21.1 C
New York
Wednesday, May 22, 2024

The US Fears Huawei Because It Knows How Tempting Backdoors Are

After publicly pressuring its allies to ban Huawei equipment in their 5G networks, US officials are now publicly accusing the Chinese telecom giant of being able to spy on mobile data. The allegations, reported by the Wall Street Journal on Tuesday, represent the first specific concern the US has articulated about Huawei after months of conceptual arguments.

The details around the accusation remain vague, indicating that Huawei may be able to spy on access points meant for law enforcement. US officials speaking to the Journal apparently declined to say whether the company had actually done so. But while suggesting a potential mechanism for improper surveillance does heighten the debate between the US and Huawei, it also hints at a deeper self-awareness on the part of US officials. In truth, the intelligence community fears Huawei for a fundamental reason: China will take whatever advantage it can, not unlike the US has done in the past.

Cloud in sky with Chinese flag

Inside the Feds’ Battle Against Huawei

By Garrett M. Graff

US officials have previously said they didn't need to justify their reservations about Huawei and the potential that the company's equipment could contain Chinese government backdoors. But a number of US allies are taking a different approach to dealing with the telecom giant, hoping to manage the potential risks rather than banning Huawei equipment altogether. The United Kingdom, for example, has maintained an auditing facility in China for years adjacent to Huawei's headquarters. And a UK security analysis from last year found that Huawei has more pressing security issues from sloppy, flawed code than from Chinese espionage. Meanwhile, the German legislature will soon vote on a bill that would allow Huawei equipment in German 5G infrastructure if the telecom makes promises about the integrity of its security protections.

Still, researchers say that it's unclear what exactly the US is alleging on a technical level with its new allegations that Huawei maintains network access that other manufacturers don't.

"We would need to have more details to be able to draw any conclusions," says Lukasz Olejnik, an independent cybersecurity researcher and advisor. "We know that forms of technical lawful intercept are a feature of all generations of cellular telecom specifications. But it's unclear what officials in the Wall Street Journal story are referring to exactly."

If Huawei has been abusing law enforcement access capabilities to clandestinely gather or funnel user communication data, it would be an example of the types of backdoors US officials have warned against.

"The remarks made by US officials completely ignore the huge investment and best practices of Huawei and carriers in cyber security risk management," the company said in a statement. "We are very indignant that the US government has spared no efforts to stigmatize Huawei by using cyber security issues."

Huawei has consistently and vigorously denied that it conducts wrongful surveillance or that it cooperates with the Chinese government by creating backdoors in its network systems. But US government officials have pointed out that China is an authoritarian state that maintains laws about corporate cooperation with government demands.

Furthermore, the US knows all too well that private companies can be infiltrated for espionage or technical control. Take the Swiss secure communications and equipment firm Crypto AG, which operated for decades under secret US intelligence control. Components of the scheme came to light over the years, but Crypto AG continued to operate until 2018, selling security tools with weakened encryption to foreign governments. In the most comprehensive expose on the operation to date, the Washington Post reported on Tuesday that Crypto AG was co-owned and managed from the 1940s by the CIA and West German intelligence (later the German agency, the BND) until the early 1990s, when the BND sold its stake to the CIA.

Crypto AG had a strong business selling security equipment to more than 120 countries, according the Washington Post, including India, Pakistan, and Iran. The Soviet Union and China never bought Crypto AG equipment, presumably over concerns about links to Western governments.

Even with the new layer of accusations, the case against Huawei still comes down to how countries plan to manage "supply chain" security issues. If you don't trust the entity producing technical tools or the environment they were made in, you must consider the possibility that the equipment was created with a hidden backdoor or other foundational flaw. Again, look no further than the US: Reports in 2013 revealed that the US National Security Agency physically intercepted and added technical backdoors to enterprise IT equipment, like Cisco and Juniper Networks products, to enhance data access.

This is why it's so difficult to manage risk with a private company through partial mitigations like those the UK is using. It's very difficult to vet market-ready devices for intentional backdoors, especially those designed to weaken encryption algorithms in near-imperceptible ways. You need to both reverse engineer the code accurately to understand exactly how a system functions and then conduct an exhaustive mathematical analysis of the cryptography. No matter how thorough this process, it's always possible that well-engineered flaws can evade detections.

"Every organization should understand and accept that they can't fully audit the encryption code on the devices they use to secure their data," says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. "And there's a history of potential hardware tampering by government agencies around the world. So organizations need to choose equipment that, if backdoored, presents the least risk. Supply chain security is a bear."

So the Huawei debate continues to go in circles. Regardless of the latest revelations, the question remains whether the risk is manageable, or if the US and its allies should forego Huawei altogether.

"Technology is a matter of national security as never before," Olejnik says. "Generally, what matters is control over hardware and software, bottom up, the full stack. Who do you trust? It's a question of digital sovereignty."

When it comes to equipment sitting in the heart of US wireless networks, you can start to understand the US government's fundamental concerns with Huawei. Especially given the US's own history of planting backdoors in technologies around the world.

Updated Wednesday February 12, 2020 at 1:45pm ET to include comment from Huawei.

Related Articles

Latest Articles