A Congressional report yesterday warned that Chinese telecommunications companies Huawei and ZTE pose a “threat to U.S. national security interests” and could sell companies equipment rigged to give the Chinese government control over American communications networks.
The report (PDF), issued by the House of Representatives Intelligence Committee, cites no direct evidence that either Huawei or ZTE has acted to compromise the security of any of its clients. However, experts say the possibility is real that surveillance technology could be built into the routers and switches that underlie the Internet and wireless communications systems—and this could be difficult to detect.
Huawei and ZTE’s primary business is selling high-end computer networking switches and other equipment used by cell phone carriers, Internet service providers, and other companies to run communications networks.
“A switch sees all the traffic that passes,” says Fred Schneider, a professor at Cornell University who works on cyber security and policy. This digital data could be anything from phone calls to Internet traffic. “If you control the switch, you could set it up so that any time it handles data, it makes a copy and sends it someplace else, or you could change the data while en route—a yes to a no.”
A back door installed in networking hardware could be very difficult to detect, says Schneider. “If you siphon off lots [of data], then someone who was looking would notice,” he says. But “if it’s a small scale, it would be pretty hard to tell.” That’s because part of the Internet is designed to be fault-tolerant and allow the occasional piece of data to go missing. “It would be hard to distinguish between drops and retries and something nefarious,” says Schneider.
A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful “if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops,” Schneider says.
Schneider says many of the companies that buy the kind of equipment sold by Huawei lack the resources to exhaustively check every aspect of a device’s design or software for potential back doors. The use of strong end-to-end encryption could help prevent eavesdropping, but nontechnical defenses—such as buying from trusted suppliers or sourcing equipment from multiple vendors to reduce the consequences if one piece of equipment proves untrustworthy—could also be crucial, he says.
This week’s report is not the first time that a government has noted Huawei’s potential as a vector for Chinese espionage. In 2011, the U.S. Commerce Department blocked the company from bidding to build a new wireless network for first responders; in March 2012, the Australian government barred Huawei from bidding for contracts to create part of its new National Broadband Network.
“The telcos are very worried about this,” says Dmitri Alperovitch, a cofounder and CTO of Crowdstrike, a security startup that’s working on ways for companies to protect against cyber attacks and identify the perpetrators. However, Huawei’s prices are so low that any company that wants to remain competitive has to bear its products in mind. “Huawei is pretty much on par with the western manufacturers from a feature-set perspective, but much cheaper,” Alperovitch says. This week’s report reiterates that trade-off, but it does not lay down a hard and fast rule against U.S. companies doing business with Huawei.
Alperovitch says China is known to be interested in carrying out electronic espionage against other governments and companies, and is a major backer of espionage software spread by e-mail and the Web. “The Chinese are the most pervasive actors in terms of cyber espionage,” he says.
This track record, together with the fact that Huawei has refused to explain its relationship with the Chinese government or the role of a Communist Party committee inside the company, means that it’s fair to wonder if Huawei’s products will remain safe, Alperovitch says. “The question is, if the Chinese government comes to Huawei and says would you put this code in your router, would Huawei do it?” he says.
In a statement released yesterday, Huawei said the intelligence committee report “failed to provide clear information or evidence to substantiate the legitimacy of the Committee’s concerns,” and also said that committee members had been given access to the company’s research and manufacturing facilities, as well as extensive documentation. Company executives have previously said in testimony to the committee that Huawei makes about 70 percent of its $32 billion in annual revenue outside China, suggesting that it has little incentive to anger foreign governments.
Both Schneider and Alperovitch note that although this week’s report singles out Huawei, the globalization of supply chains raises wider security concerns about products from many technology companies. Even if equipment is made in the U.S., for example, it almost certainly contains components and chips made by other companies in other countries.
“There is a broader concern about supply chain,” says Alperovitch. “Who knows what’s being put into your product at the factory?”