Science·Analysis

If Huawei were a security risk, how would we find out?

There has been no public evidence that Huawei's equipment has been used to conduct espionage on behalf of the Chinese government. Here's what officials are worried about.

Every technology has flaws. The hard part is proving whether a flaw is purposeful

FBI director Christopher Wray, far right, appears at a news conference held Monday to announce indictments against China's Huawei Technologies Co Ltd, several of its subsidiaries and its chief financial officer, Meng Wanzhou, in a pair of cases accusing the company of everything from bank and wire fraud to obstructing justice and conspiring to steal trade secrets. (Joshua Roberts/Reuters)

Over the past few months, telecom companies around the world have, one after the other, announced they would not use Huawei technology in their next-generation 5G wireless networks.

Huawei may be one of the largest manufacturers of telecommunications equipment in the world, but its perceived ties to the Chinese government have unsettled U.S. security officials and some of their allies.

In Canada, however, it hasn't been so simple. The country's cellular service providers — Bell and Telus chief among them — use Huawei technology in their existing networks, and have for years. Now that those same carriers are planning to upgrade to 5G, where Huawei has been selling its technology for less than its competitors, the company is even harder to outright ignore.

Some argue that U.S.-led efforts to convince partners to drop Huawei's technology is less about national security concerns than about stymying Chinese dominance of the next big leap in wireless technology in favour of American innovations.

There's also the belief that Chinese tech companies could, theoretically, be compelled by the Chinese government to modify their technology for spying purposes.

It's likely the two concerns are intertwined. After the U.S. Department of Justice announced a pair of new indictments this week targeting the company, FBI director Christopher Wray said "the immense influence that the Chinese government holds over Chinese corporations like Huawei" is a threat to America's economic and national security.

Ryan Ding, the chief of Huawei's carrier business group, holds a Tiangang 5G base station chipset during a product presentation in Beijing earlier this month. (Thomas Peter/Reuters)

So far, there has been no public evidence that Huawei's equipment has been used to conduct espionage on behalf of the Chinese government. That doesn't mean the evidence doesn't exist — just that no one has been publicly forthcoming.

In the absence of proof, it's hard to know what to believe. But assuming Huawei is indeed a security risk, what sort of vulnerability would threat analysts be looking for, and how would they find out?

Attacking the supply chain

What intelligence agencies and telecommunications companies are especially concerned about is called a supply chain attack. This is where an adversary makes malicious modifications to a piece of hardware or software before it reaches its final destination — say, a telecommunications company's core network. The relationship between a company and its suppliers is built on trust, and supply chain attacks exploit that trust for ill.

5G technology would make an especially enticing target. The next-generation wireless standard is expected to allow all sorts of cutting-edge applications, such as self-driving cars and remotely operated medical robots, send and receive data faster than is currently possible, and with imperceptible delays. But before that can happen, cellular network operators around the world will essentially have to upgrade their technology at the same time.

A well-resourced adversary — like a nation state — could, in theory, use that opportunity to gain a foothold inside the world's rapidly shifting communications infrastructure by targeting the critical 5G hardware that would sit at its core.

Huawei makes a wide range of networking equipment, from core infrastructure such as switches and routers, to antenna units like the ones pictured here during a product presentation in Beijing earlier this month. (Thomas Peter/Reuters)

The idea is that, instead of attempting to phish an employee for their login credentials or infect a vulnerable computer with malware, a supply chain attacker can essentially sneak in the front door like a Trojan Horse (except the Trojan Horse in this case is a piece of tainted, high-end telecommunications equipment).

This is why a story published last year in Bloomberg Businessweek magazine was greeted with such alarm — and scrutiny. Citing six unnamed current and former senior national security officials, its authors alleged that computer components from a U.S. firm called SuperMicro — used by nearly 30 companies, including Apple and Amazon — had been subtly modified during manufacturing in a Chinese factory.

Apple and Amazon have vehemently denied the allegations, as have high-ranking U.S. intelligence members, and the story has yet to be confirmed by any other reporters.

But other, confirmed cases exist. In recent years, attackers have successfully placed backdoors in popular applications, such as the PC maintenance utility CCCleaner and file-sharing app Transmission, without their creators knowing.

Perhaps the most infamous case involved a nasty piece of Russia-linked ransomware called NotPetya, which masqueraded as a legitimate update to the accounting software M.E.Doc, widely used in Ukraine. It didn't take long for NotPetya to spread far beyond its Ukrainian targets, crippling the shipping giant Maersk, pharmaceutical company Merck, a FedEx subsidiary and more.

The usual security advice — don't download files or applications from unknown or untrustworthy sources — is irrelevant when an attacker compromises a source you think you can trust.

On Monday, the U.S. Department of Justice filed a formal request to Canada for the extradition of Meng Wanzhou, Huawei's chief financial officer, pictured here at a conference in 2014. (Alexander Bibik/Reuters)

Trust, but verify

Both the U.K. and Canadian governments have tried to mitigate supply chain concerns — and not just for Huawei, but any telecommunications equipment maker.

Since 2010, the U.K. government has overseen a cybersecurity testing facility that was founded to analyze Huawei's products for vulnerabilities in an attempt to mitigate any perceived national security concerns. (In an ironic twist, the lab is run by Huawei, but operates independently from its parent company, according to a government auditor.)

Similarly, Canada's Communications Security Establishment, the country's electronic spy agency, says it has run a security review program since 2013 "to help mitigate the risk of cyber espionage and network disruption through the exploitation of supply chain vulnerabilities in the current 3G/4G/LTE environment." A separate review of 5G technology is underway.

The idea is that any potential risks posed by Huawei's technology can be adequately managed by testing for vulnerabilities or backdoors before the technology is deployed — what some call "
trust, but verify."

Not everyone is convinced.

Huawei has proven popular among service providers planning to build their next generation 5G wireless networks, because the Chinese company sells cutting-edge technology at a lower cost than competitors. (Mark Schiefelbein/Associated Press)

The Globe and Mail reported last September that U.S. officials are skeptical that Canada's safeguards are good enough to counter any Chinese threats. Earlier this week, FBI director Wray warned against allowing Huawei to "burrow" into American telecom companies.

"That kind of access could give a foreign government the capacity to maliciously modify or steal information, conduct undetected espionage, or exert pressure or control," he said.

Even the U.K.'s own oversight regime admitted last year that, due to recently identified shortcomings in Huawei's engineering process, it "can provide only limited assurance that all risks to U.K. national security from Huawei's involvement in the U.K.'s critical networks have been sufficiently mitigated."

The concept of trust, but verify only works "as long as you really can verify what goes into the infrastructure and critical positions," said Alan Woodward, a former security consultant to the British signals intelligence agency GCHQ, during an appearance before a U.K. Joint Committee on the National Security Strategy last year.

"As I understand it, Huawei was not able to guarantee, and did not have a process in place to show that what was coming off the production line and going into the networks was what had been evaluated."

Looking for proof

U.S. intelligence community concerns about supply chain attacks go back at least a decade, according to a recent story by The Intercept that relied, in part, on previously unpublished classified documents.

One reads:

"The deep influence of the Chinese government on their electronics manufacturers, the increasing complexity and sophistication of these products, and their pervasive presence in global communications networks increases the likelihood of the subtle compromise — perhaps a systemic but deniable compromise — of these products."

U.S. intelligence and law enforcement officials are concerned that if their international allies were to let Huawei technology into the core of their countries' next generation wireless infrastructure, the Chinese government could compel Huawei to modify its technology to be used for espionage purposes. (Andy Wong/Associated Press)

In 2014, The New York Times reported that America's National Security Agency (NSA) went so far as to infiltrate Huawei's network in search of evidence of the company's ties to the Chinese government. Despite apparently eavesdropping on the communications of Huawei's executive team, it's not clear whether the NSA found any evidence to back up its suspicions. The Intercept says its documents are similarly vague and uncertain about what China has done.

Huawei has said that if the U.S. believes there are backdoors in its equipment, it should produce some proof.

It's unlikely that there would be some skeleton key lurking within every Huawei product on the market. A vulnerability that widespread could just as likely be exploited by China's adversaries as by China itself.

The reality is that every technology has flaws and vulnerabilities, and Huawei's products are no exception. The hard part, we're learning, is proving whether a flaw was put there on purpose.

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga was the senior technology reporter for CBC News, where he covered stories about how data is collected, used, and shared.