Don't Trust China with America's Data Security
The NSA has asked its close security allies to prohibit the use of Huawei equipment in their 5G telecom networks. In a telling twist of fate, recently Vodafone revealed it found backdoors in Huawei equipment in Italy in 2011, now supposedly remediated. The U.K., a member of Five Eyes security alliance for sharing intelligence, has also said it would allow Huawei in some parts of its network. These are worrying developments.
It is worth examining the risks the U.S. is worried about in simple, non-technical terms.
There are two components of risk: espionage and attack. Espionage is gathering and ultimately learning from data crossing the network. Attack is shutting down the installed equipment or any other piece of equipment which has ever connected to the network.
Malicious software is the key culprit in both espionage and attack. Even if the code on a piece of equipment is reviewed and declared clean, software updates and patches are installed over time. These updates provide an opportunity to insert malicious software, activate existing code on the equipment, or complete malicious code already on the machine.
Malicious code could be spyware or code targeting control of the Huawei equipment itself, other equipment on the network, or equipment elsewhere such as power grids or financial networks. Spyware can conduct espionage, “sniffing,” data passing through a device. It can also be a “trojan,” sitting quietly until activated and then attacking the equipment, or any equipment it may have migrated to, by shutting it off. Trojan spyware can also mess with the equipment as the world saw with the worm that destroyed some Iranian atomic centrifuges.
The threat extends beyond software. Hardware can be harnessed as well. Computer and telecom equipment have “firmware” (software “hard-wired” into silicon chips). Firmware might contain malware that could be released via an external signal. Firmware could also be “updated” to inject malicious code. Firmware is a lot harder to review as it is buried in the hardware.
What can be done to mitigate these risks? Not a lot.
Even close inspection by experts could miss a cleverly concealed threat. Future software updates could be examined in light of the knowledge of the base software, but that would be very expensive in terms of time and effort as well as yield uncertain results. Firmware-based threats could be impossible to see regardless of the inspection regime.
It should also be noted that gathering data by enemies, even if encrypted, is a risk. While data gathered today may not be un-encryptable, fast-evolving quantum computing could render it understandable in the future.
Beyond threats from “sniffing” data, once equipment is installed, there is no way to ensure its security or continued use in a time of tension or war. It is also nearly impossible to remove equipment from a network once installed.
This past January, the founder of Hauwei, Ren Zhengfei, said “No law requires any company in China to install mandatory back doors” referring to giving officials a key to access data on devices or networks. He continued with “I personally would never harm the interest of my customers and me, and my company would not answer to such requests.”
While Mr. Zhengfei’s words sound sincere, they must be understood in context of two recent Chinese laws, the National Intelligence Law and the Anti-Spyware Law. Specifically, “any organization or citizen shall support, assist, and cooperate with the state intelligence work in accordance with the law, and keep the secrets of the national intelligence work known to the public. The State protects individuals and organizations that support, assist and cooperate with national intelligence work.”
And also, “When the state security organ investigates and understands the situation of espionage and collects relevant evidence, the relevant organizations and individuals shall provide it truthfully and may not refuse.”
In the words of Michael Pillsbury, author of The Hundred-Year Marathon, China’s Secret Strategy to Replace America as the Global Superpower, “it’s easy to win a race when you’re the only one who knows it has begun”
China has thought this through. We need to do the same.
Mark Rosenblatt is a long-time tech entrepreneur and investor.