China Video Tools for U.S. Help Spurs Spy AnxietyKathleen Miller
A manufacturer accused of being tied to the Chinese government has found a way to sell to U.S. agencies in an arrangement that’s raising concerns from security officials and at least one lawmaker about spying.
ZTE Corp., China’s No. 2 phone-equipment maker, linked up with a company in Baltimore to make its videoconferencing system available to federal offices.
The collaboration between Shenzhen-based ZTE and Prescient, a five-employee unit of closely held CyberPoint International LLC, comes amid warnings about China’s military hacking into U.S. computers. A U.S. House committee report advised federal agencies and contractors last October to bypass ZTE and Huawei Technologies Co. products because they might help China spy.
“It’s dangerous for our country,” said U.S. Representative Frank Wolf, a Virginia Republican who has supported restrictions on government use of Chinese goods. “There are job losses, national security ramifications and intellectual property issues at stake.”
The videoconferencing system, which carries both ZTE’s and Prescient’s names, was approved in November by the U.S. General Services Administration for sale to federal agencies.
Prescient said it assessed the device, documented its flaws and installed a U.S.-built hardware- and software-based firewall to block potential unauthorized access. That “substantially transformed” the product so it’s no longer considered a Chinese device, said Jerry Caponera, general manager for global partnerships at CyberPoint, a cybersecurity company.
“The beauty is after all that we have a Made-in-America product,” Caponera said. Prescient has sold three or four of the systems, he said. He declined to identify the buyers.
The U.S. market for networking equipment, which includes videoconferencing systems, is about $51 billion, according to ACG Research, a Gilbert, Arizona-based industry consulting firm.
CyberPoint’s Prescient has made no secret of its work with ZTE, which it has publicized on its website. Prescient also has discussed its efforts to secure foreign technology with U.S. Representative C.A. “Dutch” Ruppersberger of Maryland, the ranking Democrat on the House Intelligence Committee.
“China is where most manufacturing is done, and people are going to buy these products one way or another,” Caponera said. “I’d rather it happens in a more secure fashion.”
CyberPoint’s Prescient unit is the only vendor to go beyond security-testing services for overseas products and offer to build and install U.S.-made safeguards, according to Caponera.
“It’s the first I’ve heard of such a business model,” said Christian Marrone, vice president for national security and acquisition policy at the Arlington, Virginia-based Aerospace Industries Association. The trade group represents more than 300 defense and aerospace companies, including 3M Co., based in St. Paul, Minnesota, and Northrop Grumman Corp., based in Falls Church, Virginia, according to its website.
Even vetted and secured videoconferencing devices may not provide adequate protection, said HD Moore, chief research officer at Rapid7, a Boston-based cybersecurity company.
ZTE products, as well as those from Huawei and Cisco Systems Inc., have been found to have so-called backdoors, Moore said. These alternative entryways are often exploited by hackers. They jeopardize product security, regardless of whether they are intentional, he said.
“I wouldn’t trust ZTE to build a toaster, given the vulnerabilities I’ve seen in their products,” Moore said.
Videoconferencing systems are especially susceptible, Moore said. Some of the devices can default to automatically answer calls, and the cameras are powerful enough to read text from a document on a table, he said.
It’s difficult to counter deliberate compromises of technology equipment, Stewart Baker, a former assistant secretary for policy at the U.S. Department of Homeland Security, said in an e-mail.
Such efforts might work if they are done to the government’s satisfaction and with full knowledge, said Baker, a partner at the law firm Steptoe & Johnson LLP in Washington. “At first blush, though, it makes me profoundly uneasy.”
ZTE was accused in an October 2012 House intelligence committee report of having links to the Chinese government, presenting opportunities for espionage. Huawei, also based in Shenzhen, failed to explain its relationship with the government, the report said.
The U.S.-China Economic and Security Review Commission, an independent panel that advises Congress, said in a 2011 report that Huawei’s management structure is “opaque” and that Chinese government-affiliated entities appear to retain a majority share of ZTE’s stock.
Huawei and ZTE have denied links to espionage in the past, saying they aren’t controlled by the Chinese government.
Nina Zhou, a ZTE spokeswoman, didn’t answer questions about the vendor’s work with CyberPoint’s Prescient unit. “ZTE shares a global interest in promoting, not undermining, cybersecurity,” she said in an e-mail.
CyberPoint was founded in 2009 with four employees. Its staff has expanded to 130 workers, and the company has an office in Abu Dhabi. Karl Gumtow, its chief executive officer and co-founder, previously served as director of government contractor SRA International Inc.’s intelligence and space business unit.
In 2011, ZTE approached CyberPoint’s Prescient unit and asked for help improving its U.S. sales, said Caponera, whose LinkedIn Corp. account shows he previously worked at SRA and Lockheed Martin Corp. At the time, Prescient was exploring developing a niche market in securing overseas-made technology, making it more attractive to U.S. buyers, he said.
“They said they wanted to sell products in the U.S., and we said we could help with that,” Caponera said. “We said if your goal is anything else, we can’t help.”
Engineers at Prescient spent six to nine months assessing ZTE’s videoconferencing system for spyware and defects, creating software and hardware to help protect the device from any intrusions, he said.
The device has been available to government offices for more than eight months through a contract with the GSA, which coordinates orders for U.S. agencies. The GSA wasn’t aware of any purchases of the videoconferencing system through the contract, said Mafara Hobson, an agency spokeswoman.
Government and security officials say there are good reasons to be cautious about ZTE.
In May, the Pentagon for the first time directly accused the Chinese military of intruding on U.S. computers to steal sensitive data. A February report from Mandiant Corp., an Alexandria, Virginia-based computer-security company, said the People’s Liberation Army in China may be behind the hacking of at least 141 companies worldwide since 2006.
In March, President Barack Obama signed a law that limits some federal agencies’ ability to purchase information-technology devices from a company connected with the Chinese government.
The partnership with Prescient may be a way for ZTE to work around Congress’s warnings, said Ray Mota, founder of ACG, the networking-equipment industry consulting. Mota previously served as chief research officer for Synergy Research Group, which analyzes the telecommunications industry.
The U.S. market for networking equipment has largely been closed since the House committee report advised contractors and agencies to avoid ZTE and Huawei, he said.
“Some people have backed off both companies after that report,” Mota said. “This is an opportunity for ZTE to open up the door and break down some barriers. Some people will say, ‘Oh yeah, we’ll use a ZTE product if this other American company says it’s secure and certifies it.’ They see this as an avenue to get back in here.”
Most videoconferencing systems used by the federal government come from San Jose, California-based Polycom Inc. or Cisco, said Phil Karcher, an analyst with Forrester Research Inc. in Cambridge, Massachusetts.
While ZTE doesn’t break out its U.S. sales, it had revenue of 84.2 billion yuan ($13.8 billion) last year, according to its annual report. About 7 percent of that revenue came from the U.S., Cynthia Meng, an analyst with Jefferies Group LLC in Hong Kong, said in an e-mail.
ZTE and Prescient may collaborate on other telecommunications equipment. The Baltimore company is evaluating an optical-fiber distribution system made by ZTE that is designed to speed Internet access. That product might eventually be used by U.S. telecommunications companies that want a competitive offering to Verizon’s FiOS service, said Bryan Paul, a Prescient engineer.
U.S. financial institutions and telecommunications carriers have also approached Prescient seeking a secure way to use foreign products, which are often cheaper or more advanced than their domestic counterparts, CyberPoint’s Caponera said.
Prescient wants to find safe ways to use overseas-made products, though “there’s no such thing as perfect,” he said.
“The market needs it, the country needs it and businesses need it,” said Caponera.