conclusions by stating: "Recently, Huawei pledged to invest 2 billion dollars to develop a comprehensive solution to improving the cyber security of their products. With commitments like that, it is reasonable to expect to see the cyber security risk of their products decreasing over time."
The FCC's conclusion about the Finite State report was: "We find that the Finite State Report substantiates the Commission's concerns regarding the weak security culture at Huawei. We disagree with Huawei's criticisms of the report, but even if the report is flawed in some respects, Huawei cannot deny that, now, multiple organisations have independently found similar, substantial security vulnerabilities in their products."
Apparently, all one has to do to get the FCC to ban company A or B is to feed some disinformation to the media — and the American media gets a hard-on when it hears of indictments, forgetting that these are lists of allegations that have to be proven in court — and they go to town on it.
The fact that very recently, The New York Times was able to claim that Russians were offering to pay the Afghan Taliban to kill American soldiers — when the Taliban hate the Americans with a vengeance and would willingly kill them given the slightest chance — and every major media outlet, apart from a few individuals, swallowed this fabricated yarn, is but the latest proof of this method of giving a dog a bad name and hanging it.
One of the biggest ironies for me is that the US is willing to believe that Huawei, a private company, will bow and scrape to Beijing's dictates – and neither Nokia nor Ericsson will do so. These two companies operate in China as partners of Chinese state-owned units: Nokia Shanghai Bell is a joint venture with the state-owned China Huaxin Post & Telecommunication, and works on 5G, while Ericsson Panda includes as shareholders the state-owned Assets Supervision and Administration Committee.
Every sin of which the FCC finds Huawei guilty — for example, that despite its location outside China, given the pervasive threat of the Chinese government and military apparatus, Huawei’s US subsidiary may be coerced to act as an extension of the intelligence-gathering arm of the Chinese state — could be equally said of American companies like Microsoft, Google, Amazon and Cisco.
In fact, the leaks by Edward Snowden have shown the extent to which these companies have been manipulated by the NSA, much in the same way as the FCC claims Huawei will be manipulated.
But hey, when did that ever matter? When a country is batty enough to call car imports a national security threat, anything can be a threat. This, by the way, was mentioned by no less a personage than German Chancellor Angela Merkel.
"...apparently the American secretary of trade says German cars are a threat to America's national security", Frau Merkel told a security conference in Munich in February 2019.
"We're proud of our automotive industry and I think we can be. We are proud of our cars. They are built in the US. South Carolina is one of the largest... it's actually the largest BMW plant not in Bavaria.
"South Carolina is supplying China. So when these cars, because they are built in South Carolina, are not becoming less threatening, rather than the ones that are built in Bavaria [that] are supposed to be a threat to the national security of the US, it's a bit of a shock to us."