A recently issued U.S. congressional report has cast a shadow on Chinese telecom equipment makers Huawei and ZTE. Because neither company answered congressional queries to the satisfaction of U.S. lawmakers, the report concludes that the two companies, as a result of ties to the Chinese government, cannot be trusted to supply telecommunications equipment to U.S. government agencies or U.S. companies.
Both companies vigorously argued against the report's conclusions. Huawei condemned the report as an attempt "to impede competition and obstruct Chinese [telecom] companies from entering the U.S. market." ZTE insisted its equipment is safe and that congressional concerns implicate "every company making equipment in China, including Western vendors."
U.S. lawmakers worry that Chinese-made telecom equipment could contain a hidden backdoor that could be used to eavesdrop on sensitive communications or to disrupt network infrastructure. The version of the report released to the public (a separate classified annex was withheld) contains no evidence that Huawei or ZTE have compromised their products at the behest of Chinese officials. But lack of transparency into the workings of the two companies and lack of answers to lawmakers' queries, in conjunction with ongoing reports about cyber attacks traced to China, have made it difficult for U.S. authorities to trust either company.
[ Learn more about the issue. Read Why Huawei Has Congress Worried. ]
The U.S. is not alone in such concerns. In March, Australia blocked Huawei as a potential vendor for its new national fiber network based on worries about national security. A U.K. government intelligence and security committee is investigating Huawei's longstanding provision of equipment to BT, according to The Guardian, which also reports that Canadian authorities may exclude Huawei from government communications initiatives as a security precaution. India banned the purchase of Chinese telecom equipment on national security grounds in April 2010, relented four months later, and is said to be considering whether to reinstate the ban.
Stewart A. Baker, a partner in the Washington office of Steptoe & Johnson, LLP, and former assistant secretary for policy at the Department of Homeland Security, said in a phone interview that telecom switches are particularly important for reasonably secure communication.
Anyone in the compromise business going after edge devices will find access difficult to maintain, he said. "People will do updates, they'll discard apps and phones," he said. "If you have switch access, you've got it forever, for all communications."
Baker acknowledges that the congressional report presents no specific evidence of espionage, but he believes the report's conclusions are reasonable. "You'd have to be an idiot not to realize that our security problems are bad and getting worse," he said. "I know there are people who will say about any national security claim that you're just looking for funding. But that's not a fair criticism of this report."
"We do face a serious challenge and one that could dramatically undermine our security from all the flaws we have in our IT security infrastructure," said Baker.
Publicly disclosed examples of deliberately compromised telecom equipment are few and far between--accidental vulnerabilities are more common and represent lower hanging fruit for attackers and security researchers. In May 2012, a draft of a research paper detailing a backdoor in an Actel/Microsemi ProASIC3 chip used in military applications was posted in advance of its intended September 2012 presentation date, leading to inaccurate reports that the backdoor had been installed by a Chinese manufacturer.
The paper's authors, University of Cambridge computer security researcher Sergei Skorobogatov and Christopher Woods, a computer security researcher with Quo Vadis Labs, subsequently denied having linked the backdoor to Chinese manufacturers and issued a letter to clarify their findings.
The chipmaker, U.S.-based Actel/Microsemi, claimed that the backdoor is a testing interface. "The alarmist press reports that some third party may have inserted any sort of hidden 'back door' into Microsemi devices are false," the company said.
Woods in an email acknowledged that compromised hardware is not common but suggested other unreported examples are likely to exist. "The only real-life example so far of a backdoor is in Actel's range of flash-based chips," he said. "No one else has found a real-life backdoor or Trojan in a real-world chip yet [and has] actually gone public with the results. But we very much doubt that this backdoor is an isolated case. ... This backdoor inserted into Actel's line of flash-based FPGA was deliberately inserted. Only its 'purpose' is under consideration."
The issue of purpose is a thorny one. Even as the U.S. government decries the risk of backdoors accessible to foreign powers, the FBI is asking online service providers like Facebook and Google to "build backdoors for government surveillance," as CNET put it.
Baker suggests that the FBI may not be after installed backdoors so much as a commitment to cooperate when the agency needs information for an investigation. And he notes that the phone system from the 1940s through the 1980s was in the hands of a limited number of companies and its backdoors were administered successfully. "You were free from wiretaps unless that company carried them out for the government," he said. "There wasn't a lot of misuse of that capability by others."
But what may have worked in the telecom system of yesteryear appears to be less tenable today. Backdoors are harder to conceal in a connected world, where penetration testing can be conducted from afar all day, every day. Google offers an example: In 2010, the company reported that it had detected "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." What the company did not say, but was later revealed, was that Google created backdoor access into Gmail to assist U.S. government law enforcement and that Chinese hackers had exploited this vulnerability.
Lawful interception capability also facilitated perhaps the most successful known telecommunications hack, the compromise of the Vodafone Greece phone network, detected in early 2005. According to IEEE Spectrum, a 2003 telecom switch upgrade partially implemented an interception management system that hackers, still unknown, were subsequently able to exploit to tap about 100 phones belonging to Greek government officials.
While U.S. officials may have reason to mistrust Chinese companies with ties to the Chinese government, concerns about hardware security really should be much broader.
Woods, whose firm offers technology to scan for hardware vulnerabilities, argues that we need to look at hardware not only from China, but from the U.S. and Europe as well. "Everyone is pointing at China, but so far we have found a backdoor in a U.S.-designed chip," he said. "Could it also not be the case that U.S. manufacturers could have installed backdoors or Trojans in their chips to be used at a later date? Is there any reason they would not put in such functionality if it was known that, most likely, these devices would be used by a foreign power?"
There's an additional complication: Cybersecurity incidents remain difficult to assess. As Errata Security researcher Robert David Graham has pointed out, claims about a Russian attack on U.S. utilities and a 2007 blackout in Brazil blamed on hackers have been turned out not to be attacks at all. Graham also says the 2008 Russian cyberwar against Georgia was merely citizen-driven hacking, without the oversight of the Russian military.
Forget about whether or not to trust Huawei and ZTE. Trusting anyone about cybersecurity matters entails risk. There's a lot of misinformation out there. The only way to moderate that risk is better access to information that can be checked. We need more transparency about the source of cyberattack claims, more transparency about the source code we're using in our products, and greater access to hardware production facilities. Trust but verify. Use open source systems when you can.
Baker suggests that the woes of Huawei and ZTE may help Chinese technology companies open up in order to deal with Western businesses expectations and regulations. "I think they've kind of stepped in it for the next five years," he said. "Their name will be mud in government circles. Maybe if they engage in some trust-building, they will be able to come back. For now, I think they're out of the market."
Huawei is already working on its recovery. Woods says that in the U.K., Huawei has supplied GCHQ--the U.K. equivalent of the National Security Agency--with source code to demonstrate the integrity of the software portion of its products. "You can't offer up source for the hardware, but you can offer the designs of the hardware, which by themselves won't reveal much," he said.
It's a step in the right direction.
Despite DARPA's effort to assure the reliability of hardware through its IRIS testing program, Wood claims that the U.S. and U.K. intelligence communities aren't interested in the techniques his company has developed. "We have offered to both the U.K. and U.S. government data and technology that [are] capable to look at this problem in a way that was not possible before, but we were told by an intelligence agency in the U.K. that they are not interested in backdoors or Trojans and any attempts to get some interest from the U.S. government has fallen on deaf ears."