2000s In the U.S., officials and politicians within the federal government have raised concerns that Huawei-made telecommunications equipment may be designed to allow unauthorised access by the Chinese government and the Chinese
People's Liberation Army, given that
Ren Zhengfei, the founder of the company, served as an engineer in the army in the early 1980s. The
Committee on Foreign Investment in the United States scrutinized a deal by
Bain Capital to acquire
3Com with Huawei as a minority investor, and an attempt to acquire the virtualization firm 3Leaf Systems, both due to security concerns (with concerns that China could gain access to U.S. military-grade technology in the case of the former). Both deals fell through. In 2010,
Sprint Nextel blocked bids by Huawei on a supply contract, after the company was contacted by the
Secretary of Commerce. In November 2010, Huawei agreed to proactively allow local officials to perform cybersecurity examinations of its products, resulting in the opening of the Huawei Cyber Security Evaluation Centre (HCSEC). Its oversight board includes members of the
National Cyber Security Centre and
GCHQ. In October 2009, the Indian
Department of Telecommunications reportedly requested national telecom operators to "self-regulate" the use of all equipment from European, U.S. and Chinese telecoms manufacturers following security concerns. Earlier, in 2005, Huawei was blocked from supplying equipment to India's
Bharat Sanchar Nigam Limited (BSNL) cellular phone service provider. In 2010, the Indian
Central Bureau of Investigation (CBI) insisted on cancelling the rest of the Huawei contract with BSNL and pressed charges against several top BSNL officers regarding their "doubtful integrity and dubious links with Chinese firms". In June 2010, an interim solution was introduced that would allow the import of Chinese-made telecoms equipment to India if pre-certified by international security agencies such as Canada's Electronic Warfare Associates, U.S.-based Infoguard, and Israel's ALTAL Security Consulting.
Early 2010s In a 2011 open letter, Huawei stated that the security concerns are "unfounded and unproven" and called on the U.S. government to investigate any aspect of its business. The U.S.-based non-profit organisation
Asia Society carried out a review of Chinese companies trying to invest in the U.S., including Huawei. The organisation found that only a few investment deals were blocked following unfavorable findings by the CFIUS or had been given a recommendation not to apply. However, all large transactions had been politicised by groups including the U.S. media, members of Congress and the security community. However, another article unrelated to the report published by the Asia Society reported that, "fear that the P.R.C. government could strongarm private or unaffiliated Chinese groups into giving up cyber-secrets is reflected in the U.S. government's treatment of Chinese telecom company Huawei." In December 2011,
Bloomberg reported that the U.S. is invoking
Cold War-era national security powers to force telecommunication companies including AT&T Inc. and Verizon Communications Inc. to divulge confidential information about their networks in a hunt for Chinese cyber-spying. The U.S.
House Intelligence Committee had said on 18 November that it would investigate foreign companies, and a spokesman for Huawei said that the company conducts its businesses according to normal business practices and actually welcomed the investigation. On 8 October 2012, the Committee issued a report concluding Huawei and
ZTE were a "national security threat". However, a 2012
White House-ordered review found no concrete evidence to support the House report's espionage allegations. In March 2012, Australian media sources reported that the
Australian government had excluded Huawei from tendering for contracts with
NBN Co, a government-owned corporation that is managing the construction of the
National Broadband Network, following advice from the
Australian Security Intelligence Organisation regarding security concerns. The
Attorney-General's Department stated in response to these reports that the National Broadband Network is "a strategic and significant government investment, [and] we have a responsibility to do our utmost to protect its integrity and that of the information carried on it." On 9 October 2012, a spokesperson for prime minister
Stephen Harper indicated that the Canadian government invoked a national security exception to exclude Huawei from its plans to build a secure government communications network. On 19 July 2013,
Michael Hayden, former head of the U.S.
National Security Agency and director of
Motorola Solutions, claimed that he has seen hard evidence of backdoors in Huawei's networking equipment and that the company engaged in espionage and shared intimate knowledge of the foreign telecommunications systems with the Chinese government. Huawei and Motorola Solutions had previously been engaged in intellectual property disputes for a number of years. Huawei's global cybersecurity officer, John Suffolk, described the comments made by Hayden as "tired, unsubstantiated, defamatory remarks" and challenged him and other critics to present any evidence publicly. In 2014, Huawei reached a sponsorship deal with the
NFL's
Washington Redskins to install free public Wi-Fi at
FedExField, but the agreement was abruptly shelved weeks after it was announced due to unofficial action by a U.S. government advisor. In 2016, Canada's immigration department said it planned to deny permanent resident visas to three Chinese citizens who worked for Huawei over concerns the applicants are involved in espionage, terrorism, and government subversion.
Late 2010s In 2018, an investigation by French newspaper
Le Monde alleged that China had engaged in
hacking the African Union headquarters in
Ethiopia from 2012 to 2017. The building was built by Chinese contractors, including Huawei, and Huawei equipment has been linked to these hacks. The Chinese government denied that they bugged the building, stating that the accusations were "utterly groundless and ridiculous." Ethiopian Prime Minister
Hailemariam Desalegn rejected the French media report.
Moussa Faki Mahamat, head of the African Union Commission, said the allegations in the
Le Monde report were false. "These are totally false allegations and I believe that we are completely disregarding them." On 17 April 2018, the
Federal Communications Commission (FCC) held a preliminary, 5–0 vote on rules forbidding the use of government subsidies to purchase telecom equipment from companies deemed to be a risk to national security. A draft of the policy specifically named Huawei and ZTE as examples. The same day, the company revealed plans to downplay the U.S. market as part of its future business plans, citing the government scrutiny as having impeded its business there. In August 2018, U.S. president
Donald Trump signed the
National Defense Authorization Act for Fiscal Year 2019, which contains a provision barring the U.S. government from purchasing hardware from Huawei or ZTE, under cybersecurity ground. In retaliation for the aforementioned campaigns and legislation targeting the company, Huawei sued the U.S. government in March 2019, alleging that it has "repeatedly failed to produce any evidence to support its restrictions", and that
Congress failed to provide it
due process. In March 2019, the HCSEC Oversight Board published a report stating that it had "continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators", and that it had "not yet seen anything to give it confidence in Huawei's capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects". The report cited, in particular, use of outdated versions of
VxWorks in its networking equipment and inconsistent
checksums between OS images, and during a visit to a Huawei development centre in Shanghai, it was found that Huawei had been using an "unmanageable number" of
OpenSSL revisions between individual products. On 15 May 2019, Trump issued the Executive Order on Securing the Information and Communications Technology and Services Supply Chain, which gives the government power to restrict any transactions with "foreign adversaries" that involve information and communications technology. The same day, also citing violations of
economic sanctions against Iran, the
U.S. Department of Commerce added Huawei and its affiliates to its
Entity List under the
Export Administration Regulations. This restricts U.S. companies from doing business with Huawei without government permission. On 19 May 2019, Reuters reported that Google had suspended Huawei's ability to use the
Android operating system on its devices with licensed
Google Mobile Services, due to these restrictions. The next day, it was reported that
Intel,
Qualcomm, and
Xilinx had stopped supplying components to Huawei. On 16 May 2019, Dutch newspaper
de Volkskrant said Dutch intelligence agency
AIVD had received a report about backdoors on Huawei equipment belonging to a Dutch carrier and was determining whether or not the situation allowed espionage by the Chinese government. Huawei denied allegations of spying. Dutch telecom operator
KPN said the report was compiled for
risk management and no supplier had unlimited access to its networks. In 2019, a report commissioned by the
Papua New Guinea (PNG) National Cyber Security Centre, funded by the
Australian government, alleged that a data center built by Huawei for the PNG government contained exploitable security flaws. "It is assessed with high confidence that data flows could be easily intercepted," said the 2019 report on PNG's National Data Centre. The report noted the layout of the data centre did not match the intended design, opening up major security gaps. The project was part of a US$147 million digital support package from China to PNG which is also funding a national broadband network. Huawei told the AFR that the data centre project "conforms to appropriate industry standards and customer requirements". The AFR says that the firewalls had already reached their end of life in 2016—two years before the centre became operational. The paper quotes the security report as saying: "The main switches are not behind the firewalls. This means that remote access would not be detected by the security settings within the appliances." Huawei responded that the project "complies with appropriate industry standards and the requirements of the customer." The Government of Papua New Guinea has called the data centre a 'failed investment' and attempted to have the loan cancelled.
2020s In June 2020, the head of France's cybersecurity agency, the
Agence nationale de la sécurité des systèmes d'information, stated that he would encourage telecom operators not to use Huawei equipment while not outright banning Huawei. On 28 August 2020, President
Emmanuel Macron said,
France will not formally exclude Chinese telecom giant
Huawei for its upcoming
5G telecommunication networks, but favored European providers for security reasons. However all Huawei components used in 5G networks would have to be phased out by 2028 placing a de facto ban on Huawei. On 15 April 2021, the
Romanian government approved a law that aims to exclude Chinese group Huawei from the future 5G mobile network. According to the draft proposals, telecommunications companies may not be considered in Romania because of "risks, threats or vulnerabilities to national security". On 15 August 2021, according to
Engadget, Huawei was accused of pressuring a U.S. firm to install a data backdoor for a law enforcement safer-cities project in
Lahore,
Pakistan. The system supposedly gave Huawei access to a database that helped it collect sensitive citizen and government data "important to Pakistan's national security."
Chinese law requirement In December 2018, Arne Schönbohm, head of Germany's
Federal Office for Information Security (BSI), stated that the country had not yet seen evidence that Huawei had used its equipment to conduct espionage on behalf of China. That month, it was also reported that the
Japanese government had ceased future procurement of Huawei and ZTE products. The Czech Republic's cybersecurity agency issued a warning against Huawei and ZTE products, arguing that Chinese law required companies to "cooperate with intelligence services, therefore introducing them into the key state systems might present a threat". Huawei refuted the arguments, stating that it is not required to include backdoors in its products, nor has the company ever received any requests to do so. Shortly afterward, prime minister
Andrej Babiš ordered that government offices cease using Huawei and ZTE products. However, the ban was reversed after the agency's claims were found to be without basis. Huawei commissioned While Huawei has claimed the Clifford Chance review as "independent legal opinions", the review contains an explicit disclaimer from Clifford Chance that the material "should not be construed as constituting a legal opinion on the application of PRC law". Follow up reporting from Wired cast doubt on these findings, particularly because the Chinese "government doesn't limit itself to what the law explicitly allows" when it comes to national security. "All Chinese citizens and organisations are obliged to cooperate upon request with PRC intelligence operations—and also maintain the secrecy of such operations", as explicitly stipulated in Article 7 of the 2017 PRC national intelligence-gathering activities law. In late November 2018, the New Zealand signals intelligence agency
Government Communications Security Bureau blocked telecommunications company
Spark from using Huawei equipment in its planned 5G upgrade, claiming that it posed a "significant network security risk." The NZ ban followed a similar ban in Australia in August 2018. In October 2018,
BT Group announced that it had been phasing out Huawei equipment from "core" components of its wireless infrastructure (excluding parts such as phone mast antennas), including its 5G services, and the Emergency Services Network project. In December 2018,
Gavin Williamson, the UK's Defence Secretary, expressed "grave" and "very deep concerns" about the company providing technology to upgrade Britain's services to 5G. He accused Beijing of acting "sometimes in a malign way".
Alex Younger, the former head of
MI6, also raised questions about Huawei's role. On 11 January 2019, Poland announced that two people working on a 5G Huawei network had been arrested: Wang Weijing (a Huawei executive), and Piotr Durbajło, a consultant having worked for Polish domestic security, but currently working for
Orange on 5G network testing. In November 2019, the Chinese ambassador to Denmark, in meetings with high-ranking
Faroese politicians, directly linked Huawei's 5G expansion with Chinese trade, according to a sound recording obtained by
Kringvarp Føroya. According to
Berlingske, the ambassador threatened with dropping a planned trade deal with the Faroe Islands, if the Faroese telecom company Føroya Tele did not let Huawei build the national 5G network. Huawei said they did not know about the meetings. In March 2019, the $200 million bid by TDC to install the 5G network in Denmark came down to Ericsson and Huawei. Huawei resubmitted their "final offer" that came in suspiciously below Ericsson's bid, which spurred investigators to look for a leak. They found suspicious behavior by a TDC mechanical engineer, long-range microphones installed in their company boardroom, a denial-of-service attack on their corporate network, surveillance of company employees, a break-in at a TDC executive's vacation home, and drones spying on meetings.
Consumer electronics In 2015, German cybersecurity company
G Data Software alleged that phones from Huawei and several other Chinese manufacturers had been shipped with malware via infected versions of legitimate apps, that could record phone calls, access user data, and send
premium SMS messages. A Huawei spokesperson told G Data these breaches were likely to have taken place further down the supply chain, outside the manufacturing process. In January 2018, with the proposal of the Defending US Government Communications Act (which would ban the use of Huawei and ZTE products and equipment by U.S. government entities), calls for the FCC to investigate the company, as well as government pressure, it was reported that U.S. carrier
AT&T had abruptly pulled out of an agreement to offer its
Mate 10 Pro smartphone, while
Verizon Communications had declined to carry any future Huawei products. On 14 February 2018, heads of six U.S. intelligence agencies testified to the
Senate Select Committee on Intelligence against the use of Chinese telecom products by U.S. citizens, such as those of Huawei and ZTE.
Christopher A. Wray,
director of the FBI, stated that they were "deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks". Huawei responded to the allegations, arguing that its products "[pose] no greater cybersecurity risk than any
ICT vendor, sharing as we do common global supply chains and production capabilities," and that it was "aware of a range of U.S. government activities seemingly aimed at inhibiting Huawei's business in the U.S. market". In March 2018, it was reported that
Best Buy, the country's largest electronics store chain, would no longer sell Huawei products. In May 2019 a Huawei Mediapad M5 belonging to a
Canadian IT engineer living in
Taiwan was found to be sending data to servers in China despite never being authorized to do so. The apps could not be disabled and continued to send sensitive data even after appearing to be deleted.
Security exploits In July 2012, Felix Lindner and Gregor Kopf gave a conference at Defcon to announce that they uncovered several critical vulnerabilities in Huawei routers (models AR18 and AR29) which could be used to get remote access to the device. The researchers said that Huawei "doesn't have a security contact for reporting vulnerabilities, doesn't put out security advisories and doesn't say what bugs have been fixed in its firmware updates", and as a result, the vulnerabilities have not been publicly disclosed. Huawei replied that they were investigating the claims. In January 2019, Huawei patched a security flaw that was discovered by
Microsoft in the "PCManager" software bundled on its laptops, after detecting that the software used a driver with behavior similar to the
DoublePulsar exploit. In March 2019, the Oversight Board of the UK government's Huawei Cyber Security Evaluation Centre found "serious and systematic defects" in Huawei software engineering and their cyber security competence, and cast doubt on Huawei's ability and competence to fix security problems that have been found, although they do not believe these flaws are caused by Chinese government interference. In October 2019 a person named John Wu presented details regarding Huawei's Undocumented APIs which can poses security risk for Huawei clients (for example it let apps with Admin privileges install new system apps on the Mate 30). Those permissions are used by the "LZPlay" app to install the Google framework and services. Huawei has denied any involvement with the app or the "LZPlay" site. In February 2020,
The Wall Street Journal reported that Huawei has had the ability to covertly exploit backdoors intended for law enforcement officials since 2009. These backdoors are found on carrier equipment like antennas and routers. Huawei's equipment is widely used around the world due to its low cost. == U.S. business restrictions ==