A major Chinese telecommunications company linked to the Beijing government has been selling equipment to U.S. government security agencies, raising new concerns about electronic espionage and sabotage.
The firm ZTE Corporation, based in Shenzhen, China, and one of the world's largest producers of handheld smart phones, has been providing equipment to both the Pentagon and Department of Homeland Security through a U.S. equipment contractor. The subcontracting has permitted ZTE to circumvent an unofficial ban on the use of Chinese telecommunications gear, said two U.S. officials familiar with details of the transactions.
In March, ZTE was fined $1.19 billion by the Justice Department as part of plea agreement following a six-year investigation that found the company illegally sent U.S.-origin telecommunications gear to Iran and North Korea in violation of U.S. sanctions laws.
The settlement involved an immediate fine of $892 million with an additional $300 million fine suspended as long as the company does not violate the terms of the plea agreement.
In exchange, the company has been allowed to continue doing business in the United States.
The company also obstructed the federal probe into the transfers that were carried out using front companies.
The identity of the U.S. company that ZTE enlisted as a subcontractor could not be learned, and no other details of the sales to the Pentagon and DHS could be learned.
The practice of subcontracting through a U.S. company to sell products to the government is not illegal and there are no rules banning Chinese companies from selling goods to the Pentagon or DHS.
However, the practice is raising serious concerns among Trump administration security officials and congressional oversight committees.
Spokesmen for ZTE USA, based in Richardson, Texas, did not return numerous phone calls and emails seeking comment.
A spokesman for the Pentagon, Cmdr. Patrick Evans said he was unaware of the ZTE's sales to the Pentagon through a contractor. A DHS spokesman had no immediate comment.
As part of the plea bargain, ZTE was removed from the U.S. government's list of sanctioned entities and must undergo a three-year probation aimed at preventing further violations of U.S. sanctions.
ZTE produces a range of telecommunications equipment from handsets to servers, switches, routers, and cellular network gear.
Attorney General Jeff Sessions said in March that "ZTE Corporation not only violated export controls that keep sensitive American technology out of the hands of hostile regimes like Iran’s—they lied to federal investigators and even deceived their own counsel and internal investigators about their illegal acts."
Sales of ZTE telecommunications products to the U.S. government have raised concerns in Congress about the dangers that China can penetrate the military supply chain—the system used to procure weapons and equipment—for future sabotage.
The concerns involve China planting malicious software or opening points that could be used to disrupt U.S. weapons systems or other equipment.
Those concerns were highlighted in November when a private security firm disclosed that Chinese phones contain software that uses a backdoor feature to send all data on handheld and other devices to Beijing every 72 hours.
The preinstalled software on Android phones was produced by the Shanghai Adups Technology Co. and is deployed on more than 700 million phones, cars, and other smart devices.
The Chinese spyware was discovered by the firm Kryptowire that says the software can transmit all text messages, contact lists, and call logs, location information, and other data to a Chinese server.
Adups website has said its software is used by two of the world's largest cellphone makers—ZTE and Huawei.
During a hearing of the House Armed Services Committee in June 2016, Rep. Mike Rogers (R., Ala.) questioned senior defense and military leaders about the risks of using Chinese telecommunications gear, including products from ZTE and a second state-owned firm, Huawei Technologies.
Asked if the Pentagon should rely on ZTE or Huawei equipment—both companies he said are linked to the Chinese military and intelligence services—Thomas Akin, a senior Pentagon official, said the Pentagon does not blacklist companies.
"It does create approved product or supplier Lists (whitelists) of products or organizations that have been assessed for use in certain applications," Akin said in a written response to Rogers.
"There are currently no Huawei or ZTE products on the DOD Unified Capabilities Approved Products List (APL)."
However, the fact that ZTE and Huawei products are not on the approved list does not prohibit contractors from working with the companies, and the government can still select products from those companies, Akin said.
"Short of suspension and debarment, federal contractors and vendors are not precluded from competing on DOD contracts," Akin said.
At the time Akin responded, ZTE had been placed on the Commerce Department's list of foreign companies restricted from selling to the U.S. government.
The company was removed from the list as part of the March plea agreement.
Akin stated that there are no rules prohibiting U.S. defense contractors from buying Chinese telecommunications or information technology, including from ZTE or Huawei.
Air Force Lt. Gen. James McLaughlin, deputy commander of the U.S. Cyber Command, testified at the same hearing when asked if the Pentagon should rely on ZTE or Huawei equipment, that information about such reliance is classified.
A report by the congressional U.S.-China Economic and Security Review Commission published in 2012 stated that ZTE has close ties to the People's Liberation Army, China's military.
"ZTE maintains a diverse relationship with the PLA that encompasses collaborative research with military and civilian universities, including satellite navigation, data link jamming techniques, training of active duty PLA personnel, and as a regular exhibitor and presenter at PLA sponsored defense industry expositions," the report said.
ZTE also has been "a prime supplier of customized telecommunications services and hardware to the PLA, including trunk-like optical network systems."
Disclosure of the ZTE sales of equipment to the Pentagon and DHS comes as a Pentagon Defense Science Board report recently warned of the growing danger that foreign states will use vulnerabilities in the supply chain to conduct cyber sabotage against U.S. weapons and equipment.
"The task force observed instances that may have been unsuccessful attacks on critical weapons systems via malicious insertion," the report said.
"The nation's weapons systems are at risk from the malicious insertion of defects or malware into microelectronics and embedded software, and from the exploitation of latent vulnerabilities in these systems," the report says.
Examples of supply chain sabotage were shown in the commercial sector, notably Volkswagen’s insertion of a "defeat device" that blocked auto emissions testing. Also, a semiconductor company, FTDI, used a Windows driver update to disable computers remotely.
The board urged the Pentagon to improve protections against cyber threats to weapons systems' development.
The fines imposed in March on ZTE were hailed by Commerce Secretary Wilbur Ross as part of a new get tough policy on violations of trade and national security laws.
"We are putting the world on notice: the games are over. Those who flout our economic sanctions and export control laws will not go unpunished—they will suffer the harshest of consequences," Ross said.
Last June, five Republican members of Congress wrote to then-Secretary of State John Kerry and then-Commerce Secretary Penny Pritzker to voice concerns about ZTE.
"It appears that ZTE, a firm that is—at a minimum—influenced by the Chinese government, had developed such strong ties to the American business community that it has become 'too big to sanction,'" the lawmakers said. "Effectively, ZTE has discovered that by integrating with enough American firms it can evade consequences for its intentional decision to ignore American sanctions on Iran, Cuba, and other rogue regimes."
The members of Congress, led by Rep. Steve Chabot (R., Ohio), were complaining about the Commerce Department decision to suspend sanctions on ZTE for its violations of export laws.