The U.S. federal government is ramping up its efforts to ensure the security of its supply chains, and part of this effort involves the recent ban of products and services from Chinese IT firm Huawei.
The U.S. federal government is ramping up its efforts to ensure the security of its supply chains, and part of this effort involves the recent ban of products and services from Chinese IT firm Huawei. But what is it about this company that justifies this action, how is the U.S. government enforcing it, and what is expected of U.S. government contractors going forward?
Background and Pertinent Facts
Huawei’s Humble Origins
Ren Zhengfei was born without the best family connections in a rural part of Guizhou — China’s poorest province. “His father had been labeled a ‘capitalist roader’—someone attempting to restore capitalism and overthrow socialism — making it hard for Ren to become a member of the ruling Communist Party.” Despite these obstacles, Ren managed to graduate from college, and joined the Chinese army as an engineer in 1974.
At that time, China was suffering through severe shortages of even the necessities of life, such as food and clothing. The country was in “chaos,” and “textile rations were so scarce that most people barely had enough to patch and repair clothes.”Ren was ordered to set up a chemical factory to manufacture textile fibers in northeast China, part of a government plan to provide every Chinese citizen with at least one decent piece of clothing. Despite having shabby housing in subzero temperatures and eating mostly pickled vegetables for months at a time, Ren embraced his role. While the government was criticizing other Chinese citizens for reading “too many books,” the factory “was probably one of the few places [where] people could read.”
While in the army, Ren reversed engineered a tool that was needed to test equipment at the fiber factory, gaining the notice of a supervisor. Although the supervisor helped Ren become a party member, his prospects of advancing in the military were limited. Ren hoped to reach the rank of a lieutenant-colonel but never did. His last job with the army was deputy director of a construction research institute.
After Ren’s time in the Chinese army, China was aggressively transforming its markets, and government policy-makers fully supported developing China’s telecommunications industry. After a few years working for an oil company, Ren founded a small communications company, Huawei, in 1987. Ren registered Huawei as a private company in Shenzhen, a fishing village designated as a “special economic zone” in China.
Facing dominant competition from three Chinese government–owned companies (Great Dragon, Datang, and ZTE Corporation), Huawei initially operated as a minor vendor, focusing on China’s small towns and villages — where its bigger, government-owned, competition did not compete. Ren pushed employees “to work long hours and do whatever it took to secure business.”
Huawei initially focused on selling imported telecommunications switches — a hardware device that channels incoming data from multiple input ports to a specific output port that facilitates transporting the data toward its intended destination. In 1990, Huawei started work on its own switch, and in 1993, Huawei obtained a contract with the Chinese army to supply switches for an internal military communications network. Perhaps more important, Ren convinced the Communist Party General Secretary that “a country without a domestic telecoms switch industry was like a country without a military.” By 1996, the Chinese government’s policy favored domestic telecommunications companies, keeping foreign competitors out.
Huawei expanded in China by selling its technology to local governments, often in rural areas, at low prices (and sometimes for free) to eliminate its competitors. When 3G and 4G networks were being built, Huawei was playing catch-up to its international rivals, Ericsson and Nokia, often licensing its technology. Huawei competed in international markets by offering its products at a significant discount compared to its competitors.
In 2009, the owner of the dominant telephone and mobile network operation in Sweden, Teliasonera (now Telia Company), selected Huawei to build one of the world’s first fourth-generation wireless networks in Oslo, Norway. The same year, Telenor (Norway’s largest mobile network operator) selected Huawei to rebuild and replace Norway’s mobile phone network, which had first been built by Ericsson and Nokia. Huawei performed the complex transition ahead of schedule and under budget. These contracts placed Huawei in a new light on the international stage; it was no longer a low-priced, perhaps risky, alternative, but now beating established providers such as Ericsson and Nokia in their own neighborhoods.
Huawei also became “vertically integrated” — designing and supplying most of the components of 5G technology. Today, Huawei holds more 5G-related patents than any other company in the world. Huawei has also made some technical breakthroughs, “having field-tested its 5G technology in lower frequencies (good for coverage) and higher frequencies (better for high data speeds).”Huawei eventually held “30 contracts to build 5G networks around the world, with dozens of other countries close to signing on.”Currently, Huawei controls 29% of the global telecom equipment market, including 43% in the Asia-Pacific region and 34% in Latin America.Thus, Huawei is a formidable competitor with significant financial resources — the company reported that revenue for 2018 jumped almost 20% to more than $100 billion.Further, Huawei possesses competitive technology and the political backing of the Chinese government.
The Importance of the 5G Network
As technology progresses, the 5G network will be even more important than previous mobile networks for the national security of the United States and its allies. The 5G network “will be integral to the communications at the heart of a country’s critical infrastructure”— which will include everything from electric power and other critical utilities, communication networks, and key financial centers. Simply put, 5G will be “the central nervous system of the 21st-Century economy.”As such, an attack on a nation’s 5G network “would amount to a dramatic change in the nature of war, inflicting economic harm and disrupting civilian life far from the conflict without bullets, bombs, or blockades.”
How Huawei Factors in
Security experts have expressed concern that Huawei’s equipment “could be used to spy on foreign competitors, steal intellectual property, or even install ‘kill switches’ in energy or industrial projects.”In fact, some analysts have warned that, in the event of a conflict, the Chinese government could exploit “hidden backdoors in Huawei technology to shut down a foreign power’s infrastructure at the touch of a button.”
Without doubt, China is aware of the importance of cybersecurity to its national defense. In a 2015 document, the Chinese Ministry of National Defense stated as follows:
Cyberspace has become a new pillar of economic and social development, and a new domain of national security. As international strategic competition in cyberspace has been turning increasingly fiercer, quite a few countries are developing their cyber military forces. Being one of the major victims of hacker attacks, China is confronted with grave security threats to its cyber infrastructure. As cyberspace weighs more in military security, China will expedite the development of a cyber force, and enhance its capabilities of cyberspace situation awareness, cyber defense, support for the country’s endeavors in cyberspace, and participation in international cyber cooperation, so as to stem major cyber crises, ensure national network and information security, and maintain national security and social stability.
China’s National Intelligence Lawrequires all Chinese citizens and organizations to cooperate with intelligence agencies, and protects citizens and organizations from liability for such cooperation:
Article 7[.] Any organization or citizen shall support, assist, and cooperate with the state intelligence work in accordance with the law, and keep the secrets of the national intelligence work [from being] known to the public.
The State protects individual and organizations that support, assist, and cooperate with national intelligence work.
As such, Chinese intelligence agencies can require support and cooperation from Chinese citizens and organizations:
Article 14[.] The state intelligence organization shall carry out intelligence work according to law, and may require relevant organizations and citizens to provide necessary support, assistance, and cooperation.
Perhaps most troubling, Chinese intelligence agencies have the power to “adopt technical reconnaissance measures and identify protection measures in accordance with the needs of the work,” and “may preferentially use or legally requisition the means of transport, communication tools, sites, and buildings of relevant organizations and individuals, and if necessary, may set relevant workplaces and equipment.”
Thus, at least in the eyes of Western security experts, Huawei is a global technology powerhouse equal to Nokia and Ericsson — but subject to the direction and policies of Chinese intelligence agencies.
The Basis for Huawei’s Ban
In early 2018, in a complex of low-rise buildings in Canberra, agents of the Australian Signals Directoratewere instructed to simulate a hack into the 5G network of a target nation using all cyber tools at their disposal. What these agents found was that the 5G network was seriously exposed to spying and sabotage.
About six months after the simulation began, the Australian government effectively banned Huawei in its plans for building its 5G network.After the Australians shared their findings with other Western nations, the United States moved to restrict Huawei.
The U.S. Government Effectively Bans Huawei
Most recently, the U.S. government took two actions to restrict Huawei, as well as other companies deemed to be national security threats.
Executive Order 13873
On May 15, 2019, President Donald Trump issued an Executive Orderthat prohibited the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service…designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”when the transaction poses an undue risk of —
- Sabotage of information and communications technology or services in the United States;
- “[C]atastrophic effects on the security or resiliency of…critical infrastructure or the digital economy of the United States”; or
- “[O]therwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
The Executive Order greatly limits the use of products within the United States from companies that the government deems to be “national security threats.” Google’s parent, Alphabet, reportedly suspended business with Huawei as a result of the Executive Order.
The 2019 NDAA
More directly for U.S. government contractors, Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019defined equipment and services produced or provided by Huawei and ZTE Corporation, including their subsidiaries and affiliates, as “covered telecommunications equipment or services,” and restricted the procurement and use of such equipment by the U.S. federal government, U.S. government contractors, and U.S. federal loan and grant recipients. The 2019 NDAA also included within the definition of “covered telecommunications equipment or services” video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities) to be used “for the purpose of public safety, security of [U.S.] government facilities, physical security surveillance of critical infrastructure, and other national security purposes.”
The requirements of the 2019 NDAA were implemented within the Federal Acquisition Regulation (FAR) as follows:
- A new solicitation provision — FAR 52.204–24, “Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment” — was added, which requires offerors to represent whether their response to U.S. government solicitations includes “covered telecommunications equipment or services,” and if so to identify additional details about their use.
- A new contract clause — FAR 52.204–25, “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment” — was added, which prohibits U.S. government contractors from providing any equipment, system, or service that uses “covered telecommunications equipment or services” as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception applies or the covered telecommunications equipment or services are covered by a waiver described in FAR 4.2104. The contractor must also report any such equipment, systems, or services discovered during contract performance.
These prohibitions and requirements apply to all acquisitions, including acquisitions at or below the simplified acquisition threshold and to acquisitions of commercial items, including commercially available off-the-shelf items. The restrictions must also be included (or flowed down) to all subcontracts.
The U.S. government implemented these provisions “as a national security measure to protect [U.S.] government information and government information and communication technology systems.” Contracting officers are required to include these provisions in solicitations issued on or after August 13, 2019, and resultant contracts and in solicitations issued before August 13, 2019, provided award of the resulting contract occurs on or after August 13, 2019. Contracting officers must also modify existing indefinite delivery contracts to include the FAR clauses for future orders, prior to placing any future orders. When modifying an existing contract or task or delivery order to extend the period of performance, including exercising an option, contracting officers must include the clauses. In short, effective August 13, 2019, the U.S. government has severely limited the use of equipment from Huawei and other companies deemed as “a risk to national security.”
The Huawei case illustrates several important facets of the growing complexity of cybersecurity in U.S. government procurement.
Increasing Supplier Restrictions and Supply Chain Control
First, in the global economy, suppliers to advanced communications networks are more and more likely to be based outside of the United States and its allies, especially with the growing financial and technological strength of China. Supplies from our political adversaries will always create additional risk and could be subject to governmental interference. As Dan Coats (while U.S. Director of National Security) warned in his annual assessment of threats facing the United States —
Foreign production of advanced communication networks “will challenge U.S. competitiveness and data security,” and as American data increasingly flows across those networks, that will increase “the risk of foreign access and denial of service.”
In short, as international competition increases, U.S. government contractors will increasingly face restrictions on suppliers and more demands on controlling their supply chains.
Applicability to Commercial Transactions
Second, the Huawei case demonstrates that national security is not limited to government systems. As cyberwar becomes a central focus of our adversaries’ conflict strategy, the security of our commercial systems is in play. A primary concern with Huawei is the Chinese government’s access to data transmitted over the United States’ commercial 5G network, and the capability to interrupt this network during a potential conflict. Thus, the cybersecurity procedures imposed on U.S. government contractors will likely continue to extend to commercial transactions, as has occurred with Huawei.
Assessing and Controlling Supply Chain Risk
Third, the Huawei case demonstrates the difficulty in assessing and controlling potential risk and threats posed by suppliers outside of the United States, particularly suppliers based outside of our allies. Huawei’s story is, at least in part, one of success — where a small, private company in a competitive market, against heavy odds, achieved massive success; a story typically applauded in the United States. On the other hand, Huawei has also faced serious allegations of intellectual property theft and violations of U.S. export sanctions, in addition to possessing close ties with the Chinese government, which has provided it with an unfair competitive advantage and subjected it to Chinese laws that compromise Huawei’s ability to neutrally maintain cybersecurity across its products and services. The United States had to identify, assess, and respond to the risk Huawei presents to both its government and commercial systems, thus effectively banning it for use within U.S. government supply chains. Even more difficult, the United States will have to assess the risk Huawei presents to the systems of its allies, and what that risk means to the communication of information to allies. According to some reports, this risk has created strains in longstanding relationships with several important allies.
Increased Diligence and Compliance
Finally, and most directly, the Huawei case means that contract managers for U.S. government contractors will have to be very diligent in creating procedures and systems to comply with the new restrictions on the use of products and services from Huawei and the other companies implicated by FAR 52.204–24 and FAR 52.204–25. CM
Partner, Drinker Biddle & Reath LLP.
General counsel for NCMA.
1. The information on Ren Zhengfei’s background has been taken primarily from Sherisse Pham, “Who is Huawei founder Ren Zhengfei?” CNN Business (May 13, 2019), available at https://www.cnn.com/2019/03/13/tech/huawei-ren-zhengfei/index.html.
4. The information on the history of Huawei has been taken primarily from Keith Johnson and Elias Groll, “The Improbable Rise of Huawei,” Foreign Policy (April 3, 2019), available at https://foreignpolicy.com/2019/04/03/the-improbable-rise-of-huawei-5g-global-network-china/.
9. The information on the importance of the 5G network has been taken primarily from Cassal Bryan-Low, Colin Packham, David Lague, Steve Stecklow, and Jack Stubbs; “Hobbling Huawei: Inside the U.S. War on China’s Tech,” Reuters (May 21, 2019), available at https://www.reuters.com/investigates/special-report/huawei-usa-campaign/ (hereinafter, “Hobbling Huawei (May 21, 2019)”).
10. Johnson and Groll, see note 4.
11. “Hobbling Huawei (May 21, 2019),” op. cit.
12. Rob Davies, “The Giant that No One Trusts: Why Huawei’s History Haunts It,” The Guardian (December 8, 2018), available at https://www.theguardian.com/technology/2018/dec/08/the-giant-that-no-one-trusts-why-huaweis-history-haunts-it.
14. The Chinese Ministry of National Defense, “China’s Military Strategy” (May 26, 2015).
15. I.e., the “National Intelligence Law of the People’s Republic” (June 27, 2017).
18. Ibid., at Articles 15 and 17.
19. Editor’s note: This is an Australian government agency within Australia’s national security apparatus.
20. “Hobbling Huawei (May 21, 2019),” see note 9.
21. Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” (May 15, 2019), available at https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/.
22. Ibid., at Section 1(a)(i).
23. Ibid., at Section 1(a)(ii)(A).
24. Ibid., at Section 1(a)(ii)(B).
25. Ibid., at Section 1(a)(ii)(C).
26. Pub. L. 115–232.
27. As quoted within Johnson and Groll, see note 4.