Does Use of Huawei or ZTE Equipment/Services Trigger SEC Cyber Risk Disclosure Requirements?

Editor’s Note: The Securities and Exchange Commission (SEC) has issued Disclosure Guidance for Cybersecurity. The SEC Guidance states, in part, that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed…” under certain circumstances. As discussed below, the question is raised as to whether the security risks associated with use of Huawei or ZTE equipment or services by publicly traded companies are of a nature that would require public disclosure. The BBC news story below quotes a security expert at an international conference noting that “it was five times easier to find [a security vulnerability] in a Huawei router than in a Cisco one….”

Nothing in the following BBC story contradicts the House Intelligence Committee’s bipartisan finding that “neither ZTE nor Huawei have cooperated fully with the investigation, and both companies have failed to provide documents or other evidence that would substantiate their claims or lend support for their narratives,” nor does it cast doubt on the Committee’s recommendations, including the recommendation that “Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects.”

The need for SEC disclosure may be heightened by the findings on multiple occasions that Huawei routers are insecure and that ZTE phones have been found to contain a “backdoor” allowing unauthorized persons to “monitor text messages, listen to calls or install malicious programs,” as well as by the House Intelligence Committee report.

Update: For information on the White House’s denial that Huawei has been cleared of spying, see FISMA Focus here.

From: BBC

Huawei – leaked report shows no evidence of spying

A US government security review has found no evidence telecoms equipment firm Huawei Technology spies for China.

The 18-month review, details of which were leaked to the Reuters news agency, suggests security vulnerabilities posed a greater threat than any links between the firm and the Chinese government.

Last week a US congressional report warned against allowing Chinese companies Huawei and ZTE Corp to supply critical telecom infrastructure.

The firms have always denied espionage.

The classified inquiry was a thorough review of how Huawei worked, involving nearly 1,000 telecom equipment buyers.

One of the government employees involved with the inquiry told Reuters: “We knew certain parts of government really wanted evidence of active spying. We would have found it if it were there.”

Huawei spokesman Bill Plummer said: “Huawei is not familiar with the review, but we are not surprised to hear that the White House has concluded there is no evidence of any Huawei involvement with any espionage or other non-commercial activities.

“Huawei is a $32bn [£19bn] independent multinational that would not jeopardise its success or the integrity of its customers’ networks for any government or third party – ever,” he added.

ZTE’s senior vice president of Europe and North America, Zhu Jiny, told the BBC: “The security issues should not be focused on the Chinese companies. These are problems of the world situation. It’s not only Chinese companies – it’s a global issue.”

Sloppy code

Last week at a conference in Malaysia, Felix Lindner, an expert in network equipment security, said he had discovered multiple vulnerabilities in Huawei’s routers.

“I’d say it was five times easier to find one in a Huawei router than in a Cisco one,” he said.

He blamed sloppy coding rather than any deliberate attempt to leave backdoors open for spying purposes.

Questions about the relationship between Huawei, ZTE and the Chinese government circulated last week following a report from the US House Intelligence Committee.

While the report did not present concrete evidence that either Huawei or ZTE had stolen US data, it said it had classified information that provided “significantly more information adding to the committee’s concerns” about the risk to the United States.

It also criticised Huawei for failing to provide details about its relationship with the Chinese government.

Attitudes about Huawei differ from nation to nation.

Canada said last week that the firm could not bid to help build a secure national network. In Britain, however, a spokesman for the Cabinet Office said Huawei’s products were fully vetted and did not represent a security concern.

