Sprint and Softbank, the company planning to acquire the third-largest U.S. carrier, are committed to addressing national security concerns to make their merger a reality. The companies made it clear to Washington that they will no longer purchase or use equipment manufactured by Huawei, the Chinese telecom giant.
According to The New York Times, Sprint-Softbank's agreement with the U.S. government would allow national security officials to monitor changes to the company's system of routers, servers, and switches, among other equipment and processes. Softbank has offered $20 billion to acquire most of Sprint but needs U.S. government approval.
"I have met with Softbank and Sprint regarding this merger and was assured they would not integrate Huawei into the Sprint network and would take mitigation efforts to replace Huawei equipment in the Clearwire network," said Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee. "I expect them to make the same assurances before any approval of the deal in the CFIUS process."
CFIUS is the Committee on Foreign Investment in the United States, a federal government inter-agency panel that reviews the national security implications of foreign investment in the U.S.
Spying on U.S. Communications
What's the problem with Huawei? Last October, a House Intelligence Committee report warned that buying Huawei Technologies products poses a security risk to the nation. Huawei vehemently opposed the allegations, which include visa fraud and job bias. The report also called out ZTE, another Chinese telecom firm.
The overarching allegation is that China could use equipment these companies manufacture to spy on U.S. communications systems and threaten U.S. technology infrastructure. Some U.S. analysts are saying the report is steeped in protectionism, and neither China nor Huawei is taking the report lying down.
Although the House investigation concluded there are "credible reports" of Huawei's illegal behavior, there is no conclusive evidence that either Huawei or ZTE is installing telecom equipment with hidden code to transmit information back to China. But with the recent back-and-forth between the U.S. and Chinese governments over cyber-security, the issue remains at the fore.
Is the Threat Real?
Paul Henry, a security and forensic analyst at Lumension, told us not to be mistaken -- there is danger here.
"This isn't a case of the government being overly paranoid, though I might also argue that there is no such thing when it comes to cyber-security," Henry said. "It is very possible that back doors are being built into the hardware shipped by the Chinese."
As Henry sees it, the real danger here is that if Chinese companies, deliberately or not, are leaving easy back doors into their products, then malware could be executed at the firmware and peripheral level.
"What that boils down to is a piece of malware executed at a level below the operating system, where it is virtually undetectable by just about every cyber-security product on the market today," Henry said.
"There is some amount of doubt in the security community about whether this sort of attack is even practically possible, but I assure you, it is. It was demonstrated in two proof-of-concept rootkits, Red Pill and Blue Pill, by Joanna Rutkowska at Black Hat in 2006. There is a real danger here that everyone -- not just the government -- should be considering when purchasing IT equipment manufactured overseas."