Huawei: It’s the software, stupid.

A late note on the Huawei US Senate report that found that Huawei and ZTE pose a potential security threat to the United States. I’ve heard a lot more people get a lot more defend Huawei than I expected, most of them assuming it’s simple China-bashing. While I haven’t read the report, and am sure it has issues of its own, I personally wouldn’t recommend that the US government use Huawei hardware without much stronger oversight. I say this knowing that, to date, there isn’t any public evidence that Huawei has done anything wrong.

There are two primary points of disagreement I’ve had with people on this: One is subjective, the other fairly objective. The subjective point concerns whether there’s any reason to suspect that Huawei would do anything like sneak exploits into it’s firmware. I argue that, yes, there is reason to suspect they might. The reason being that there is something approximating a nearly frozen cold war between the US and China. Both sides are making their war plans around each others capabilities. China is building carrier-busting super-sonic cruise missiles and the Department of Defense justified the F-22 almost entirely in terms of keeping a head start on the increasing prowess of the People’s Liberation Army Air Force. Any debate in Congress about reducing the number of aircraft carriers will inevitably bring arguments about China’s role in the world. And the final point to consider: behind every recent high-profile Chinese territorial dispute, there is a US fleet backing up the other side’s claims.

Two anecdotes drive the point home. The first is that I once met a former US military war planner who started a sentence with “I can’t give any details, but..” and went on to explain how if a US-China war ever broke out, the Chinese electric grid on the coast would be one of the first things the US military would try to take out. This fits similar patterns in other US military campaigns. TV and radio stations are also prime targets. It makes sense, then, that Chinese warplanners are looking at the same thing. As people have been warning for decades, the US electric and telecommunications infrastructure is a prime target for attack. There’s evidence that there’s already a low-level state of cyber war between the China and the US. So, for me, it’s not without basis to be wary of letting a company whose CEO’s office is a shrine to Mao Zedong (something a former Huawei worker told me) supply the US with critical infrastructure components. Where does on draw the line in letting the #1 Assumed Future Adversary build foundations of our defense and civilian communications network? 

My final point is more objective. Try opening a complicated Microsoft Office file in any other office productivity software. Docs, OpenOffice, and Pages will guess what that glob of binary 1’s and 0’s means but it’s always a guess. This is because one cannot deduce source code from binary and it’s the source code that shows you exactly what something is programmed to do. You can learn a lot with tinkering and reverse engineering the binary, but it’s always a crude guess. So the issue is not Chinese-hardware, which is why it doesn’t matter that US companies manufacture their components in China.

The issue is Chinese-written software – specifically, the firmware. No one, except Huawei, has any idea of what’s coded into the firmware. The only way you know if your reuter is spying on you is if you somehow catch it spying on you. The only way you know if that telecom gateway has a remote off-switch is if someone activates it. This is why I said at the beginning that I don’t think it matters that there’s no evidence that Huawei has done anything wrong. Whatever evidence exists would be on a programmers computer somewhere in Shenzhen. Even if the code is in your office on the machines you bought, as it stands even the best CIA hacker with the best hardware would have an extremely difficult time reading it.

All that said, I don’t think it’s fair to just ban Huawei and other Chinese companies from competing in the US market because they’re Chinese. In fact, the same concerns can be made for TP-Link or Siemens due to the possibility of a roque programmer.  But I think the problem is fixable.

As an open-source advocate, I question the need to keep firmware code propriety to begin with. But I understand that sort of institutional change won’t come quickly. In the meantime, my suggestion would be this:

  • Create a government organization – maybe intergovernmental with the best of the FBI, CIA, NSA, etc – to identify which network hardware is most susceptible to cyber-attack and/or spying.
  • Make it mandatory that any company, domestic or international, supplying that critical hardware release the source code for their firmware to that organization.
  • Have that organization certify that the code is without gaping security holes or backdoors. In fact, go so far as to let them compile the code themselves and update firmware.

Note that this isn’t entirely a novel idea: ZTE has suggested something like this and Stan Abrams has discussed the possibilities.

 

Be First to Comment

Leave a Reply