The Huawei Policy Trojan

Imagine standing in front of a barn with no doors, watching all the horses casually wander outside into the field. Just then, the barn owner walks over to you, and points to some loose boards on the side of his barn. “I’m worried about those loose sideboards,” he says. “Someone could pull them back and steal my horses.”

This story sums up how I feel about the risk of Trojan horse code in Huawei products. Yes, Chinese government-sponsored insertions are likely to have been embedded into the software. It is an issue. But pointing to this as our main cyber security problem is like worrying about loose boards on the side of a barn with no doors.

Let me explain: Software engineers have long known that it is trivial to hide secret code into software. A famous Bell Labs scientist first explained this hidden insertion process in a seminal 1984 paper. Security experts must now routinely assume that procured software from all sources and vendors will probably include Trojan horse code.

Consider Microsoft – one of the finest, and best run technology companies in the world. Two decades ago, they were caught having put Trojans into Word and Excel. Like the reflection of Santa versus Satan, these Trojans were called Easter Eggs because they were purported to have been inserted quietly for fun. But they were still Trojans.

Look – under no circumstances, however benign, should this practice be considered acceptable. It is a sad regret for software security experts that the creation of correct code with reasonable assurance of high integrity remains an elusive goal. Such lacking is one of the reasons the term software engineering might be considered an oxymoron.

In the popular press, including yesterday’s public announcement by the UK that they will steer clear of Huawei, there is general belief in the following cyber threat: That Huawei insertions will introduce means for China to eavesdrop on global network traffic, steal intellectual property, and cause major denial of service events.

Now – anyone who has not been in a cave for the past twelve years knows that these activities are being performed consistently by nation-states such as China with impunity. Following the cadence of the so-called advanced persistent threat (APT), military actors are shoveling data from our enterprise barns every day – because we basically have no doors.

They do it like this: Access is made to some insider's PC through a phish. Malware then infects that system and traverses the enterprise to gain privilege and find juicy things to steal. After laying low sufficiently (the P in APT stands for persistence), the malware tosses the stolen payload out to a hacked repository on the Internet. Game over.

Researchers at Cybereason detected just such an attack last year for several telecom carriers located outside the United States. It is worth emphasizing that the result of this campaign involved valuable call-detail information being stolen. This is the logical equivalent of a wiretap, and it required no secret embedded Trojans. In my view – this is profound.

My advice to global leaders is the following: If you choose to keep buyers away from Huawei, then so be it. But recognize that you are fixing the sideboards on a barn with no doors. Until you recognize the need for massive improvements in enterprise and government cyber defenses, you are doing nothing more than creating your own sort of Policy Trojan.

It’s time for the learned citizens of every country, especially in the United States, to begin demanding greater defensive insight and technical competence from our leaders in the area of cyber security. Luddites should be promptly voted out, and replaced with someone, anyone, who can bring some more informed sanity to national cyber policies.