Trust Compromised: Exploring the Technical Vulnerabilities and Geopolitical Stakes of Huawei in U.S. Government Infrastructure

By,

Introduction

The Criticality of Protecting Confidential Government Information

In the digital age, governments depend on robust, secure systems to exchange highly sensitive data. Breaches of classified military communications, intelligence sharing, or diplomatic cables can have catastrophic consequences for national security, foreign alliances, and public trust. Therefore, the assurance of end-to-end confidentiality and integrity is a non-negotiable technical and policy priority in any government communications system.


Huawei as a Case Study: Context, Geopolitical Relevance, and Public Sector Use

Huawei is one of the world’s largest suppliers of telecommunications and networking equipment. Leveraging decades of rapid innovation and state-backed investment, it has successfully penetrated public infrastructure markets in Asia, Europe, Africa, and the Americas. In numerous countries, including those within NATO and the EU, Huawei components have formed the backbone of public telecom infrastructure, judicial interception platforms, and even government cloud services. This widespread adoption is not without controversy: allegations of intellectual property theft, regulatory opacity, and, most critically, deepening ties to the Chinese government (particularly its intelligence and military agencies) have propelled Huawei into the crosshairs of global security debates.

Technical Risks Overview: Hardware Vulnerabilities

A principal concern is the possibility of built-in “backdoors” at the hardware level (undetectable pathways that could allow external actors to eavesdrop, control, or disrupt communications). Investigations in the US and allied nations have cited risk scenarios where supply chain tampering or proprietary chipsets permit privileged and unmonitored access to government data flows.

A further complication is the lack of independent and transparent certification of supply chain steps. Huawei equipment, by virtue of China’s opaque verification standards, is difficult to audit conclusively, meaning unintentional flaws or intentional threats may remain undetected throughout the life cycle of the product. 

Software Risks and Firmware Updates

Huawei devices run complex, proprietary operating systems and firmware. Technical analysis has shown that undocumented functions (sometimes discovered by third-party researchers) create opportunities for unauthorized data extraction. Remote update mechanisms, which are essential for patching vulnerabilities, can also be weaponized: if a vendor is compelled by national law to enable covert access or surveillance, remote code execution could become a gateway for espionage. Under China’s National Intelligence Law, companies like Huawei may be legally required to comply with such requests, even across international borders.

Legal and Political Foundations: Synopsis of Chinese Legislation and State Mandates

China’s 2017 National Intelligence Law and 2021 Data Security Law both obligate domestic companies to support state intelligence operations, which may include granting access to or facilitating the collection of foreign data held or transmitted on their systems. This legal mandate introduces profound risk: even if the technical architecture is secure in theory, secret cooperation with state agencies may override any technical countermeasures. This changes everything: Huawei, by law, must keep the Chinese government aware of the connections they handle, and the related data (please see the reference in Chinese, and use the browser translation feature to access the original law).


Case Studies of Documented Data Exfiltration

Prominent precedents underscore these risks. In the African Union headquarters data breach, Huawei-supplied servers were found to have regularly transmitted confidential data to servers in China for several years. Similar accusations have arisen in Europe and the Americas, supported by technical forensics and intelligence reports that suggest data exfiltration channels—either intentional or due to weak access controls—are a clear and present danger where Huawei equipment is deployed for sensitive government functions.

Real-world Vulnerabilities: Summary of Published CVEs Relevant to Huawei

Over the past decade, a growing body of Common Vulnerabilities and Exposures (CVEs) has spotlighted weaknesses in Huawei software and hardware, including:

  • Insufficient or faulty access controls that permit escalation of privileges or unauthorized system access.
  • Exploits that enable unencrypted or poorly encrypted transmission of sensitive data, making interception and tampering feasible.
  • Vulnerabilities in remote administration interfaces that allow attackers to gain control over critical network assets.

Evidence Cited by U.S. and Allies

Technical reviews by the U.S. Department of Defense, FBI, FCC, and international partners have repeatedly cited the lack of meaningful third-party certification and the persistent absence of effective countermeasures in Huawei’s approach to confidentiality assurance. Numerous bans in the US, UK, Australia, and parts of Europe are directly attributed to these unresolved security gaps. This by itself is a direct but informal recommendation not to use Huawei for anything government-related.

Espionage and National Security Concerns: Embedded Surveillance Mechanisms and Loss of Data Sovereignty

The most acute fear is that any government deploying Huawei for confidential communications cannot guarantee exclusive control over its own data. Even when Huawei representatives deny backdoors or unauthorized data access, the technical reality is that state-mandated remote access (under Chinese law) could be implemented in subtle, hard-to-detect ways, especially through firmware or remote-update exploits.

Risks to Intelligence Sharing and Coordination

This persistent uncertainty has led the United States and Five Eyes allies to suspend or condition intelligence cooperation with countries using Huawei infrastructure for critical or classified data exchange. In Spain, for example, U.S. lawmakers have called for the redaction of shared intelligence over fears that Huawei-based systems could leak sensitive operational information to the Chinese intelligence community, a move that could cripple trust-based security partnerships.

Counterarguments and Vendor Position

Huawei’s Official Position

Huawei representatives regularly deny allegations of providing government backdoors or unauthorized data access. The company emphasizes its commitment to legal compliance in host countries, invites independent audits, and highlights the lack of public evidence to support sabotage or deliberate backdoor activity in its commercial deployments.

Review of Independent Audits

While some technical audits (including UK and EU assessments) periodically review Huawei code and hardware, these processes have been limited in scope or depth. The opacity of supply chain steps and the impossibility of ruling out deliberate, concealed features undermine the confidence that vulnerable or malicious components can be definitively excluded from operational systems. This, by itself, should be sufficient for Huawei not to be used in any operation related to the government. 

Policy and Defensive Recommendations

Alternative Vendor Models and Zero-Trust Approaches

A robust defensive posture calls for more than technical fixes. Governments should adopt a zero-trust paradigm, presume no equipment from any single vendor is absolutely secure, use vendor diversification, and enforce stringent supply chain hygiene that mandates independent, continual audits at all levels of the stack.

Continuous Vulnerability Assessment and Compliance

Government networks should deploy continuous vulnerability scanning, rigorous compliance frameworks (modeled on standards like NIST SP 800-53), and mandate regular rotation or removal of hardware of uncertain provenance, especially for systems handling classified or sensitive communications.

Diving Deep into the Operating System and Exploring Why End Users Are Fascinated by Huawei: Realities, Myths, and Doubts

Huawei’s HarmonyOS uses a strong, multi-layered security system to protect devices, keep data safe, and stop hackers. It combines hardware safety, small secure parts in the core system, and strict rules about who can access what. Please note that HarmonyOS is primarily used in IoT device ecosystems such as smartphones, tablets, smart TVs, and other consumer smart devices, while Huawei’s network and security devices mainly operate on specialized, proprietary OS platforms like those in the Xinghe Intelligent Network Solution and HiSecEngine security family. 


Here’s how it works in simple terms:

  • Security Levels for Devices: The OS groups devices into five security levels, from SL1 to SL5. The higher the level, the stronger the protections. SL5 devices have special hardware that stops tampering and software that gets checked very carefully to avoid mistakes or backdoors. Each level adds more safety features like secure startup, attack defense, and extra protection for private information.
  • Hardware Safety Building Blocks: The system uses three important hardware protections called Roots of Trust, which offer:
      • Boot Protection: Makes sure that when a device turns on, only safe and approved software starts running.
      • Storage Protection: Keeps secret keys and private information locked and safe inside the device.
      • Computation Protection: Uses special hardware to run sensitive tasks in a protected area so no hacker or bad software can spy or change them.

Please note that these concepts are standard in modern secure devices from many vendors. In other words, nothing really new on Huawei’s side.

  • Small Secure Core (Microkernel): Unlike larger operating systems, where many components operate with broad privileges and are more vulnerable to bugs or attacks, a small secure core (microkernel) operates with limited privileges and is less vulnerable to bugs or attacks. It keeps its core minimal and runs additional services in isolation. This design ensures that if one part is compromised, the others remain protected. In truth, this fundamental difference sets Huawei apart from its competitors. This is a unique approach.

    [The top competitors of Huawei from the network and security devices standpoint are a) Cisco, b) Fortinet, c) Juniper Networks, d) Palo Alto Networks, and e) Check Point Software Technologies.]

The system also uses special math checks called formal verification to make sure the core has no mistakes or weak points.

  • Who Can Access What? – Similar approach to other vendors. Nothing really new here. The OS is strict about who can use what, based mainly on two combined systems:
      1. One that makes sure users or apps do not access data higher than their permission level (security labels).
      2. Another where file owners decide who can read or write their files, like in regular computers.

    Only apps and updates with official “signatures” (trusted stamps) can be installed.

Unknown software is blocked. Low-security devices cannot control or trick high-security devices — for example, your fitness band can’t make a big payment through your phone without permission.

  • Guarding Against Common Attacks – used commonly by Huawei’s software competitors. Really nothing new on Huawei’s part. The system uses “canaries” – a special check inside the memory to catch hacker tricks that try to overflow or corrupt the memory area, stopping attacks before they cause harm.
  • Special Communication Protocols

HarmonyOS uses its own secure network system called DSoftBus to connect devices. It safely discovers who is on the network, checks identities, and encrypts all data sent between devices to keep conversations private and secure. While Huawei does not fully disclose all technical details, DSoftBus likely uses the latest encryption methods, similar to TLS 1.3, known for strong protection. The lack of transparency is, again, concerning.
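The access rules listed above (signed software only, a lower-security device unable to drive a higher-security one, security labels, and owner-set file permissions) can be read as layers that must all pass. The following is an added illustrative model, not Huawei or HarmonyOS code; every class, field and sample name in it is an assumption made for the example.

```python
from dataclasses import dataclass, field

# Illustrative model only: names are assumptions made for this example and do
# not correspond to HarmonyOS interfaces.

@dataclass(frozen=True)
class Caller:
    name: str
    clearance: int      # highest data label this app or user may touch (1..5)
    device_level: int   # security level of the originating device (SL1..SL5 as 1..5)
    signed: bool        # package carries a trusted signature

@dataclass
class Resource:
    name: str
    label: int          # sensitivity label of the data (1..5)
    host_level: int     # security level of the device that holds the data
    owner: str
    grants: dict = field(default_factory=dict)  # owner-managed: caller name -> modes

def decide(caller, resource, mode):
    """Return (allowed, layer). Every layer must pass; the first denial wins."""
    if not caller.signed:
        return False, "signature"      # unknown software is blocked outright
    if caller.device_level < resource.host_level:
        return False, "device-level"   # lower-level device acting on a higher one
    if caller.clearance < resource.label:
        return False, "label"          # mandatory rule: an owner grant cannot waive it
    granted = resource.grants.get(caller.name, set())
    if caller.name != resource.owner and mode not in granted:
        return False, "owner-grant"    # discretionary rule set by the file owner
    return True, "allowed"

def evaluate(requests):
    """Run each (caller, resource, mode) request and record which layer decided."""
    return [(c.name, r.name, mode, *decide(c, r, mode)) for c, r, mode in requests]

# Constructed scenario: a phone (level 5) and a fitness band (level 2).
wallet = Caller("wallet", clearance=5, device_level=5, signed=True)
band = Caller("band-sync", clearance=2, device_level=2, signed=True)
gallery = Caller("gallery", clearance=2, device_level=5, signed=True)
sideloaded = Caller("sideloaded", clearance=5, device_level=5, signed=False)

cards = Resource("payment-cards", label=5, host_level=5, owner="wallet",
                 grants={"gallery": {"r"}, "band-sync": {"r"}})
photos = Resource("photos", label=2, host_level=5, owner="gallery",
                  grants={"wallet": {"r"}})

REQUESTS = [
    (wallet, cards, "w"),       # owner on its own data
    (band, cards, "r"),         # band reaching into the phone
    (gallery, cards, "r"),      # owner granted read, but label is too high
    (wallet, photos, "w"),      # label fine, owner granted read only
    (wallet, photos, "r"),      # label fine and read was granted
    (sideloaded, photos, "r"),  # unsigned package
]

if __name__ == "__main__":
    for row in evaluate(REQUESTS):
        print(row)
```

The third request is the instructive one: the owner's grant does not override the label check, which is the difference between the mandatory and discretionary layers.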

Additionally, connecting devices from manufacturers with unclear or opaque security postures, such as Huawei, to enterprise security infrastructure devices like Cisco, Fortinet, or CheckPoint firewalls presents significant technical risks. Firmware analyses reveal that Huawei’s devices contain a high density of known vulnerabilities, averaging over 100 per device, including critical and high-severity issues, which increase the risk of exploitation by malicious actors (Finite State, 2019). 

Common vulnerabilities on Huawei devices include hard-coded backdoor credentials, insecure cryptographic key usage, and software development practices that fail to meet industry security standards (Finite State, 2019). Moreover, such devices may be subject to undisclosed zero-day vulnerabilities that can be leveraged for unauthorized access or control. This fact alone provides a compelling reason to avoid selecting Huawei. 

While no technology vendor is entirely free from flaws, a significant distinction lies in the transparency of their operations. Most competitors maintain openness in their processes and engage collaboratively with global security standards and stakeholders. In contrast, Huawei operates with considerable opacity, and crucially, under Chinese law, it is mandated to report its activities to the Chinese government, raising substantial concerns regarding privacy, security, and potential government influence (Huawei, 2019; Bangkok Post, 2023; Council on Foreign Relations, 2019).

The integration of these devices into a secure network potentially introduces new attack vectors and complicates existing security monitoring by creating opaque system behaviors and undocumented telemetry patterns (Finite State, 2019). Additionally, due to limited transparency and potential compliance with foreign government surveillance laws, these devices may facilitate covert exfiltration or denial of service attacks that bypass conventional mitigation techniques (Council on Foreign Relations, 2019). The lack of end-to-end firmware lifecycle management and poor configuration hygiene compounds these risks, creating a broader attack surface within the protected environment (HCSEC, 2019).

Therefore, without rigorous independent security validation and enforced controls such as network segmentation and continuous monitoring, connecting such equipment to critical security infrastructure undermines the integrity, confidentiality, and availability of enterprise network services.
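One way to apply the segmentation and continuous-monitoring controls named above, shown as an added example that is not from the original article: treat the segment holding the unvetted equipment as default-deny for egress, then flag any flow that leaves it for a destination off the allowlist and any such destination contacted at a near-constant interval. The subnet, allowlist and flow records are constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed values (private and documentation address ranges).
SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # VLAN holding the unvetted devices
ALLOWED = [ipaddress.ip_network(n) for n in (
    "10.10.0.5/32",     # network management station
    "10.10.0.9/32",     # syslog collector
    "10.10.0.123/32",   # internal NTP server
)]

# Constructed flow records: time, source, destination, destination port, bytes.
SAMPLE_FLOWS = """\
2025-01-10T01:00:00,10.50.0.11,10.10.0.9,514,900
2025-01-10T01:30:00,10.50.0.11,10.10.0.123,123,90
2025-01-10T02:00:00,10.50.0.12,203.0.113.40,443,52000
2025-01-10T02:00:00,10.50.0.11,10.10.0.9,514,950
2025-01-10T02:41:17,10.50.0.11,198.51.100.7,53,310
2025-01-10T03:00:02,10.50.0.12,203.0.113.40,443,51800
2025-01-10T03:10:00,10.20.0.4,203.0.113.40,443,7000
2025-01-10T04:00:01,10.50.0.12,203.0.113.40,443,52400
2025-01-10T05:00:00,10.50.0.12,203.0.113.40,443,52100
2025-01-10T06:00:01,10.50.0.12,203.0.113.40,443,51900
"""

def parse_flows(text):
    """Parse CSV flow lines into (time, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), int(nbytes)))
    return flows

def egress_violations(flows):
    """Flows that leave the segment for a destination outside the allowlist."""
    return [f for f in flows
            if f[1] in SEGMENT and not any(f[2] in net for net in ALLOWED)]

def periodic_pairs(violations, min_flows=4, max_jitter=0.1):
    """Among violations, find (src, dst) pairs recurring at a steady interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in violations:
        by_pair[(str(src), str(dst))].append((ts, nbytes))
    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_flows:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings[pair] = {"flows": len(events), "interval_s": round(mean),
                              "bytes": sum(n for _, n in events)}
    return findings

if __name__ == "__main__":
    bad = egress_violations(parse_flows(SAMPLE_FLOWS))
    print(len(bad), "flows left the segment for unlisted destinations")
    for pair, info in periodic_pairs(bad).items():
        print("periodic:", pair, info)
```

The one-off DNS flow is still reported as a violation but not as periodic; both lists are worth alerting on, with the periodic one carrying higher priority.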

U.S. Government Agencies’ Political Endorsement of the Huawei Ban

The Huawei ban was first introduced and primarily enforced by the Trump administration. In May 2019, President Trump signed an executive order designed to secure the information and communications technology supply chain. This order blocked Huawei by adding it to the Entity List, effectively restricting American companies from conducting business with Huawei without government approval. The ban focused on national security concerns, including fears of espionage and Huawei’s close ties to the Chinese government. These restrictions were rigorously maintained and extended throughout Trump’s presidency.

Under the Biden administration, these restrictions have largely been upheld and even expanded. New rules have been implemented to further prohibit sales of Huawei equipment by U.S. companies and to prevent Huawei from obtaining new licenses since 2021. In essence, the initial ban was initiated under the Trump administration and continues to be reinforced under the Biden administration.

If you require further clarification regarding the rationale behind the United States government’s decision to ban Huawei, the following are five distinct reasons cited for the restriction.

  • The U.S. government expressed significant security concerns, specifically the risk that Huawei’s equipment could facilitate espionage or surveillance activities on behalf of the Chinese government, thereby threatening national infrastructure and sensitive data (EM360Tech, 2025; BBC, 2022).
  • Huawei’s close relationship with the Chinese government (including its founder’s military background) prompted fears that the company could be compelled under Chinese law to comply with governmental demands for data access or disruption of critical systems (Council on Foreign Relations, 2019; EM360Tech, 2025).
  • Multiple allegations of sanction violations were raised against Huawei, including the unauthorized supply of technology to countries under sanctions such as Iran and North Korea, which heightened concerns regarding compliance with international law (EM360Tech, 2025; Wikipedia, 2019).
  • U.S. authorities referenced documented instances and ongoing allegations of intellectual property theft and other unfair business practices involving Huawei, further undermining trust in the company’s operations (Council on Foreign Relations, 2019; Wikipedia, 2019).
  • The rapid expansion and global market penetration of Huawei—particularly in the domain of 5G infrastructure—was perceived as antithetical to U.S. interests, raising concerns about foreign dominance in essential communications networks and the strategic vulnerabilities this could create (EM360Tech, 2025; Bloomberg, 2025).

Conclusions

Huawei has skillfully integrated diverse operating system components to market its products as innovative and secure. However, this accomplishment is overshadowed by the complete and undeniable negligence of those entrusted with procurement decisions. These decision-makers have flagrantly disregarded critical technical details, demonstrating a total lack of cybersecurity knowledge and expertise. 

It is nothing short of catastrophic that government entities responsible for safeguarding national infrastructure have allowed themselves to be misled by superficial assurances and slick presentations, what can only be described as the “sweet talker’s effect.” This gross incompetence has led to the approval and deployment of Huawei equipment without a fundamental understanding of the technology’s inner workings, an egregious failure with severe national security implications. 

The decision to adopt Huawei technology was made by individuals who exhibited an alarming deficiency in technical knowledge and cybersecurity expertise. These decision-makers based their conclusions not on rigorous analysis or informed evaluation, but rather on superficial internet searches and recycled opinions, essentially parroting secondhand information without understanding the profound and implicit security risks involved.

This cavalier disregard for critical assessment reflects a catastrophic failure in governance and technical oversight. It demonstrates a reckless abdication of responsibility, placing national security infrastructure at unacceptable risk. Such decisions betray a dangerous gap between decision-makers and the complex realities of modern cybersecurity, exposing vital public assets to vulnerabilities that could have been foreseen and mitigated with even minimal technical acumen.

Furthermore, the central role of Huawei’s DSoftBus within HarmonyOS (a core component responsible for device-to-device communications and distributed system integration) directly ties into the broader Xinghe Intelligent Network Solution and HiSecEngine security family. It defies reason that anyone with decision-making authority would approve the use of such proprietary hardware and software in government settings without comprehending its architecture. Is this oversight a result of gross ignorance, or does it reflect a deliberate betrayal of national trust? 

Regardless, the combination of opaque legal obligations, significant technical vulnerabilities, and intertwined political interests surrounding Huawei equipment creates an entirely unacceptable security posture for handling confidential government information. Mandatory compliance with Chinese law, requiring full cooperation with state intelligence agencies, negates any possibility of ensuring absolute confidentiality and integrity of sensitive data exchanged using these devices.

With that said, all the shame belongs squarely to those who voted to adopt Huawei specifically within government agencies. The private sector may conduct different assessments and find Huawei suitable for their particular needs, which is independent and valid. However, when it comes to government, it is absolutely imperative that all technical aspects and cybersecurity concerns are thoroughly evaluated and prioritized above all else. Ignoring this foundational requirement is a reckless betrayal of public trust and national security.


References

Bangkok Post. (2023, September 28). Huawei eyes cybersecurity transparency. https://www.bangkokpost.com/business/general/2654730/huawei-eyes-cybersecurity-

BBC News. (2022, November 25). US bans sale of Huawei, ZTE tech amid security fears. https://www.bbc.com/news/world-us-canada-63764450

Bloomberg. (2025, May 14). What Huawei’s comeback says about US-China tech war. https://www.bloomberg.com/news/articles/2025-05-14/china-s-huawei-how-did-it-survive-bans-by-us-and-allies

China Law Translate. (n.d.). National Intelligence Law of the P.R.C. (2017). https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/

Council on Foreign Relations. (2019, June 11). Is China’s Huawei a threat to U.S. national security? https://www.cfr.org/backgrounder/chinas-huawei-threat-us-national-security

EM360Tech. (2025, February 16). Why was Huawei banned? A look into the telecoms giant. https://em360tech.com/tech-articles/why-was-huawei-banned-look-telecoms-giant

Federal Communications Commission. (2024, February 13). FCC bans sale of new devices from Chinese companies Huawei, ZTE, and others. https://cset.georgetown.edu/article/fcc-bans-sale-of-new-devices-from-chinese-companies-huawei-zte-and-others/

Fortinet. (2024). What is a firewall? Definition and types of firewall. https://www.fortinet.com/lat/resources/cyberglossary/firewall

G2. (2024, November 6). Top 10 Huawei network security alternatives & competitors. https://www.g2.com/products/huawei-network-security/competitors/alternatives/

Huawei. (2019, March 4). Transparency – Huawei Cyber Security Transparency Centre. https://www.huawei.com/en/trust-center/transparency

Kaspersky. (2019). What is a firewall? How firewalls work and types. https://www.kaspersky.es/resource-center/definitions/firewall

NPC Observer. (2025, August 3). National Intelligence Law. https://npcobserver.com/legislation/national-intelligence-law/

PeerSpot. (2024, December 31). Top 10 Huawei network intelligent protection alternatives. https://www.peerspot.com/products/huawei-network-intelligent-protection-alternatives-and-competitors

Reuters. (2022, November 25). U.S. bans new Huawei, ZTE equipment sales, citing national security risk. https://www.reuters.com/business/media-telecom/us-fcc-bans-equipment-sales-imports-zte-huawei-over-national-security-risk-2022-11-25/

SelectHub. (2025, July 6). Top Huawei firewall alternatives & competitors 2025. https://www.selecthub.com/firewall-software/huawei-firewall/alternatives/

Talaat, T. (2025, July 9). Huawei’s strategic position in Gartner Magic Quadrant. LinkedIn. https://www.linkedin.com/pulse/huaweis-strategic-position-gartner-magic-quadrant-analysis-talaat-tpxof

U.S. Department of State. (2020, November 30). The United States further restricts Huawei access to U.S. technology. https://2017-2021.state.gov/the-united-states-further-restricts-huawei-access-to-u-s-technology/

Wikipedia contributors. (2019, April 3). Criticism of Huawei. In Wikipedia. https://en.wikipedia.org/wiki/Criticism_of_Huawei

National People’s Congress of the People’s Republic of China. (2017). 中华人民共和国国家情报法 [National Intelligence Law of the People’s Republic of China]. http://www.npc.gov.cn/npc/index.html

The opinions expressed in this article are those of the author and do not necessarily reflect the views of the Miami Strategic Intelligence Institute (MSI²).