China, Huawei, and the eavesdropping threat

In the world of espionage and intrigue, China has always played the long game, planning far beyond the next quarter, looking over the horizon at the next generation. For this reason, it should come as no surprise that China and Chinese government-supported companies like Huawei will look at every avenue to advance the long-term goals of the Chinese Communist Party (CCP).

With this in mind, CNN’s exclusive report on the FBI’s investigation into how Huawei’s equipment could be used to disrupt and listen to U.S. nuclear arsenal communications should not have come as a surprise.

Is Huawei a national security threat?

The U.S. intelligence community certainly thinks Huawei is a national security threat and included the admonishment to avoid Huawei hardware in the U.S. telecommunications infrastructure at the Global Threats and National Security briefing before the Senate Intelligence Committee in February 2018.

No doubt the IC’s admonishment that Huawei’s equipment provided China “the capacity to maliciously modify or steal information” and “the capacity to conduct undetected espionage,” as voiced by FBI Director Christopher Wray, served as an impetus for CNN to dig into the story. What they found, and shared in March 2019, was that Huawei’s Midwest presence was indeed in proximity to U.S. military sites. In one case a Huawei cellular tower was less than one-third of a mile from a U.S. missile silo.

The FCC issued a ruling in November 2019 that effectively banned Huawei from U.S. networks, under the rubric of it being a national security threat. Yet those entities which had invested in Huawei hardware were not required to immediately remove the equipment and a fund was created to help them purchase new hardware and pull Huawei iron from their racks. The then-acting FCC Chair, Jessica Rosenworcel characterized the FCC effort as “perhaps the most significant federally funded effort to rebuild and secure commercial communications networks nationwide. This means we will evaluate network after network, base station after base station, and router after router until we have rooted out equipment that could undermine our national security.”

Fast-forward two years, and we have CNN’s expose, which describes the possible without providing any evidence of information collection, network control, or interference with U.S. communications by Huawei or China has actually happened. But in the world of intelligence, capability present changes the calculus from an “if” discussion to a “when” discussion, assuming of course that there is 100 percent certainty that what they fear hasn’t already happened (the bane of every counterintelligence analyst: “Am I seeing everything?”).

China’s efforts not limited to networking equipment providers

Huawei has been caught with its hand in the cookie jar in the past, which makes the allegation contained in the CNN piece more easily digestible. For example, in January 2003, Cisco sued Huawei for filching its source code. The two companies reached an agreement in October 2003, where Huawei removed Cisco’s code and Huawei, through its partnership with 3com, would be allowed to sell its hardware in the United States (Note: 3com was acquired by HP in 2010). And they did, with many smaller wireless carriers in the Midwest adopting Huawei’s hardware, as it was cheaper and their margins narrow.

In another example of China’s tactics, the CNN piece references the 2017 effort by China to gift a Chinese garden to the National Arboretum in Washington, D.C. The FBI worked behind the scenes to squash the project when it was learned that the Chinese had selected high ground within two miles of the U.S. Capitol and other government buildings. In addition, the materials for the building weren’t purchased locally, rather they were being shipped in under the umbrella of China’s diplomatic pouch, which precluded the U.S. from inspecting the materials.

Contemporaneously with the effort by the FBI in Washington, D.C., was the discovery that took place in Addis Ababa, Ethiopia when listening devices and daily data transfers to China were discovered by the AU information technology team. The African Union headquarters building was a gift from China, built-in 2012 at a cost of $200 million, paid in full by China. A bold and aggressive act of espionage.

The takeaway for CISOs

When making purchasing decisions, one must consider global political and economic realities and make that risk-reward calculation based on their own instance. Those involved in national infrastructure projects already know that their entities sit firmly in the target sights of adversaries and potential adversaries of their customers. Those who provide goods may also find their supply chain of interest and thus purchasing decisions must consider the track record of a given country of origin’s ability to sway or manipulate the vendor being used.

While it isn’t a dog-eat-dog world, it is a highly competitive world, where on occasion the measure of success is not profitability, but rather it is established access for a nation-state to be able to exploit the network, now or in the future.