I'm sure all these companies have legal entities in all countries the operate in. So Huawei in US is US company and Huawei products bought in US from US Huawei are good,. but bad >when bought from Huawei China?
IANAL however I was a network engineer for the US Air Force for over ten years. Here is how the US DoD looks at it. There are three tiers of defense contractors.
Yes - Cisco, Juniper and other US controller entities that the DoD has already vetted and does business with on a routine basis. Also includes systems pre-integrated by defense contractors like Boeing and Lockheed that are sold as complete turn-key systems.
Maybe - Allied (usually NATO) defense contractors that also have vetted security policy. That would be companies like BAE Systems, Dausault, and Siemens. This would also include US suppliers that may never have done business with the DoD before and would have to undergo further review prior to being awarded a contract. There are also some "buy American" consideration that required us to use US suppliers unless there was a valid reason why the foreign manufacturer was the better choice (say we have an air defense system from BAE that has been designed to work with a specific device as part of a system). That is an economic/political concern in addition to the security concern and is covered under contracting regulations.
No way - entities considered to be under to control of or part of the military industrial complex of rival nations. That would include most Russian, Chinese, Iranian, etc companies. Also companies that refuse to comply with certain government sanctions or disclosure requirements. Also companies that employ specifically banned individuals under the export control act.
This is not necessarily a technical legal thing like having a corporate entity in the US (every multinational does), it is an intelligence assessment of risk. For sensitive software there is a long laundry list of requirements surrounding source code control and signing. In almost all cases I am aware of the US DoD acquires a Restricted Software License which actually means that they have access to view to source code for whatever they are running and require a cryptographically secure way of knowing the running code matches. For many of the systems I worked with there were actually special software loads signed by DISA (Defense Information Systems Agency) that we had to run. DISA software loads also tended to block certain configurations known to be insecure and a lot of times enforced higher security or encryption requirement. Our hardware had to come off a list of approved devices and in very sensitive service the device were sent to an NSA lab for analysis and returned under courier control before they could enter certain areas or networks. If the device ever exited the facility they had to go back for recertification. This was for assurance against embedded hardware taps or bugging devices. They also compared the device against known good models to make sure the hardware was the same.
The US Government considers Huawei and ZTE to have "close ties" to the Chinese government according to the Director of National Intelligence along with the heads of CIA, FBI, and the NSA as stated in testimony before the Senate Intelligence Committee. The founder of Huawei is the former engineering officer of the People's Liberation Army of China.
Now, this only applies to US Government agencies according to their acquisition rules but there have been moves by the FCC to ban these devices from US cellular network. I am not advocating for or against any of these policies and you can run what you want (assuming it can be imported). I myself would be nervous running Huawei code in a device if a cyber war broke out between the US and China.
Steven Naslund
Chicago IL
