CHINA-FILE: The History of Cyber-SCRM
Huawei…Again….
The history of Cybersecurity-Supply Chain Risk Management (Cy-SCRM)[1] can be traced to the year 2012. Shortly after the Chinese company Lenovo purchased International Business Machines’ (IBM) personal computing division, the use or purchase of Lenovo personal computers (PCs) was banned “…due to backdoor vulnerabilities” (Infosec Institute, 2013). Several Western nations, including the US, initiated a discreet ban against the Chinese firm Lenovo. While there were no specific unclassified details of any corruption of the supply chain by malicious code, it was during this time that industry and the Congress of the United States recognized the far-reaching damage China could do to the global supply chain.
Also, in 2012, the House Permanent Select Committee on Intelligence had major concerns about the threats facing telecommunications hardware devices and software developments from China. This included the possibility of electronic “eavesdropping” within the confines of US business and agency IT environments. Specific to its investigation of the operating practices of the Chinese IT company Huawei (pronounced “Wah-way”) Technologies Company, the committee reported that: “The threat posed [by Huawei/China] to U.S. national-security interests… in the telecommunications supply chain is an increasing priority…” (US House of Representatives, 2012, p.1). The concerns about Huawei became even more heightened under the Trump Administration in 2018 and 2019. The fears continue to manifest as China pursues becoming an international economic superpower and a potential threat to the supply chain.
In February 2015, the Director of National Intelligence (DNI) identified that a major risk facing the United States (US) within the “Cyber” domain was the potential insertion of malicious code into IT hardware and software items sold to the US. The DNI, James R. Clapper, stated the following: “despite ever-improving network defenses, the diverse possibilities for…supply chain operations to insert compromised hardware or software…will hold nearly all [Information and Communication Technology] systems at risk for years to come” (DNI, 2015, p.1). It was most likely at this time that the Intelligence Community (IC) was compelled to share its concerns about a growing threat, a threat that may have been of particular concern within its own IT environments.
Specifically, Huawei represents a pervasive threat to the international IT supply chain. Huawei has both the means and the motive to compromise IT equipment and systems on behalf of the Chinese government. “…Huawei has refused to explain its relationship with the Chinese government or the role of the Communist Party…inside the company…” (Simonite, 2012). It may be assumed, based on multiple Huawei senior leaders having close ties with the People’s Liberation Army (PLA), that Huawei has an explicit connection with the Chinese government and its strategic objectives.
[1] While the more accurate term is Cybersecurity-SCRM (Cy-SCRM), for the purposes of this edition we will stay with the more expansive term. Expect this term to change within the next year to more accurately describe this aspect of cybersecurity protection measures and controls.
The Threat
The major motivation for Huawei, as a surrogate for the Chinese government, is to support its 100 Year Plan as described by Michael Pillsbury in his book The Hundred Year Marathon (2016). Huawei is implicitly aligned with this plan, under which “State-owned enterprises are instructed to acquire assets perceived as valuable by Beijing” (Scissors, 2013). It continues a wide range of acquisitions, including mergers with American and other Western IT companies, to the grave concern of the federal government and the US IC.
Furthermore, the PLA’s Unit 61398 has been extensively analyzed by government and private cybersecurity firms over the past decade. In 2013, Mandiant released an exhaustive and authoritative report based upon deep analysis of code and techniques specific to Unit 61398. The most conclusive statement made was that the “…Communist Party of China is tasking the Chinese People’s Liberation Army [Unit 61398 and others] to commit systematic cyber-espionage and data theft…” (Mandiant, 2013, p. 7). It further suggests that some of that training, equipment and expertise is provided by Huawei directly to the PLA.
The Far Eastern Economic Review reported “…Huawei received a key contract to supply the PLA’s first national telecommunications network” (Ahrens, 2013). These ties point to connections with the Chinese government and the PLA. There is little doubt that China continues aggressive cyber-activities in support of its intentions to increase its economic standing in the world and intrude into the global economic marketplace.
China has demonstrated no desire to quash cyber-espionage activities from within its borders. It is suggested that many Chinese cyber-activities are supported and controlled under the auspices of the Chinese government. The most lucrative target for China, and more specifically Huawei, is the US. Huawei will continue to focus its vast resources against US economic and business entities for the foreseeable future.
Additionally, Huawei has multiple cyber-relevant capabilities, including hardware and software development, IT manufacturing, and in-house technical expertise. However, the major capability afforded Huawei is its direct backing by the Chinese government. As a mercantile state, the Chinese Communist government has no reason to stop its pursuit of international intellectual property in support of its 100 Year Marathon, as described in greater detail by Pillsbury (2016). Further, in terms of government contracts and resources, Huawei has powerful direct support from Beijing.
China’s intelligence apparatus is vast and vibrant. Huawei’s use of the Internet as a surreptitious mechanism to hide its activities is a further threat to the world’s IT architecture. By leveraging its own infrastructure, in conjunction with the Chinese state, it has near limitless capabilities to disrupt the US and its allies via the Internet; the fears of cyber-espionage are only a small portion of the threat posed by China in the 21st Century.
According to Lachow, Huawei, as a complex agent, would require “…a team of individuals (or perhaps multiple teams) with expertise in a number of technical areas…” (Lachow, 2008, p. 444) to exploit the supply chain as well as meet its cyber-espionage collection objectives. Huawei, in coordination with the PLA (or vice versa), has access to formidable resources: “[t]he PLA is reaching out across a wide swath of [the] Chinese civilian sector to meet the intensive requirements necessary to support its burgeoning [Information Warfare] capabilities, incorporating people with specialized skills from commercial industry…” (Krekel, 2009, p. 7).
Huawei should be expected to continue its use of the Internet for passive cyber-espionage collection activities; however, it has the potential to engage in more active operations. This could include establishing Command and Control (C2) nodes within the IT hardware and software it sells internationally. Such “infections” pose the greatest risk to the international marketplace. With such access, China continues to represent a formidable offensive threat.
Vulnerabilities
Huawei has a huge target set to pursue. With its growth throughout the global IT marketplace, any nation requiring IT products offers a target-rich environment for Huawei to exploit. Targets available to Huawei are wide-ranging and span all of the developed and industrial nations that conduct regular business with China, Huawei, and other Chinese companies.
All countries are potentially exploitable, especially in terms of their reliance on the capabilities and vital nature of the Internet. The need for computer hardware and software by developed nations affords a consistent and regular vulnerability. It is also suggested that Huawei personnel have the requisite knowledge and ability to exploit all levels of its manufactured products (and those of its competitors); this capability provides a direct ability to align with Beijing’s motivation to become the predominant economic powerhouse of the world.
For example, in terms of cyber-espionage, the Washington Post identified in a 2014 article the magnitude of China’s intrusions at the time. The cost was calculated at more than $445 Billion annually “…to the world economy” (Nakashima & Peterson, 2014). If the allegations against Huawei are true, the potential economic loss to the world could be far greater if Huawei is afforded even greater capacity to process the volumes of exfiltrated data. The implication would be damage to the global economy in the trillions of dollars annually in stolen intellectual property and data.
The most severe and exploitative consequence would be that Huawei could have the ability to leverage injected malicious code in its products to eavesdrop on the communications of every device on the Internet. This could also imply the ability to shut down portions of, or the entire, Internet because of its control of foundational backbone hardware devices such as routers, switches, and firewalls. While the ongoing cyber-espionage economic losses to countries are serious, China has the potential to inflict massive offensive harm against countries or groups with which it may be in conflict in the future, including the US.
Huawei is a complex threat. Lachow reserves this label for highly coordinated and effective state actors with nearly unlimited resources. Huawei is such a threat, with the requisite skill sets of a very diverse and technologically capable adversary. With the presumptive backing of the Chinese government, and its resources, Huawei continues to be a major threat to US and international governments and their respective economies.
While there is no conclusive or even public evidence that Huawei has injected malicious code into any of its products, the risk is formidable. Michael Maloof, a former senior security policy analyst in the Office of the Secretary of Defense, attributes to sources the claim that “[t]he Chinese government reportedly has ‘pervasive access’ to some 80 percent of the world’s communications, thanks to backdoors it has ordered to be installed in devices made by Huawei” (Protalinski, 2012).
Jim Lewis, at the Center for Strategic and International Studies, provided an ominous point of view on working with Chinese businesses: “The Chinese will tell you that stealing technology and business secrets [are] a way of building their economy, and that this is important for national security” (Metz, 2013). The US’s national security, its economic viability, and its critical infrastructure are directly threatened by Huawei.
Even at the time of the printing of this book, China, and Huawei specifically, are identified as key threats. The history of SCRM continues to unfold, with many legislators and cybersecurity professionals seeking to identify the means to blunt China (as well as other nefarious nation-states) from harming or compromising the equipment and data that many of us take for granted. This book provides a 21st Century framework to reasonably and practically implement solutions that mitigate and stop the “bad guys in their tracks.”
References
Ahrens, N. (2013, February). China’s Competitiveness: Myth, Reality and Lessons for the United States and Japan. Retrieved from Center for Strategic and International Studies: http://csis.org/files/publication/130215_competitiveness_Huawei_casestudy_Web.pdf
Barboza, D. (2010, August 22). Scrutiny for Chinese Telecom Bid. Retrieved from New York Times: http://www.nytimes.com/2010/08/23/business/global/23telecom.html?_r=0
DNI. (2015, February 26). Statement of Record: Worldwide Threat Assessment. Retrieved from http://www.armed-services.senate.gov/imo/media/doc/Stewart_02-26-15.pdf
Infosec Institute. (2013, October 11). Hardware attacks, backdoors and electronic component qualification. Retrieved from Infosec Institute: http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
Krekel, B. (2009, October 9). Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation. Retrieved from George Washington University: http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-030.pdf
Lachow, I. (2008). Cyber Terrorism: Menace or Myth. Cyber Power, 19-20.
Mandiant. (2013, February 18). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved from Mandiant: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Metz, C. (2013, December 31). U.S. to China: We Hacked Your Internet Gear We Told You Not to Hack. Retrieved from Wired: http://www.wired.com/2013/12/nsa-cisco-huawei-china/
Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from Washington Post: http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
Pillsbury, M. (2015). The hundred-year marathon: China’s secret strategy to replace America as the global superpower. Henry Holt and Company.
Protalinski, E. (2012, July 14). Former Pentagon analyst: China has backdoors to 80% of telecoms. Retrieved from ZDNet: http://www.zdnet.com/article/former-pentagon-analyst-china-has-backdoors-to-80-of-telecoms/
Scissors, D. P. (2013, May 9). Chinese Investment in the U.S.: Facts and Motives. Retrieved from Heritage Society: http://www.heritage.org/research/testimony/2013/05/chinese-investment-in-the-us-facts-and-motives
Simonite, T. (2012, October 9). Why the United States Is So Afraid of Huawei. Retrieved from MIT Technology Review: http://www.technologyreview.com/news/429542/why-the-united-states-is-so-afraid-of-huawei/
US House of Representatives. (2012, October 8). Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE. Retrieved from https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20(FINAL).pdf
Twenty-two years of military service. Support for Government, Department of Defense (DOD) and Intelligence Community (IC) as a contractor: Information Systems Security Manager, Information Systems Security Officer, Security Certification Assessor, and Security Analyst. Provided cybersecurity experience with the following frameworks and guidance documents: DCID 6/3, ICD 503, and the Risk Management Framework (RMF). Contractor with: The Analytical Science Corporation (TASC), Systems High Corporation (SHC), and Mantech International Corporation in Chantilly, VA.