Assessing the ‘War on Tech’: Huawei vs. U.S.

[I wrote this with Curtis Kang who did a lot of work researching various aspects of this article and provided invaluable help. His research and written contributions made this article possible. It was originally intended to be published on RiskBasedSecurity.com in early 2020 but was passed over so I am publishing it here.]

In 2019, we saw the steadily-growing social and policy conflicts between the United States and China reach a boiling point. China has been a major talking-point of President Trump’s platform since early in his campaign. However, it wasn’t until last year that we saw active policies enforcing a so-called “war on tech” between the U.S. and major Chinese companies like Huawei and ZTE, and those policies being “sidestepped”. We wanted to examine this from a data perspective, looking at the vulnerabilities in similar companies from both sides.

To set the stage, it is useful to briefly revisit the U.S. vs CN timeline.

The Trade War

Since taking office in January 2017, President Trump has had a specific interest in China, stating early on that the “U.S. will be on a level playing field”. This led to several rounds of tariffs being imposed against China starting in March 2018, and retaliatory tariffs being imposed against the U.S. Early in 2019, there was conjecture that President Trump might use an executive order to limit some U.S. companies, such as wireless carriers, from purchasing Chinese electronic devices. That executive order was signed on May 15, 2019, citing the National Emergencies Act (50 U.S.C. 1601 et seq.), and would limit or ban purchases of “technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”.

While the executive order did not list any country or company, it was widely accepted that it was a move against Huawei in particular. The order contained interesting language, saying that the banned technology or services “poses an undue risk of sabotage” and is “an unacceptable risk” to the United States, among other wording. Technology meeting those criteria would be determined by the Secretary of Commerce, in consultation with nine other bodies “and as appropriate, the heads of other executive departments and agencies”.

On May 20, 2019, the Commerce Department’s Bureau of Industry and Security (BIS) modified the final rule and granted a Temporary General License (TGL) until August 19, 2019 for transactions regarding, among other things, “Continued Operation of Existing Networks and Equipment” and “Cybersecurity Research and Vulnerability Disclosure.” On August 19, 2019, the BIS extended the TGL by 90 days, or until November 19, 2019. Outside the TGL, any request for a license to sell or transfer commodities, software or technology to Huawei is reviewed “under a policy of presumption of denial.” In other words, the BIS provides virtually no avenue for a continued commercial relationship with Huawei after November 19, 2019.

Months later, when asked if China would retaliate, Chinese foreign ministry spokesman Geng Shuang told reporters “stay tuned.” Two weeks after that, China announced tariffs on $75 billion of U.S. products. This was followed in December with China announcing a ban on foreign technology in “all government offices and public institutions” within three years. The ban also prevented companies such as Google, Dropbox, and Facebook from being used within China. With this, the United States and China were in a new type of technology war based on the premise that the adversarial nation was producing equipment that “poses an undue risk of catastrophic effects”.

The Fear of Backdoors

Computer equipment that poses a risk in the context above typically brings to mind software vulnerabilities: issues that, with the right knowledge, would allow one country to compromise assets in the adversary nation’s government, business, or infrastructure. Another common scenario raised by security professionals and intelligence officials is that of a backdoor: computer code planted by a party that allows them, and only them, covert remote access to the device. Some members of the U.S. intelligence community would prefer these Chinese products not be used in the technological infrastructure, saying it “would undercut the ability of the U.S. to defend itself.”

This fear, specifically of Huawei routers from China, has been front-and-center since 2011, and a growing concern even before that. In the past, the concerns largely stemmed from each nation compromising the other’s computer networks in government and business. More recently, with the race to implement a 5G network, security issues around that technology have been heavily scrutinized. This war of technology has reminded us of 2010, when Huawei published an open letter to the U.S. government attempting to allay fears and shift public perception after a decade of suspicion. The company went so far as to request a “thorough investigation” to prove that they are “a normal commercial institution and nothing more.” This prompted eight U.S. senators to urge the White House to examine Huawei contracts and the House Intelligence Committee to investigate and publish a report on both Huawei and ZTE.

Ultimately, that report was inconclusive and stated the following – “despite hours of interviews, extensive and repeated document requests, a review of open-source information, and an open hearing with witnesses from both companies, the Committee remains unsatisfied with the level of cooperation and candor provided by each company.” Even over six years later, in 2019, Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, officially stated that no one has found a backdoor in a Huawei product.

This is important to note, given the considerable scrutiny Huawei has received. In addition to their open letter in 2010, Huawei also disclosed their source code to a foreign government, something that no U.S. company has done. Despite the numerous information security companies attempting to find and potentially publish findings of an actual backdoor (including the NSA and specifically created testing centers in the UK), none have been confirmed. That the U.S. National Security Agency (NSA), with its significant budget and vested interest in determining whether a company like Huawei is shipping backdoored systems, has not disclosed one is compelling.

Ignoring Backdoors and Looking at the Data: Is a Ban Warranted?

Given that history and perspective on the growing tech war between the U.S. and China, we at Risk Based Security wanted to look at some concrete numbers around the vulnerabilities in the companies at the center of the issue.

While much of the focus on this topic has been on fear and the threat of backdoors planted by a vendor at the behest of their government, that is not necessarily where we want to direct attention. Using a backdoor, even if it is well-hidden, would likely bring unwanted attention by giving more positive attribution to those who compromised the machine. Nation-state level hackers would have their own ways into a wide variety of vendors and devices purely based on ‘natural’ vulnerabilities in the code. They simply do not need the access, and risk, a backdoor provides. Why provide hints to the enemy that you’ve “cracked the code” when you could hide behind an existing vulnerability?

Setting aside the possibility of backdoors, the question we’re interested in is this: does one of the government-used devices pose more of a risk due to its vulnerabilities? We have found, however, that the “war on tech” cannot be simplified into the classic “how many vulnerabilities are there in…” question, because unspoken bias drastically affects the perceived meaning of the numbers. While there is no way to do a perfect one-to-one comparison of U.S. versus Chinese vendors, there may be some that we can begin to compare, with disclaimers.

Phones: BlackBerry vs. Huawei / ZTE

For the general public, and based on much of the mainstream media reporting, Huawei is predominantly associated with its mobile phones. As more of our lives move to mobile, it is no surprise that those in power are concerned about the security of their phones and tablets. For the U.S. and Chinese governments, it is widely viewed that BlackBerry and Huawei / ZTE phones, respectively, are dominant. BlackBerry announced a five-year deal for its latest handheld and its AtHoc software with the federal government back in July 2016, specifically with the Department of Defense (DoD) Joint Emergency Mass Notification Systems (JEMNS). According to the press release, the DoD chose BlackBerry because of the “secure end-to-end mobility offering ... that [shows the] secure platform is designed to meet their priorities”.

Despite the contract, BlackBerry is not the most widely used phone in the U.S. government. The U.S. Senate officially “ditched” BlackBerry in 2016, but allows staff to continue using specific devices per an official memo. In fact, BlackBerry itself has stopped making its own handheld devices and has shifted to business software and other solutions like AtHoc, apparently used by 70% of federal employees including DoD, DHS, VA, DoE, DoA, PFPA, FEMA, IRS, and the TSA. For a majority of government employees, the most commonly used phones are now Apple and Samsung products.

With regard to China’s government, specific details about mobile phone adoption are not readily available. By simply looking at Huawei’s market share in China, one might safely assume that their devices are favored by some in the Chinese government. While it has long been rumored that Huawei has a very direct and complicated relationship with their government, which is supported by both Vietnamese academic and U.S. government research, Huawei says their relationship with the government is “no different” than any other company in China.

The U.S. government officially uses a mix of BlackBerry, Apple, and Samsung (Android), meaning that there are three major vendors and three major operating systems. For the Chinese government, apparently there is no officially sanctioned device, but it is very likely Huawei (formerly Android, but moving to Harmony OS / Hóngméng in 2020) and ZTE (Android) phones are heavily used. Looking at the last three calendar years, here is a comparison between the vendors to see how many vulnerabilities have been posted:

With these numbers it may seem like BlackBerry represents more risk. However, if BlackBerry shares the same vulnerabilities as any other Android device, and also discloses vulnerabilities in the applications it ships, that number can be higher. The same can be said for any other Android phone that ships with packaged vulnerable apps and components, so the 1,338 Android vulnerabilities are not a full representation for other devices (e.g. Samsung, Huawei, ZTE). We also have to remind readers that comparing open source software such as Android to closed source software such as BlackBerry OS and Apple’s can introduce bias in disclosure numbers. Another aspect to consider is that the number of devices in use may influence how many people are actually performing security research on them.

Ultimately, this means neither the U.S. nor China can justify banning devices based on phone vulnerability history alone. Trying to state that one vendor is more “vulnerable” than the other using currently available vulnerability data alone requires so many disclaimers that the end result loses its potency.

Routers & TelCom: Huawei vs. Cisco et al

The second major aspect of concerns over technology from one country being pervasive in another is that of access. Everyone from the carriers to end users expects the equipment to function seamlessly, giving us access to the internet and mobile service. That service is built on a complex infrastructure of telecommunications (telecoms) hardware and software produced by companies such as Huawei, Cisco, Fujitsu, Nokia, and Ericsson. The telecom hardware includes routers, base transceiver stations, fiber optical networks, satellites, and a lot more. As of 2017, Chinese companies produced the most telecom equipment in the world, about 14% more than the United States.

Looking at these vendors over the last four calendar years, we get another lesson in how significant bias is introduced into vulnerability statistics by disclosure practices. Cisco had 2,227 vulnerabilities in that time. Compared to Huawei with only 813, one might conclude that Cisco’s software is inherently riskier. But compare Cisco with the three other companies. Fujitsu enjoys 79% of the market share by revenue, yet only had 24 vulnerabilities in that time frame. Going off that logic, can we conclude that Fujitsu is the most secure?

Consider that of Fujitsu’s 24 vulnerabilities, only three are in their own products, and one of those is a keyboard. The other 21 vulnerabilities are in third-party software or hardware (e.g. Intel processors). Cisco, on the other hand, has an incredible number of vulnerabilities reported, but rarely publishes that it is affected by vulnerabilities in OpenSSL and Intel, for example, despite using those technologies in some of its devices.

Both Cisco and Fujitsu maintain contact pages for reporting security vulnerabilities, have a formal PSIRT team to respond to vulnerability reports, and publish security advisories. Despite this, they have public disclosure histories that are about as opposite as you can find in many ways. We know for a fact that both companies use hundreds of third-party libraries in their code, yet neither publishes when third-party vulnerabilities affect their software. Based on our extensive history of tracking vulnerabilities, we are quite certain that Fujitsu products have, or have had, more vulnerabilities than they have officially disclosed. Any notion that Fujitsu (24) is a one-off situation can be dismissed when looking at Nokia (11) and Ericsson (8) for the same period. That suggests Cisco and Huawei are the outliers.

We can apply this same scrutiny to Huawei, which has only 813 vulnerabilities despite its large market share and its considerable transparency when it comes to third-party vulnerabilities. In the world of vulnerability research, access to software and equipment is essential, of course. Some may argue that Huawei equipment isn’t readily available to many researchers, and that might be true for U.S.-based researchers. But the last decade has shown an incredible number of extremely talented security researchers in China, who would presumably have more access. If one were to argue that China is looking to restrict vulnerability disclosure, that certainly will be something to consider moving forward. However, that plan is still preliminary and has not been implemented.

Conclusion: Overkill

You need comprehensive, detailed, and actionable data in order to make informed decisions. Following this mantra, we are comfortable in assessing that with the currently available vulnerability data, a hard stance condemning either side is not possible. As much as we would like it to be, the comparison of vulnerabilities within vendors cannot be a panacea.

That being said, does this mean that both the U.S. and Chinese governments are banning each other’s products solely for political posturing, or is it actually an informed decision? As we can see, it may be easy to arrive at a conclusion when looking at the data. But as informed citizens we all need to be aware of the disclaimers and hidden perspectives that the data may not overtly reveal. The answer is not so simple as “well, this has more vulnerabilities than that”.

Without concrete evidence of backdoors in Huawei products, the concern is definitely valid, but a total ban is overkill and may have far-reaching unintended consequences. As the “war on tech” has raged on, both the U.S. and China have suffered casualties.

Cyberwar with China: Self-fulfilling Prophecy

[This was written by Sioda and myself and originally published on attrition.org.]

Voltaire once wrote, “If God didn’t exist, Man would have to invent Him.” It would seem that the popular press has taken this axiom and turned it on its ear. At the time of this writing, we are inundated with Chicken Little style warnings of an impending “cyberattack” by Chinese crackers. These cautionary tales may or may not be real, but they are real in their consequence.

A recent Wired News article warns the cyber-going public of an impending “week-long all-out crack attack on American websites and networks” by Chinese hackers during the first week of May. The logic? May 1st is “May Day” celebrated in China, May 4th is “Youth Day” in China (all those Chinese script kiddies will be feeling wholly patriotic) and May 7th is the anniversary of the US “accidental” bombing of the Chinese Embassy in Belgrade.

Holy fortune cookie, Batman! Could this be the end of the Internet in America??

No, not really. Just the collective dick-waving of a bunch of script-kidiots fueled by so-called journalists generating media hype – the former trying to feed their egos and the latter to feed their hit counts.

According to the Wired News article, the Chinese crackers are pissed off at the defacement of over three hundred Chinese Web sites by American and/or other allegedly pro-American groups, as well as the loss of a Chinese pilot in the recent spy plane incident.

Breakout of Chinese defaced web sites: http://attrition.org/mirror/attrition/cn.html

The Wired article refers to sites that the Chinese hacker claims were defaced in the name of China – but we could only find two defaced mirrors that may qualify. Note that we could not verify if these were done by Chinese hacker groups or by others looking to inflame the situation (thus generating media attention):

http://www.attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/
http://www.attrition.org/mirror/attrition/2001/04/28/www.feasibility.com/

Chinese hacker Jia En Zhu offers his explanation for the lack of defacement evidence in another Wired article.

According to Zhu, the United States government is not reporting attacks to “save their own face.”

Here’s a clue for the Chinese hackers: last we checked, the U.S. government does not maintain a defacement mirror. Attrition sure as hell doesn’t censor the defacements and we’ve mirrored plenty of US government and military defacements in our time.

However, we have a hard enough time verifying the defacements we are informed about without going out and actively looking for them. Of course, not every site that is defaced gets mirrored. Sometimes we miss some while we are busy having a life – and we won’t just take someone’s word for it that a site was defaced – we must either see them defaced for ourselves or have confirmation from a party we trust before we will mirror them.

Well, now that we have been notified about the impending Mayday defacement spree, we’ll be sure to stock up on the Kleenex and hand lotion. *yawn*

To us at Attrition, it’s just another week of mirror duty. However, we were rather amused at how easily Wired ran with this story and how little backing and substance it really contained. Do online news outlets have fact-checking? According to the Wired story, everyone has some “hacktivist” agenda.

It’s interesting to note that Chinese web sites were being defaced before the spy plane incident and with no political agenda. The hacker known as “Pr0phet” was on a rant about all the NT systems that were being defaced and was targeting Unix systems instead. Since most Chinese sites seem to run some version of Unix, they were a natural target. It was only after the media attention over the spy plane incident that Pr0phet included a political message.

Federal agencies are now issuing warnings about the impending attacks and generating headlines on CNN: http://www.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html

No doubt the media attention to a bunch of script-kidiots will result in an increase in web defacements over the next week or so. What’s really puzzling is the assumption that web defacements are solely motivated by a political event such as the spy plane incident. Why is a warning necessary? Just looking at the statistics of the increase in web defacements should tell anyone with half a brain that they should take measures to protect their site regardless of an advance warning. However, we sincerely hope that the warnings will result in web administrators taking an active interest in securing their sites so that we have less work to do. Hey – we can dream.

Analysis of Defacements and Timeline

Our commentary on the defacements was inspired by our observations of the following trends. As always, we encourage readers to view the complete mirror (as well as the mirrors of other sites, such as http://www.alldas.de and http://www.safemode.org), and draw your own conclusions. However, it is our opinion that web sites should always be prepared for attacks and that there are much more serious threats to IT infrastructures than simple web defacements.

Mar 30 – First poizonbox Chinese (.cn) defacement in 2001: http://attrition.org/mirror/attrition/2001/03/30/www.travelsichuan.gov.cn/

Apr 1 – U.S. spy plane lands after collision with Chinese jet: http://www.cnn.com/2001/US/04/01/us.china.plane.02/index.html

Apr 1 – US banking site anchorbank.com is defaced by Hackers Union of China/Li0n Crew with an anti-Japanese message. No mention of the spy plane or U.S.: http://attrition.org/mirror/attrition/2001/04/01/www.anchorbank.com/

Apr 10 – The American site iplexmarin is allegedly defaced by Chinese hackers. While we don’t doubt that Chinese hackers are capable of doing this, the English used seems a little too polished: http://attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/

Apr 11 – First Wired article “A Chinese Call to Hack U.S.” http://www.wired.com/news/politics/0,1283,42982,00.html

Apr 1 through Apr 13 – Poisonb0x has 10 defacement entries (some mass hacks) of random sites, including a senior citizen’s art group (that’s “hacktivism” for you): http://attrition.org/mirror/attrition/2001/04/13/www.seniorsignatures.com/

Apr 14 – First poizonb0x defacement of a Chinese site after spy plane incident. Used the standard poizonb0x template – no reference to the incident or indication that this was anything but a random defacement: http://attrition.org/mirror/attrition/2001/04/14/www.aviation407.com.cn/

Apr 14 through Apr 19 – Poisonbox targets many Chinese sites, but still uses standard template.

Apr 18 – Second Wired article “Crackers Expand Private War“, which refers to Chinese targeted defacements by Poisonbox and Pr0phet: http://www.wired.com/news/politics/0,1283,43134,00.html

Apr 19 – poizonb0x starts defacing Chinese sites with an anti-cn graphic: http://attrition.org/mirror/attrition/2001/04/19/www.metro.com.cn/mirror.html

Pr0phet

It should be noted that Pr0phet was targeting Chinese sites before the spy plane incident and that he did not seem to be looking for media attention. He got it anyway.

Mar 07 – First defacement of a Chinese site: http://attrition.org/mirror/attrition/2001/03/07/hbepc.com.cn/ (various random defacements of Chinese sites)

Mar 14 – Pr0phet defaces a Chinese site with a statement that he is targeting Chinese sites, apparently because they are not NT (which he seems to consider unchallenging): http://attrition.org/mirror/attrition/2001/03/14/www.jnws.gov.cn/

Apr 01 – Same day as spy plane collision, no CN/political reference: http://attrition.org/mirror/attrition/2001/04/01/www.bjzw.com.cn/

Apr 02 – Day after collision, no political statement. Instead, another commentary on NT defacements: http://attrition.org/mirror/attrition/2001/04/02/www.dragonpulse.com.cn/

Apr 11 – First Wired Article

Apr 11 – Pr0phet makes first political reference: http://attrition.org/mirror/attrition/2001/04/11/www.yancheng.cngb.com/

Apr 12 – Second political reference by Pr0phet: http://attrition.org/mirror/attrition/2001/04/12/dial.pku.edu.cn/

Apr 18 – Second Wired story that refers to Pr0phet’s defacements

Apr 19 – Pr0phet lashes out at media over reporting on him defacing Chinese sites. States that he *has* no political motivation: http://attrition.org/mirror/attrition/2001/04/19/www.shtdu.edu.cn/

Apr 19 – Pr0phet defaces another site with a statement in response to the media attention that he is not a political hactivist: http://attrition.org/mirror/attrition/2001/04/19/www.121.com.cn/

Apr 25 – Pr0phet returns to random cn defacing: http://attrition.org/mirror/attrition/2001/04/25/www.zd.brim.ac.cn/

Apr 28 – Pr0phet comments on the so-called “Cyberwar”: http://attrition.org/mirror/attrition/2001/04/28/www.yq.zj.cninfo.net/

Apr 28 – Interview with Pr0phet: http://www.securitynewsportal.com/article.php?sid=174&mode=thread&order=0

Apr 28 – Securitynewsportal posts a thread stating that “the FBI has turned up the heat to ‘hand the heads of PoisonBOx and Prophet over to the Chinese’ to try to quell the pending May 1st cyberwar.” They offer no substantiating proof for this claim: http://www.securitynewsportal.com/article.php?sid=169&mode=thread&order=0

Apr 29 – Pr0phet makes a statement in response to the story that the FBI wants to hand him and Poisonbox over to the Chinese to keep peace: http://attrition.org/mirror/attrition/2001/04/29/starinfo.online.tj.cn/

So looking at the timelines of both pr0phet and poisonb0x, it is fairly clear that neither had a real political agenda. There was a 10 day window between the spy plane incident and the first Wired article in which neither group made any political reference. It was only AFTER the Wired article(s) that the message began to take a political slant at all. This is a clear case of Wired taking a story with no substance and creating news out of nothing. A self-fulfilling prophecy.

More defacers jump on the media bandwagon:

Apr 10 – Hackweiser hits Chinese site with anti-Chinese rhetoric: http://attrition.org/mirror/attrition/2001/04/10/www.fjirsm.ac.cn/

Apr 25 – Hi-Tech Hate “we will hate china forever”: http://attrition.org/mirror/attrition/2001/04/25/www.nuclear.cetin.net.cn/

Apr 26 – acidklown (who hasn’t defaced since Oct 2000):
http://attrition.org/mirror/attrition/2001/04/26/www.sheyang.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.grain.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.juxian.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.fn.gov.cn/

Apr 26 – Always on the ball, the NIPC releases an advisory warning of impending web site defacements: http://www.nipc.gov/warnings/advisories/2001/01-009.htm

Apr 26 – Hackweiser hits Chinese site and spews out more anti-Chinese crap: http://attrition.org/mirror/attrition/2001/04/27/www.stats.gov.cn/

Apr 27 – WoH states that they are just hitting Chinese sites because Pr0phet wants them to and it’s something to do: http://attrition.org/mirror/attrition/2001/04/27/www.xxinfo.ha.cn/

Apr 27 – HUC and Li0n Crew are Chinese hacker groups that authored the Li0n Worm (which emails sensitive data to a site in China). See the analysis of the Li0n worm for more background detail and motivations: http://whitehats.com/library/worms/lion/index.html

Apr 27 – HUC defacement of a Brazilian site, not US. No political statement. http://attrition.org/mirror/attrition/2001/04/27/www.logika.com.br/

Apr 28 – SilverOnFire defaces U.S. Court of Appeals site with a statement that they are siding with China: http://attrition.org/mirror/attrition/2001/04/28/www.8thcoa.courts.state.tx.us/

Apr 29 – Hacker Union of China changes their political target to U.S. Guess there’s more press in that: http://attrition.org/mirror/attrition/2001/04/28/www.mcicenter.com/

Apr 29 – Hackweiser also makes a statement: http://attrition.org/mirror/attrition/2001/04/29/www.hnet.net.cn/

Apr 29 – WoH defaces a Chinese site. No political message: http://attrition.org/mirror/attrition/2001/04/29/www.hanzhong.sn.cn/

Apr 29 – Chinese group ‘redcrack’ hits a Mil, Gov and Com:
http://attrition.org/mirror/attrition/2001/04/29/www.capweb.net/
http://attrition.org/mirror/attrition/2001/04/29/www.n3.nctsw.navy.mil/
http://attrition.org/mirror/attrition/2001/04/29/webinfo.od.nih.gov/

As with any high-profile incident involving hacking or “cyber warfare”, security companies and some law enforcement bodies (NIPC) will no doubt scramble to pimp their latest and greatest ‘original’ solutions for protecting your site. Falling into the old routine of reactionary security, they will hypocritically proclaim their products or services would solve these problems if they had been utilized before the damage was done, blah blah blah.

In the next week, things will get worse before they get better. Defacers will keep hitting sites for one reason or another. In some rare cases, they might actually have an agenda above and beyond the thrill of petty vandalism. We’re not holding our breath for anything so profound though. Next week’s defacements will be the next chapter in this over-hyped ‘Ginger-esque’ book.