Malicious Life Podcast
The Malicious Life Podcast by Cybereason examines the human and technical factors behind the scenes that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution, with host Ran Levi interviewing hackers and other security industry experts about hacking culture and the cyber attacks that define today’s threat landscape. The show has a monthly audience of over 200,000 and growing.
Security researcher. Served for 9 years in the Israeli Army and Government, received two commendations and several certificates of excellence. Now working in an awesome startup - loves solving problems with good and talented people and innovating in the security research field.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
At the end of our last episode, it kind of seemed like Huawei–the Chinese telecommunications company accused of aiding in state cyber spying–was completely innocent. They were being accused of crimes they may not have committed, based on evidence that largely did not exist. The conspiracies around them seemed unfair at best, malicious at worst.
But there’s another side to this story, of course. Huawei didn’t end up on people’s radars for no reason. They’ve earned their notoriety.
I’ll tell you a story, so you see what I mean. Remember what Amit Serper said earlier this episode, about what Huawei is like?
“[Amit] Think of Huawei sort of a company like Cisco here in the U.S.”
This comparison holds a little more weight than Amit lets on. The reason why traces back to 2003, when the Executive Vice President at Cisco, Mark Chandler, flew to Huawei headquarters in Shenzhen, China, to confront their CEO, Ren Zhengfei. The problem? Cisco had reason to believe that Huawei was copying their…well…everything. Maybe not everything, but manuals, help screens, a command line interface, and, most of all, source code for routers and switches.
The evidence was not ambiguous, either. For example, Huawei’s manuals didn’t just read like Cisco’s, they contained the same typos. Even high schoolers know to re-word the Wikipedia articles they copy into their history papers. According to The Wall Street Journal, when Chandler presented the evidence to his face, Zhengfei replied by saying, quote, “coincidence.”
Cisco sued. In 2004 the parties settled out of court, after Huawei admitted to stealing some router software, and agreed to get rid of all the disputed IP. But if Cisco sought an end to the drama there, they wouldn’t get it. The following year, an American diplomatic cable reported that Cisco employees stationed in Zimbabwe found counterfeit Cisco tech in the telecoms systems installed by Huawei.
Shady Business History
Let’s take a more recent example. Meng Wanzhou is the company’s CFO and, notably, the daughter of its founder, Ren Zhengfei (the “coincidence” guy). On December 1st of 2018, she was arrested at Vancouver International Airport on request from the United States. The Justice Department has charged her with financial fraud, stealing trade secrets and doing business in Iran in disregard for economic sanctions. If found guilty, she faces up to ten years in prison.
Of course, somebody as powerful and well-connected as Meng will almost certainly not go to jail for ten years, let alone any years. But the DOJ does not press charges like these without ample supporting evidence. Meng’s case will continue for a while before a verdict is reached, but even if she somehow escapes all punishment, Huawei itself, as part of the same set of DOJ indictments, has been charged on 16 counts including fraud, theft of trade secrets, and racketeering.
The point of saying all this isn’t to bash Huawei. And, really, evidence of other crimes doesn’t implicate them in cyberespionage. But it does all add up to something, right?
Like, imagine your roommate is our Senior Producer, Nate Nelson. One day, your yogurts go missing. You ask him where they went.
“[Nate] I don’t know, dude, probably the Yogurt Fairy.”
You’ve got no proof that he ate them. You totally could have had some the other day, not realizing you finished the pack.
Then again, Nate used a ton of your cooking oil last week to fry chicken wings, and he didn’t ask first. Plus, he never takes out the trash, or goes shopping when you need toilet paper and paper towels. Really, Nate is a bad roommate! I bet he did steal that yogurt! Ugh, he really sucks, doesn’t he?
“[Nate] Hey, next time can you get strawberry? The blueberry kind is too sweet for me.”
Even before we consider cyberspying, we must consider that Huawei–the organization, as well as some of its highest-level executives and employees–have committed crimes before. They’re hardly the first Chinese company to do so; in fact, as it pertains to IP theft, they’re part of the norm. And that’s also part of the problem. The troubled history of Huawei, and the country they come from, is what makes allegations of cyberspying worth looking into.
State Control
The first European country to meaningfully, publicly question Huawei’s 5G cybersecurity was, of all places, the Czech Republic.
The Czech Republic was a rather unexpected country to take such a stand. Huawei provides a significant portion of the country’s telecom infrastructure. Milos Zeman, the President of the Czech Republic, has for many years been lobbying for Chinese investment in his country, making multiple trips to China and hosting China’s President Xi Jinping in Prague. If there were one sign of just how tight the Czech government was with China’s, it would be Huawei, which for years has provided all the communications technology for President Zeman himself, and his staff. That’s trust.
That’s why it was so notable when, in December of 2018, the Czech National Cyber and Information Security Agency–known colloquially as “Nukib”–issued a warning against Huawei and ZTE, a smaller Chinese competitor. Translated, the notice alleged that China’s law forced companies to, quote, “cooperate with intelligence services, therefore introducing them into the key state systems might present a threat.” End quote. Following the statement, the nation’s Prime Minister, Andrej Babis, called for a ban on Huawei products within the government–the first of its kind proposed in Europe.
But events quickly swung back the other way. After the warning from Nukib, Zeman accused his own cybersecurity agency of, quote, “dirty tricks.” Political infighting ensued. Zeman’s side won out, not just because he had greater power than Babis. The Czech National Security Council found no clear basis for Nukib’s original claim, and the government ban was struck down. Since December 2018, Huawei has continued with business-as-usual in the Czech Republic, even earning new contracts on top of those they already had.
Still, in other parts of the world, the inciting question didn’t feel so totally answered. Does Chinese law require that companies participate in state intelligence? Can we say?
Law Requirement
Officials in China’s government have argued for years that Huawei does not act in service of their intelligence services. Huawei CEO Ren Zhengfei stated that, quote, “Even if we were required by Chinese law, we would firmly reject that.” End quote. But could they “firmly reject that,” even if they wanted to?
In June 2017, with little public discussion on the matter, China updated its National Intelligence Law. Among its stipulations, Article 7 states that, quote, “any organization or citizen shall support, assist, and cooperate with state intelligence work according to law.” End quote. Article 14 expands on the idea, quote: “state intelligence work organs, when legally carrying forth intelligence work, may demand that concerned organs, organizations, or citizens provide needed support, assistance, and cooperation.” End quote. According to the same law, if such a company is called upon, they are not only required to participate, but also protect, quote, “any state intelligence work secrets of which they are aware.”
It seems, therefore, that if China’s state intelligence were to demand Huawei build backdoors into its 5G equipment for use in state surveillance, Huawei would have to comply, and its executives would have to keep that compliance a secret.
But not long after the very public Czech Republic fight, in an attempt to reverse the narrative, Huawei commissioned its own legal review. The review–37 pages, written by a Beijing-based law firm, reviewed by a firm in London–concluded that Chinese law doesn’t appear to require that Huawei would have to participate in government intelligence. Among its conclusions, it argued that Huawei–the makers of the equipment–are not obliged in the same way that the actual operators of networks are. Also, any Chinese laws that would theoretically apply to Huawei do not extend to its subsidiaries or employees outside of China.
The problem with this report, as was quickly pointed out by observers, is that China’s government is not bound by its own laws. Consider how often U.S. intelligence breaks its laws–the NSA’s PRISM program, for example. China’s legal system is far more lenient than the United States’. The Communist Party is the law. Who would hold them in check if they fudged their own rules? They’re the ones who get to decide. But no kid grounds themselves, no teenager turns themselves in for underage drinking.
Cost of Doing Business
“[Nate] What is Huawei’s relationship to the Chinese government? Perhaps a better question would be, what is any company of Huawei size in China’s relation to their government?
[Amit] The way things work in China is that a lot of companies or pretty much every company has some sort of an interface with the government. It could be either by ownership or by pretty much taking instructions and doing whatever the government tells them to do. You have people in the board of directors of these companies that are in the government or in the Chinese military. The government and the military and the intelligence bodies of China is often intertwined. Those companies and the government are often intertwined.”
It’s often said that there’s a “cost of doing business” in China. In reality, there is a certain cost of doing business in any country. In Russia’s oligarchy, for example, the president has major sway in deciding which companies can exist, and who gets to profit from them.
In the United States, the “cost of doing business” is more vague. Private companies have much more freedom and agency, and they possess the legal right to sue the government. But it’s usually a really bad idea to cross the authorities, especially when national security is invoked. The NSA’s PRISM program was an example of just how broadly private sector communications companies can be “extrajudicially” weaponized by the NSA for use in cyber surveillance. But in addition to those cases, there are cases to the opposite. Apple’s refusal to provide the FBI with an iPhone passcode crack in their investigation of the San Bernardino terrorist attacks proved that the largest American companies do have the power to defy government order.
Chinese companies likely have no choice but to participate with the ruling Communist Party’s order, but exactly how much influence the party exerts on any given company isn’t usually clear from the outside. In fact, it’s expressly made to be unclear.
State Funding
Huawei is a good example of this. Last year, the CIA accused Huawei of receiving funding from Chinese military, national security and intelligence agencies. The root of these claims, and the specific dollar amounts, are not publicly known. Last Christmas, the Wall Street Journal wrote that they had received approximately 75 million dollars in state funding over their years of operation. Huawei rebutted that they had received approximately that much money, but in the form of tax breaks and grants for research.
If true, these sources of funding are not unique to China, and don’t on their own indicate government control. Cisco, for example, has received nearly 40 million dollars in the past two decades through U.S. state and federal subsidies. Really, 40 million, or 73 million dollars in state funding is tame compared to what goes on in some other industries. The Raiders football team, for example, squeezed 750 million dollars out of the state of Nevada to help build their new stadium in Las Vegas. And a few years ago, according to documents obtained by the Wall Street Journal, New York politicians tried incentivizing Amazon to move to Queens by offering them 2.5 billion dollars in tax breaks and grants.
All this is to say: when state money ends up in corporate hands, it’s not necessarily an indicator of political influence. Cisco, Amazon or the Raiders are not controlled by their state governments. This may also be the case in China. Alternatively, China’s government could be using ostensibly legitimate forms of funding as a way of funneling dirty money.
It is in the interest of both China’s government and their corporations to obscure their connection as much as possible in the eyes of the outside world. For multinational companies, it’s a bad look to be seen as a puppet of the state. For the state, local companies provide two weapons: resources, and plausible deniability.
Those of you who’ve heard our Malicious Life episodes on China vs. Github know exactly how this all goes down. In that episode, we discussed how the Chinese government, on three notable occasions in the last decade, weaponized Baidu–their equivalent of Google–to launch denial-of-service attacks on the website Github. In those attacks, the state was able to take control of Baidu’s IT infrastructure, and weaponize the huge amounts of traffic that flow through their online services. It worked so well that, the third time around, they managed the single greatest DDoS attack recorded in history to that point. Today, we’re pretty sure that China’s government was behind each attack. But it took a lot of investigative work to get to the point where we could say that, and even with that being said, there’s not exactly any 100 percent definitive proof.
It is precisely stories like this that worry Western governments. Can you blame them?
Politics
The response to Huawei’s threat has been handled very differently by different governments around the world. As a case study, consider the five countries that make up the so-called “Five Eyes” intelligence alliance: America, Australia, New Zealand, Britain and Canada. Only one of these countries had taken early, aggressive, consistent action to protect their national comms infrastructure from possible Chinese state influence. Can you guess which one it was?
Australia. In 2012, Australia’s government banned Huawei from participating in their national broadband network. In 2018, they banned all Huawei 5G equipment.
In 2018, New Zealand took a similar action by blocking a local telco company, Spark, from using Huawei equipment. We might call this a “soft” ban–a precedent more than a rule.
The U.S. ban, as well as the recent Department of Justice indictments against Huawei, its subsidiaries, and members of the company, have caused the recent surge in Huawei press. But the leadup to the ban far predates the Trump administration. Every U.S. president since George W. Bush has had to grapple with what to do about Huawei.
Back in 2006, 3Com–a California-based network technologies company–had entered into a joint business venture with Huawei called H3C. Only eight months into his tenure, the Chairman of H3C voluntarily resigned due to concerns he had with Huawei’s business and cybersecurity practices.
A year later, Bain Capital–an investment firm co-founded by Senator Mitt Romney–sought to buy 3Com for over two billion dollars, with between 16 and 21 percent equity given to Huawei. Eight members of congress then pushed a bill suggesting that the Bush administration help block the deal. In a statement, one congresswoman expressed that, quote, “It would be a grave error for U.S. regulators to approve a deal that permits minority ownership in 3Com by one of the least transparent companies operating in China, a firm with shadowy ties to Chinese army and intelligence services.” End quote. The opposition was effective, and the buyout fell through.
In 2010, eight Senators signed a letter to high-up officials in the Barack Obama administration, expressing concern over a potential multi-billion-dollar contract between Huawei and Sprint. Extra emphasis was given to the fact that Sprint was a military and law enforcement supplier, meaning that the Chinese could, theoretically, use Huawei to get to Sprint to get to the U.S. government. Sprint later blocked Huawei’s participation in the deal.
But no real legislation followed. Large and small U.S. telcos continued to purchase Huawei equipment.
Until recently, this was the general pattern: red flags, no data; warnings, no action; hesitation but, ultimately, business as usual.
Canada & U.K.
Canada has followed the same kind of trend line. In 2018 the government revealed it had been conducting a security probe on its Huawei tech since 2013. But in a speech to a parliamentary committee that September, the head of the Center for Cyber Security in Canada said his country would not come out against Huawei–that they preferred, quote, “trying to address all of the risks, and not just one specific one.”
Of the Five Eyes nations, Britain stands out as the country which, most of all, has worked with rather than against Huawei. In 2009, spy chiefs from GCHQ–the NSA of the U.K.–warned government ministers of the potential for a, quote, “deliberate attack by China.” But in 2010, the same agency partnered with Huawei to form the Huawei Cybersecurity Evaluation Center. The same year, a 40-year veteran and former head of engineering at GCHQ took a position at Huawei, and in 2011, a former Chief Information Officer for the U.K. government did the same. In 2012, Prime Minister David Cameron and Huawei CEO Ren Zhengfei signed a long-term investment deal worth 1.3 billion dollars. As recently as this year, Britain’s government said it won’t exclude Huawei from its upcoming 5G infrastructure investments. It will limit their market share to 35 percent, though, and their equipment will be excluded from sensitive geographic locations.
The agreement to allow Huawei 5G came in direct opposition to U.S. lobbying. Over the past couple of years, the Trump administration has aggressively pushed its allies to join in banning Huawei tech within their borders. Part of the motivation has to do with actual cybersecurity best practices. These countries work closely together in cyber intelligence. If America is worried that China can peer into Britain’s network, they’re going to be less likely to cooperate on sensitive projects in the future.
But part of the motivation also has to do with politics, and cold, hard cash.
It’s important to remember that the U.S. also has companies that are competing with Huawei. So far I don’t think they’re doing really well. If right now Huawei has a better product than the American companies, then it kind of makes sense that all sorts of Congress members and all sorts of other kinds of representatives will make all sorts of alarmist announcements about the security of Huawei’s products. There’s always a hidden agenda somewhere.
Regardless of why, America’s lobbying has already had corrosive effects on international cooperation. It has put allied countries in a very difficult position. On one hand, if you ban Huawei, you’ll undoubtedly alienate the Chinese. If you don’t ban Huawei, you risk alienating the Trump administration. Either way, you’ve gained a powerful enemy.
Takeaways
Huawei claims to service a third of the world’s population. If you live in Banbury, Prague, Harare, or even Oregon, you may be among that third. But don’t fret–there’s little reason for you, personally, to worry.
“[Amit] We also need to always remember what is our threat model. If the average Joe buys a Huawei cell phone, is the average Joe a target here or is the target someone more important that has a Huawei phone? It’s important to threat model and think always about what you’re trying to hide and what it is that you’re trying to stay out of.”
There’s a lot we don’t know about Huawei. By the end of two episodes, what we can say is this: there’s ample evidence that Huawei tech is insecure, but little evidence that its vulnerabilities are being exploited by the Chinese state to spy on people.
So we can’t justifiably accuse Huawei of malintent (at least in regards to the issue of cyberspying). At the same time, nations do have legitimate reasons to prevent Huawei from participating in their 5G infrastructure projects. And even though we lack evidence of China leveraging Huawei technology, we know they retain the ability to do so, really, at any time in the future. No matter what their CEO says publicly, they have very little control in the matter. They exist only by virtue of their government allowing them to.
“[Amit] I look at Huawei as an arm of the Chinese government. I look at most of these companies that are coming out of China the same way. There were other companies that make telco equipment that had backdoors found in them. ZTE as well is another company that made headlines. Those things happen. With that being said, you can’t really outrun it because a lot of the stuff that we use is made in China or has Chinese software engineers writing code for it. It doesn’t necessarily mean that anything that comes out of China or that anything that comes out of Huawei or ZTE or any other company was meant to spy on everyone. It’s just something that we need to keep in mind.”
We’ve gone over a lot of negative stuff in these past two episodes. But if you ask me, even with all the reasons to avoid Huawei, and all the bad press they’ve been getting, I think they’ll come out of this just fine.
“[Amit] A few years ago I met with the network architect of a fairly large ISP in a different country. He told me that his company was using almost exclusively Cisco and Juniper networks equipment. But due to some sort of a change that they had to make in their network they asked Cisco to add a certain feature, especially for them. Something that was not natively in the product. Cisco wanted a lot of money for it. They told him that it would take them a few months to do that. They started shopping… The ISP eventually started shopping for other vendors. They started talking to Huawei. They told them what they need. Huawei sent about 40 software engineers to that ISP’s site. They added everything they wanted to their product in a matter of, if I recall correctly, it was three or four weeks instead of eight months. Sold them the equipment for a very low price, much lower than what Cisco offered them originally.
You can safely assume that that equipment is probably backdoored. At the end of the day, it all comes to dollars and cents. The power that Huawei has… The ability to just send 40 software engineers with their laptop to write code on site, it’s something that not a lot of companies can do. Combine it with the fact that their equipment is cheaper, then it’s no wonder why they’re so popular and they’re everywhere. At the end of the day, when what you look at as a business executive is dollars and cents, then we’re going to see our privacy compromised as a result of that because more privacy usually costs more money.”
People reuse bad passwords, companies only pay for protection after getting hacked, and governments would rather buy border walls than firewalls. Cybersecurity, outside the confines of the industry, is taken only somewhat seriously.
Money, on the other hand, is important to everyone; and Huawei is, in almost all respects, cheaper than the competition. Whether it be state funding, exploitation of workers, or some kind of trade secret, Huawei, next to their Western equivalents like Cisco, usually come out as the viable budget option. So, until the day we find Xi Jinping using a Huawei router backdoor to watch a video feed of your mom clipping her toenails in the kitchen, Huawei will continue to be a preferred option for telecoms providers around the world.
In the end, it probably won’t matter much. But, you know…it might.