Though cybersecurity is not a laughing matter, you have to admit that the revelations this past weekend that the NSA had successfully infiltrated the operations and equipment of the Chinese telecoms giant, Huawei, present at minimum rich veins of irony and hypocrisy. The agency has not only accomplished what US observers have accused Beijing of plotting but also used its access to Huawei products as the base for potential spying operations on the company’s customers worldwide. What follows are preliminary observations in light of earlier events and allegations and from my own previous posts and analysis.
Before proceeding, several points should be underscored: first, cyber attacks from Chinese sources – private entities, university-based centers and arms of the military – are incessant and have indeed increased in recent years. To its credit, this vital background story was included in the New York Times (0) report (1) (2)that broke the NSA/Huawei story (along with Der Spiegel). There are, then, clear reasons why the entire US cybersecurity apparatus should be focused heavily on Beijing and on government and allied internet and information technology bodies. It is also true that China makes no distinction between espionage to advance security goals and economic/industrial espionage conducted to gain competitive advantage for Chinese firms. As the Times story notes, the NSA and its security partners “watched as one group of privately employed engineers…pilfered the blueprints to missile, satellite, space, and nuclear propulsion technology from businesses in the United States, Canada, Europe, Russia and Africa.”
Yet Huawei’s experience in the United States – as compared to its treatment in 145 other countries around the world – demonstrates how difficult it is to discern and act upon true national security concerns in a cyberworld that is increasingly characterized by endless, porous information technology supply chains. I – and many others – have chronicled Huawei’s history in the United States. For purposes of this essay, only a few background highlights:
- Worldwide, Huawei has become the second largest manufacturer of internet backbone equipment (viz., routers, switches), and is now the third largest producer of smart phones. It operates as a private company and is capitalized at about $38 billion.
- While succeeding in many regions – Europe, Asia, the Middle East, Africa and South America – the company has largely been blocked in the United States because of cybersecurity concerns, including sub rosa intervention by the US government to stop Huawei from providing equipment to Sprint-Nextel; the veto of a proposed takeover of the firm 3Com; and rollback of the purchase of intellectual property from a small Silicon Valley firm.
- An October 2012 US House Intelligence Committee report (now endlessly cited by the press) presented the case against Huawei. Regarding the general security fears presented in the report, the committee stated first that: “China has the means, opportunity, and motive to use telecommunications companies for malicious purposes.” The specific fear was that at some point in the future Beijing would intervene and force the company to introduce backdoors or malware into the company’s equipment that could subsequently be used to infiltrate the networks of foreign countries. Beyond this, even if the company resisted such a move, the committee opined that “Chinese intelligence services need only recruit working level technicians or managers in these companies” and (tellingly in light of the recent revelations) “opportunities to tamper with telecommunications components and systems are present throughout product development.”
- The House Intelligence Committee, though it presented no direct evidence linking Huawei to espionage, nevertheless labeled the company a threat to US national security, called for a ban on investment or contracts in the United States, and advised US companies to find other partners if they valued US national security. Last summer, former NSA and CIA director Michael Hayden added his voice to the Huawei indictments – again without presenting corroborating evidence – advising an Australian audience to keep the company away from the country’s broadband rollout. It should be added that Hayden showed himself a dedicated techno-nationalist in warning that governments should only use domestic telecoms companies for their internet infrastructure, though he never explained how most nations (including Australia) without that capacity would acquire an information technology sector.
So what did the latest Snowden-based leaks reveal this past weekend? First, they provided details of a White House-directed 18-month investigation of Huawei that was carried out throughout 2010 in cooperation with the FBI and CIA. The original operation, code named “Shotgiant,” set out to uncover links between Huawei and the Chinese military. In carrying out this assignment, the NSA “pried” its way into servers in Huawei’s headquarters in Shenzhen, allowing it to monitor internal communications, including those of the chairman, Ren Zhengfei. But then the agency went further. Having gained access to the computer source codes of key pieces of equipment manufactured by Huawei, NSA undertook to utilize this and other information to infiltrate the computer and telephone networks of Huawei’s customers around the world. In addition, the NSA tapped into undersea cables that Huawei is laying to connect its worldwide networks. As the NSA document stated: “Many of our targets communicate over Huawei-produced products. We want to make sure that we know how to exploit these products,” and “gain access to networks of interest.” While it is not clear just which national networks were so exploited (Iran, Afghanistan, Cuba, Pakistan and Kenya were cited as priority targets) the program was counted as a great success; “We have access to so much data that we don’t know what to do with it.”
The implications and fallout will continue to unfold as we go forward. Here are several preliminary thoughts. First, maybe commendably, the NSA didn’t indulge in pointless denials: spokesmen limited themselves to underscoring the fact that none of its operations involved industrial espionage to aid US companies: “We do not give intelligence we collect to US companies to enhance their international competitiveness.” And they defended the national operations as aimed at “valid foreign intelligence targets.”
Still, the revelations are highly embarrassing to the agency. The Chinese government, piously and with a straight hypocritical face has, of course, demanded an explanation – as it must, given the discomfort to say the least at the knowledge that its own inner deliberations and conversations have been compromised. Huawei, with greater justification, has pointed up the odd twist of history. As William Plummer, Huawei’s chief spokesman in the US, stated (3): “The irony is that exactly what they are doing to us is what they have always charged that the Chinese are doing through us.”
More important from Huawei’s perspective, is that with all the deep investigations by the White House and the entire US security apparatus, no compromising connection has been uncovered between the company and the Chinese military. As the Times put it: “The documents offer no answer to a central question. Is Huawei an independent company, as its leaders contend, or a front for the People’s Liberation Army, as American officials suggest but have never publicly proved.” I would put it more bluntly: if, after all of this, the US government does indeed have information that proves its case against Huawei, it is time to make it public. Otherwise, what is already a low level of trust and credibility on these security issues will fall even further. I once suggested that House Intelligence Committee chairman Mike Rogers owed Huawei an apology (4). I don’t expect this to happen, but could Congress at least curb its faux indignation at the alleged Beijing-Huawei umbilical cord: from what’s been revealed this week, it is the NSA that has the closest connection with this Chinese company.
Stemming from this premise, both Huawei and the Chinese government have strong reasons to worry. Huawei claims, and there is no reason to doubt it on this, that it did not know of the NSA penetration of its inner networks. Though by implication vindicated on the Beijing connection charge, the company must be doubling – or tripling – its internal security penetration roadblocks (though here it is in the same boat as US companies such as Google, Facebook and Microsoft, themselves the victims of invisible NSA security breaches). As for Beijing, there are two possible scenarios: first, the Chinese government may well have come out of this convinced that it is far behind the US on the cybersecurity front – and thus must hold off moves toward international rules until catch-up has been achieved. Or Beijing could decide to cut its losses and respond positively to US overtures to rein in cybersecurity incursions. Alas, the former option seems more likely from both an economic and security perspective.