China - South Africa
Part One: Are South Africans safe with Huawei? It’s all about the risk
Millions of South Africans depend on Huawei to stay connected through its mobile network equipment, like base stations and fibre optic cables. But the United States insists the company will spy for the Chinese government. On 28 February 2020, the US – itself notorious for conducting electronic espionage on a global scale – passed the so-called ‘rip and replace’ bill, which provides for a fund to replace Huawei equipment in American networks. Meanwhile, President Cyril Ramaphosa firmly backs the Chinese giant. Should ordinary South Africans trust them? In this two-part analysis, Daily Maverick finds out.
Meet Li Jingguo*.
He’s a Huawei engineer who worked on rolling out mobile networks across South-East Asia, as well as a variety of Huawei projects throughout Europe and Britain. He also served as a representative for China’s Ministry of State Security within Huawei – China’s lead ministry in espionage and counter-intelligence.
In several projects, in and outside China, Li’s task was building lawful interception capabilities into Huawei equipment. (Such capabilities refer to the technology a government legally uses to monitor communications – voice, emails, texts et cetera – in order to investigate crime. South Africa’s Telkom, Vodacom, MTN and Cell C, being legally obliged, have such capabilities.)
Li’s curriculum vitae was one of 590-million resumés “leaked” online from Chinese HR companies’ databases in 2018. Fulbright University Vietnam analysed three Huawei employees’ CVs and found that Li’s work at Huawei “matches the type of technical requirements” for intercepting “transiting information even with various safeguards” (such as encryption).
Li’s ties with China’s Ministry of State Security is the sort of relationship that makes America nervous. In December 2018, the US Justice Department laid charges against two Chinese men “who acted in association with”, the ministry and “conducted global campaigns of computer intrusions targeting … intellectual property” for over a decade. US government agencies and over 45 private companies were also allegedly targeted.
Six months later, Reuters detailed the two men’s alleged activities in an explosive report based on a trove of documentary evidence and interviews with more than 30 government and private sector employees involved in the investigations. Reuters reported that “teams of hackers connected to the Chinese Ministry of State Security”, were involved in hacking the systems of major companies (like Hewlett Packard Enterprise, IBM, Dimension Data, Fujitsu and Ericsson), with the aim of stealing trade secrets and intellectual property.
Li’s case is not unique. In 2012, China’s military, the People’s Liberation Army (PLA) employed Yang Guozhi* as a researcher at the National University of Defense and Technology in China. In 2011, he had started work as an engineer for Huawei. The CV indicates that he held these positions simultaneously and his university research closely matched his work at Huawei. But it also falls under the umbrella of the PLA’s Strategic Support Force (SSF) – the body said to be responsible for China’s cyber warfare capabilities.
Again, this does not sit well with the US. In 2013, Mandiant, a cybersecurity consulting firm, released a report detailing what it believed to be the hacking activities of the PLA’s Unit 61398 (located in Shanghai, China). Mandiant believed the unit to consist of “hundreds, and perhaps thousands” of personnel, based on the size of their office building. In 2014, the US Justice Department charged five Chinese – allegedly former officers of Unit 61398 – with computer hacking and economic espionage against six American organisations in the nuclear, metals and solar products industries.
On 10 February 2020, the US Federal Bureau of Investigation (FBI) announced charges against four PLA members accused of hacking the computers of the US credit reporting agency, Equifax. The men are believed to have stolen about 145-million (i.e half of all), Americans’ personal details, names, birth dates, social security numbers, as well as “credit card numbers and other personally identifiable information”, of about 200,000 Americans. The FBI said it was “the largest known theft of personally identifiable information ever carried out by state-sponsored actors”.
The Chinese government has consistently denied supporting hacking activities.
The Fulbright CV study concluded that: “there is strong evidence that Huawei personnel act at the direction of Chinese state intelligence, and that there exists a deep and lasting relationship between Huawei, its employees, and the Chinese state.
“This should raise questions within Western governments worried about Chinese access to domestic information.”
Still, none of this remotely constitutes proof that Huawei actually conducts espionage.
Despite that, in 2017, the US passed a law prohibiting US government institutions from using Huawei equipment. In May 2019, the US government banned American companies from selling product parts to Huawei without government consent. Since then, the US has repeatedly extended a temporary general licence allowing its companies’ sales to Huawei. Regardless, due to the ban, the collective loss of some US firms was reported at $435-million for the second quarter of 2019. Meanwhile, Huawei continued to flourish. By the third quarter of 2019, it was still the world’s largest telecoms equipment provider with a global revenue of $86-billion – a 24.4% increase over the 2018 third-quarter figures.
The lack of proof of spying has been central to Huawei’s objections against the US’s sanctions. But for US security and intelligence agencies, it’s not about profit or proof. In fact, history has shown that neither of the two countries need proof to restrict the use of the other’s telecoms equipment on national security grounds.
In 2018, the US Senate held a special hearing on Chinese cyber espionage. Christopher Krebs, director of the US’s Cybersecurity and Infrastructure Security Agency (Cisa) explained to US lawmakers that prevention – not proof – was paramount:
“We don’t have to wait for attribution to a specific actor in order to issue guidance, alerts, and warnings. Why? Because our job is to give network defenders every possible advantage at the greatest speed possible. For us, the possibility of a threat combined with vulnerability is enough to act.”
Krebs’ statement shows that the US is not viewing cyber espionage from a criminal investigation perspective. Rather, Krebs explained, it is an issue of supply chain risk management.
Roughly put, a supply chain includes all the companies that supply a business (or a government), with what it needs to provide a product or service. If any link in the chain fails, services or production lines are interrupted. A supplier can fail to deliver, or render a faulty product. Supply chain risk management aims to prevent such failure.
Risk management is deemed crucial to data networks; governments consider them to be critical infrastructure because if damaged or destroyed, it could have catastrophic consequences for the public. Other critical infrastructure includes water supplies, electricity grids and roads, and the functioning of these often rely heavily on data networks.
From a national security perspective, critical infrastructure is a target for your adversary. History has shown repeatedly that cutting telegraph lines, blowing up railway bridges, attacking harbours or taking over post offices and telephone exchanges are long-standing tactics during conflict, be it wars, rebellions or coups.
And, despite depending on each other for trade, the US and China are also adversaries with conflicting interests. China has made clear its intention to end the US’s economic and military world dominance, and its national policies are explicitly geared towards this. Already in 1997, China and Russia signed the “Joint Declaration on a Multipolar World and the Establishment of a New International Order”.
While this will ideally happen peacefully, both countries also foresee the possibility of war. The importance of military clout is already seen in territorial disputes in the Western Pacific. For instance, in the South China Sea, China has been increasing its military presence. For the US, maintaining free movement through this waterway for commercial and military maritime traffic is crucial to curtail Chinese dominance and protect US interests in the region. In a global stand-off, one scenario envisioned by US military strategists is China attacking critical infrastructure on American soil – including data networks.
Given this adversarial relationship, China has adopted a risk management approach similar to the US’s: instituting protectionist measures for its telecoms networks and information systems without proof of a specific foreign company spying.
Already in the 1980s, China’s policy was that foreign firms could not own or control China’s telecommunications companies. China’s major mobile operators, like China Telcom, China Mobile and China Unicom, are state-owned.
Ren Zhengfei, the man who founded Huawei in 1987 with just $5,600, was a strong advocate for national security. In the 1980s, China allowed foreign companies to build its communications networks, hoping to adopt foreign technology and then develop its own. Eight companies from Europe, the US and Japan came to dominate the Chinese market.
Ren, who served in the PLA’s engineering corps for nine years before starting Huawei, saw the danger of such foreign domination for China. According to Ren, he met China’s then Communist Party Secretary-General Jiang Zemin in 1994 and advised him that “switching equipment technology was related to national security, and that a nation that did not have its own switching equipment was like one that lacked its own military”.
Ren said that Zemin agreed. Some scholars believe this was a turning point for Huawei, and that the government started favouring homegrown technology for national security reasons. Indeed, from 1996 onward, China stopped preferential treatment for foreign companies, giving domestics like Huawei and ZTE tax breaks and first dibs on government contracts.
China’s protectionism later expanded. In 2014, the country announced it would increase network security. The year before, Edward Snowden, a computer programmer for the US Central Intelligence Agency (CIA), leaked classified documents detailing how the US National Security Agency (NSA) ran multiple international surveillance operations with the aid of allied countries. Huawei was reportedly hacked – apparently because the US wanted to find out if the company was connected to the PLA, and because it wanted to use Huawei networks to spy on other countries. It’s not publicly known if they succeeded.
So in June 2013, the China Economic Weekly, a government publication, ran an article about the risk of American espionage. Eight American companies were featured: Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle and Microsoft. Dubbed the “Eight Guardian Warriors”, they had reportedly widely “penetrated” China’s government and business data systems.
(The “Guardian Warriors” label is a reference to the invasion of China by eight nations (including the US), during the early 1900s. The alliance crushed a Chinese uprising against Western imperialism.)
Reacting to Snowden’s leaks, China’s State Internet Information Office announced in 2014 that major IT products and services affecting national security would be subject to cybersecurity vetting. The office said China’s government, business and academic institutions, as well as its telecom firms, had “suffered extensive invasion and wiretapping”.
In 2015, China removed various US companies, including Cisco Systems and Apple, from its government procurement lists. In 2017, the Cyberspace Administration of China introduced its “Measures for the Security Review of Network Products and Services”.
But the US has also suffered extensive invasions of its cyberspace by China. In 2015, Presidents Xi Jinping and Barack Obama agreed the countries would stop state-supported hacking to steal government and trade secrets.
It wasn’t enough. Subsequently, the US Justice Department established the China Initiative in 2018 to fight Chinese cyber espionage. The department said that from 2011 to 2018, over 90% of cases involving economic espionage by or to the benefit of a state involved China. Billions of dollars are at stake: once a patent is stolen, potential US revenue and job numbers are lost or reduced.
Currently, the FBI says it is running close to a thousand investigations into China’s attempts to steal US technology.
In one of the latest developments, the justice department has brought charges against Huawei and two of its American subsidiaries, saying it conspired to steal US trade secrets.
With the two countries thus at odds, any manufacturer of mobile network equipment connected to China raises a red flag for the US, including American companies with subsidiaries in China. So why the clampdown on Huawei?
Because to the US, all companies aren’t equally risky. In 2018, supply chain risk management analysts Interos Solutions issued a special report to the US-China Economic and Security Review Commission. (The Commission was established in 2000 to monitor and investigate national security issues related to US-China trade.) The report dealt with the risks China poses to the US’s federal government data networks.
It shows that the US is still in the early stages of developing a co-ordinated approach to supply chain risk management, but in the meantime, it works like this (roughly speaking): The degree to which the Chinese government can potentially control or influence the company’s actions determines the risk it poses to US national security. Thus, a company headquartered in China and owned by the Chinese government (or Chinese nationals, in Huawei’s case), is viewed with more suspicion than an American company based in China. By this reasoning, the first prize for the US is an American company in America staffed entirely by Americans.
This is presumably why the US tolerates Apple products, despite China being a major location for iPhone assembly. American multinationals HP, IBM, Dell, Cisco, Unisys, Microsoft and Intel all supply US government information systems. But the Interos report shows that between 2012 and 2017, on average, 51% of the parts used in these companies’ products were sourced from China.
Dell, for instance, got batteries from Lishen Power Battery Systems. Lishen is ultimately owned by the state-owned China Electronics Technology Corporation (CETC). CETC consists of various former military research units that now operate military and commercial tech enterprises.
But for the US, Huawei ticks too many of the wrong boxes. It’s a Chinese company in China with Chinese staff, striving to become completely independent from other countries for any supplies – hardware and software included. And although it’s not government-owned, America worries that the Chinese state can influence Huawei to spy for it.
Such espionage could be carried out in two ways: Force Huawei employees in other countries to smuggle information back to China, or use Huawei’s telecoms equipment and software to access, and even control mobile networks.
Some of the reasons why the US doesn’t trust Huawei are speculative. Others, however, are based on carefully documented evidence.
Although Huawei is a private company, collectively owned by its shareholding employees, the US argues that actual control could lie with a few powerful people loyal to the Chinese state. Adding to suspicions, the ruling Communist Party of China (CPC) has a representative committee within Huawei – a legal requirement for all companies in China, including foreign firms.
In 2012, the US government held a special investigation into the national security risks posed by Huawei and ZTE (a Chinese state-owned telecoms equipment maker). US officials were not satisfied with the companies’ explanations of their CPC committees’ roles, and neither could they convince officials that they weren’t state-controlled. The hearings concluded that Huawei and ZTE were a threat, but seemed to leave officials none the wiser.
But there’s a second aspect that could make the ownership issue somewhat redundant.
In 2017, China enacted the National Intelligence Law of the People’s Republic. Article seven states: “All organisations and citizens shall, according to the law, provide support and assistance to and cooperate with the State intelligence work, and keep secret the State intelligence work that they know.” It’s still unclear just how this law will play out in practice, but America fears it will compel employees working at Huawei’s international branches to spy for China.
Legal questions and speculation of control aside, evidence of Huawei’s connections to the Chinese government are well documented.
Especially financial connections.
While the Chinese government has repeatedly said that the US’s actions against Huawei violate free-market principles, significant credit lines from Chinese state banks have helped Huawei to survive – and expand.
China’s state news media has various reports of credit extended to Huawei by Chinese state-owned banks. For example, a report by Xinhua News Agency stated that in 2005, the China Development Bank (CDB) gave Huawei a $10-billion credit. The article explains that the bank helped Huawei through the 2008 crisis. In 2009, the CDB signed an agreement with Huawei for a $30-billion credit line. This type of support reflects Chinese government policy meant to aid China’s national, government-driven strategy of “going out” – that is, expanding Chinese businesses globally.
This is partly how Huawei expanded its business to developing countries. Essentially, a Chinese state-owned bank lends money to a country that cannot otherwise afford to build a mobile network, and that country uses the money to purchase Huawei equipment (the latter being a condition of the loan agreement). This helped the company to become the world’s leading network equipment provider with a 2018 global revenue of $107-billion – a 19.5% increase over 2017. It has operations in 170 countries and regions, and close to three billion end customers.
Huawei has also won hundreds of government contracts in China. The company website shows it has completed over 350 e-government cloud projects in China alone. By 2017, the company led the e-government cloud and big data markets in China. Huawei’s 2018 annual report shows that its domestic sales accounted for 51.6% of its total revenue. It has partnered with major state-owned service providers China Mobile, China Unicom, and China Telecom to run 5G commercial tests. In 2019, Huawei won 49% of China Mobile’s 5G network equipment contracts.
Apart from economic support, Chinese government diplomacy has opened doors for Huawei in other countries, partly because Huawei aligned its goals with that of the state. This was explicit in Huawei’s early global expansion strategy, as business analyst Yun Wen explains in her in-depth study of Huawei’s rise. Like China’s government, Ren “clearly recognised the influence of US dominance in the global political-economic order”, writes Wen.
Back in May 1997, the month after China and Russia signed their joint declaration on a multipolar world, Ren made a speech in which he stated that the “strategic partnership … between China and Russia will be in line with the two countries’ fundamental interests and national security. Huawei’s transnational marketing should follow the path of China’s foreign policy.”
Thus, writes Wen, Huawei’s founder made it clear that its entry into the Russian market wasn’t just for profit – it was also in line with China’s geopolitical interests to undercut US dominance. Aligning itself with China’s foreign policy got Huawei the support of the country’s central government and the state would play a crucial role in Huawei’s expansion into foreign markets.
Under the China-Russia joint declaration of 1997, Ren took his business to Russia. Huawei’s Russian sales exceeded $100-million by 2001.
In Africa, the Chinese government also played a pivotal role in Huawei’s expansion. In 2000, when the Forum on China-Africa Cooperation (Focac) was founded, China’s foreign minister, Wu Bangguo, invited Ren to accompany his delegation to various African countries. This laid the foundation for important contracts, such as a $200-million 2005 deal to build Nigeria’s CDMA network, and after Focac 2006, major deals with Ethiopia and Ghana followed.
Huawei has also built mobile networks in Britain, Europe, the Middle East, South-East Asia, and South and Central America, and throughout the years, top state officials have routinely inspected Huawei offices in China and abroad. (Huawei has, however, never been able to significantly break into the US market – apart from rural installations – partly because of the perceived security risk.)
In 1999, Huawei opened for business in South Africa. By January 2020, it held 28% of South Africa’s mobile phone market, and it provides network equipment for Telkom, Vodacom, MTN and Cell C. It’s also partnering with data-only service provider Rain to build 5G networks. But unlike the US’s case, China and SA enjoy warm diplomatic ties, so South Africans shouldn’t worry.
Or should they? In our next instalment, Daily Maverick does its own risk assessment. DM
*Names have been changed by Fulbright University Vietnam for reasons pertaining to research ethics.
Heidi Swart is an investigative journalist who reports on surveillance and data privacy issues. This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.
Daily Maverick © All rights reserved