Snowden is the gift that keeps on giving — to the Chinese government.
The latest revelation has it that the NSA compromised Huawei, the world’s largest telecommunications and networking equipment maker. The agency had two objectives, according to The New York Times: first operation “Shotgiant” attempted to find links between Huawei and the People’s Liberation Army, according to a 2010 document. The NSA was concerned, not without justification, that “Huawei’s widespread infrastructure will provide the PRC with SIGINT capabilities.” The second objective is more creative: the NSA compromised Huawei because, as one document said, “many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products.”
How successful was the NSA in both respects?
Regarding the first, we don’t know for sure, but it seems unsuccessful. Shotgiant was remarkably high-profile: it involved the White House intelligence coordinator as well as the FBI. The operation started already in 2007. But a 2012 House Intelligence Committee report on Huawei and ZTE, another Chinese company, found no evidence confirming the suspicions links to the PLA (or at least it didn’t make anything public).
How about the second goal, exploiting Huawei themselves? We also don’t know. The New York Times and Der Spiegel articles so far aren’t very precise on the technical details (there’s more to come, says Der Spiegel). It appears the NSA got access to the source code of individual products. But it is unclear what kind of products. It is also unclear if the products were actually compromised for exfiltration to the NSA without Huawei noticing this (this isn’t trivial from an engineering perspective). And it is unclear if the NSA actually exploited targets this way.
But we do know something. Four points leap out at me:
First, there is now more publicly available evidence that the NSA exploited Huawei than there is public evidence that shows the PLA or other Chinese agencies did so. That is remarkable.
Second: if the US government has evidence that they didn’t publish in the 2012 report, they should do so now. If they don’t publish evidence, then Huawei’s case, that its products are not compromised by the Chinese government, will gain credibility. Huawei’s argument that they are clean always made complete sense from a business perspective. Their incentive to offer trustworthy products is the same as, say, Google’s incentive to offer trustworthy products to all its customers. (But then there is, of course, the possibility that the Chinese government has compromised Huawei without their acquiescence, sounds familiar?)
Third: if Huawei so far resisted pressure from the Chinese government to be exploited for intelligence collection, then it will become a good deal harder to continue to resist that pressure in the future. Because now the PLA has a great new trump card up its sleeve: if their modified code would ever get caught, say by the UK cell that evaluates Huawei products, they could simply say, “Well, that was the NSA, didn’t you read about that in The New York Times?” If that argument makes technical sense is difficult to say on the basis of what we know — but that rarely stopped people in the past.
And finally: many users seem to trust companies and equipment makers based on their national background. Think Schengen-routing or Norwegian email providers. That argument never made much sense. If the US can exploit Chinese products, why should Russia not be able to compromise German products? The idea that a re-nationalisation of products, services, and networks would increase security is simply laughable.
What matters is the quality of products, the quality of encryption, users’ security setups, and whether you live in an open democracy or not.