
What, if anything, should we be doing about Huawei?

There is a kerfuffle here in the UK over 5G. I can’t in all honesty say that I have the slightest idea what 5G is but I surmise that it is one better than 4G. The issue is around whether the Chinese company, Huawei, should be allowed to supply some of the equipment. Lots of people, including James Delingpole, say, “no”. And very few people say, “yes”.

The first question that springs to (my) mind is, what has this got to do with the government? Which I suppose is bound up with the question of what is the threat? Assuming that there is a threat and that government should be “doing something about it”, what is that something?

About the only thing I know about China and telephony is that you should never take your phone to China.

Oh, and one other thing. Guido Fawkes observed that the real scandal is that Chinese technology should prove to be better than western technology. Is this true and is it a portent?

41 comments to What, if anything, should we be doing about Huawei?

  • bobby b

    “I can’t in all honesty say that I have the slightest idea what 5G is but I surmise that it is one better than 4G. The issue is around whether the Chinese company, Huawei, should be allowed to supply some of the equipment.”

    Just imagine buying all of your military squad radios from Germany in 1944.

  • Patrick Crozier

    Well, so long as they work and you get them for a reasonable price…

  • bobby b

    Until the morning of D-Day, when someone in Germany presses a button and they all stop working simultaneously . . .

  • Schrödinger's Hippo

    I gather that the main worry is surrounding the Critical National Infrastructure, or ‘core’ parts of communications networks such as sensitive military or nuclear sites. The government is putting a restriction on the amount of a network that Huawei can own: 35 per cent.

    First of all, one should check the National Cyber Security Centre (NCSC) and how the decision was reached to permit Huawei to provide services to the UK. The worries around Huawei come from its Chinese origin – particularly its potential connections to the country’s government. It’s been suggested that the ruling Communist Party could pressure Huawei into installing backdoors into its products that would allow it to spy on traffic that’s passing through its networks under laws introduced in 2017.

  • Nullius in Verba

    There’s an internet rumour going round that this is all to do with PRISM and the NSA and Ed Snowden. The story is, Ed Snowden revealed to the world that the American NSA was spying on everyone, embedding spyware in everyone’s routers and mobile phones, and that they had targeted exports to China in particular. China responded by blacklisting imported American tech, losing those American companies millions, and thereby making them less willing to cooperate with the NSA. So America responded with a ‘trade war’ tactic, getting all their friends to blacklist Chinese tech. This pressures China into giving in and importing the spyware-laden American tech, and also gets everyone else buying more spyware-laden expensive American tech as well, which is good for both the American tech industry and the NSA spooks. And that’s why it’s caused diplomatic tension with America when the UK decided to buy cheap Huawei tech for 5G after all, for anyone wondering why they’d care.

    Of course, I can neither confirm nor deny any matters of operational security without the Secretary’s approval. 🙂

  • Quentin

    The Chinese are out to get any and all technology, defence, and commercial information. Just like the Americans. Except they can throw far more people at it.

  • bobby b

    I doubt anyone denies that all sides do what they can to spy on everyone everywhere.

    I just think the world ends up a better place if my side wins this one.

  • Julie near Chicago

    Agreed, bobby.

  • Agammamon

    In no particular order.

    5G is the next bit of wireless phone tech.

    It’s great – if you live in a dense city with no obstructions. Which no one does. Because the shorter wavelength can allow faster data transfers, tighter beams (lower power usage), oh, and is LoS only. So walls block it. And air absorbs it. So you need a denser network of repeaters to make it work.

    Huawei is a problem because Chinese companies not only are not in a position to tell the Chinese government no when it comes to ‘install a backdoor’ or ‘spy on these people for us’ (not like western companies *will* tell their governments no even if they can), but the Chinese government is also as surveillance happy as any in existence.

    It’s not that their tech is better – no one who isn’t competing for 5G contracts cares – it’s that there are far more likely to be exploitable security holes deliberately placed in this stuff.

    But, again, it’s not like American companies aren’t perfectly willing to sell all the data they collect to the US government agencies at all levels – Amazon’s Ring, for example.

    So I think it boils down to which government do you trust least with your secrets, your own or the Chinese government.

  • Itellyounothing

    Huawei already got caught doing naughtiness in Italy.

  • Marius

    All Chinese companies are required to cooperate with the government on data and intelligence. However, due to the murky ownership structure and background of its founder, it is likely that Huawei is actually controlled by the state, possibly the PLA.

    As a Brit, I don’t trust either the US government or the Chinese. The Donald seems to quite like us, but his predecessor clearly didn’t and wouldn’t have hesitated to leg us over. Plus, maintaining the welfare of the UK is not in the POTUS’s job description. Having said all that, the US is not ruled by an organisation which has – within living memory – slaughtered tens of millions of its own citizens, so I’d broadly rather be spied on by the Yanks.

    It seems that Boris has taken a gamble, that excluding Huawei from the most sensitive bits of the network will be protection enough. The pay-off for this gamble is that the UK can get 5Ged quickly* and benefit economically, hopefully squeezing Huawei out with other providers in the future. I hope he’s right. We should also remember that the Saudis – not the world’s leading tech nation – managed to hack Jeff Bezos via WhatsApp, so the security risks to any individual and nation are widespread. It is still probably easier to bribe and extort your way to the information you need than spend $1bn on putting special widgets in your 5G rig.

    In an ideal world, Britain would have a thriving telecoms industry and be developing its own 5G system, like South Korea, Australia or Japan.

    So, first disappointment from Boris. I expect to be disappointed by HS2 soon.

    *I’m still not clear why only Huawei can provide this.

  • Michael Taylor

    5G is not something that should be welcomed at all, regardless of supplier or cost. At one end of the spectrum, it is the infrastructure for mass observation and raids on the ‘attention economy’ on a vaster and more minute scale than hitherto imaginable. At the other end of the spectrum, that necessary infrastructure is possible only in (very) densely populated areas (ie, major cities). As a result, it implements an absolutely unbridgeable ‘digital divide’ between major cities and the rest of the country.

    It is not by accident that the technology is being championed by China.

  • Mr Ed

    Let it be engraved when the time comes, on Mr Johnson’s tombstone:

    “I did it Huawei”.

  • bobby b

    “As a result, it implements an absolutely unbridgeable ‘digital divide’ between major cities and the rest of the country.”

    This. I’ve been exploring methods of data streaming in remote areas. (Cellular data delivery is the easiest and cheapest way to deliver the internet to people too spread out to justify cabling.) It’s widely acknowledged that 5G is going to be a major impediment to this process. Fortunately, enough carriers have invested enough money in 4G, and even 3G, networks so that these networks will remain viable for some time.

    But investment in network technology improvements is going to flow to the higher-resolution 5G, as the densest use and highest profits are going to come from that system. So, this urban/rural divide is indeed going to be a problem for the rural side, whose phone, IoT, and even auto tech are going to stagnate as city-dwellers’ tech blossoms in capabilities. In a few years, a data-streaming city car likely won’t work well in non-5G areas.

  • Tim the Coder

    The whole saga reeks of protectionism, bigotry and worse.
    “Britain” does not have a 5G network, nor indeed 2G, 3G, nor 4G mobile networks. What is there are networks built and paid for by private sector companies hoping to earn a profit from selling the connectivity to the consumers (inc businesses). Those companies need to invest billions, so quite reasonably try to choose good equipment at sensible prices.

    To have the state interfering, and telling private sector companies what equipment they are allowed to buy…isn’t there a word for that sort of politico-economic system?
    Tip of my tongue….generally agreed to be evil though the uniforms are to die for.
    Indeed, isn’t this exactly the sort of state interference that causes us to object to Chinese involvement ‘cos it’s wot they do?

    I have no skin in this game, and this isn’t a Huawei advert. But their kit is often well featured and well priced. Even if they don’t win a bid, their mere existence in the market keeps the other vendors honest. Removing them from contention, by Fascist Fuckwit Fiat, would cause a huge increase in costs paid by the private sector companies.
    We still have the rule of law (just), so any Government intervention would almost certainly cause legal action for restitution. Do we really want to see tax subsidies of £5bn-£10bn paid to the likes of Orange, O2 and Vodafone in compensation?

    Ah, but they make a man-in-the-middle attack possible, because Huawei kit is made in China by Chinese workers subject to the interference of the Chinese state.
    Indeed. And if they did, they would intercept the data. But anyone sending sensitive data en clair over a public network needs their head examined, their bank accounts emptied and unspeakable things happening in prison. Official Secrets Act, GDPR, etc, all make the use of strong E2E encryption mandatory. So the man-in-the-middle attack merely intercepts a stream of random binary digits. Useless noise.
    No, if you wish to get this data, you need to compromise the end point. Attack it before it gets E2E encrypted. Common endpoint? The Apple iPhone of course. Made in China by Chinese workers subject to the interference of the Chinese state. Ah. Do we then ban iPhones?

    Ah…but what about a secret kill switch, to cause the whole network to stop working on demand? Indeed. But you can do that just as well from an endpoint as you can from the middle. Just get some of the endpoints to ‘scream’ and you have a DDoS. See iPhone. Actually, Apple need no help from Chinese state security to do this, having already done so several times….by bungle of course. But in this business we reverse the statement, and never assume incompetence when we fear malice.

    OK, how to address this threat? How about detailed source code inspection and rebuilding of binaries, to allow a team of tame hackers to find any hidden trapdoors? For Huawei, we are doing that. Find any? No. And in iPhones (etc)? Who knows? Not looking. Can’t see it, doesn’t exist, so that’s alright then.

    But, but, but, why not buy non-China, from a good ol’ USA company like Dell perhaps?
    Dell, whose server motherboards are made in China by Chinese workers subject to the interference of the Chinese state. A year or so ago, there was a scare about secret chips embedded inside Dell motherboard PCBs doing who knows what. Dell said they weren’t in their design. Chinese snooping? USA snooping? Who knows. It doesn’t matter if the story was false, the possibility of interference is there.

    So buy European?
    I am aware of a major core infrastructure replacement being supplied to a major UK telco from Ericsson. A question came up that needed discussion with the Ericsson software team. Yep, got it in one. The Ericsson software is written in China by Chinese workers subject to the interference of the Chinese state.
    This kit is “Made in China” with “China” crossed out and “Sweden” written over in crayon.
    Any trapdoors in it? Who knows….not looking. It’s Swedish, so no need to inspect the source code as per Huawei!!!!

    The only way to avoid the threat is total self-sufficiency, which is a well known recipe for economic success, just look at its best example North Korea…oh.

    If it’s only the threat from China that concerns you, and USA, EU and others are deemed OK, then you need to cut them out of the ENTIRE supply chain, from chips through to PCB through servers to equipment. I rather think that’s impossible nowadays.
    The same goes if you want to exclude China because of the way they treat (some of) their people. Valid point. But see above….is exclusion even possible now? If so, it’s a major refocus of the entire western technology supply chain, not a tweak of a mobile vendor selection.

    One other point in the latest IET mag: all 3GPP standards include IPR (patents etc) that are required to be licensed on reasonable terms for inclusion in the standards. Many such patents are owned by Huawei. So if you unilaterally breach these terms by a state-ordered cartel of buyers strike, then Huawei would be entitled to cease their licence terms. 4G and 5G equipment then become unsaleable without risking legal action. Enough to keep patent attorneys in luxury yachts for a generation.

    And the point of 5G?
    It’s a marketing scheme. It does the same as 4G, but adds more (millimetre) spectrum for high density urban areas. You might get some more bandwidth, if you can think of any valid use for it in a mobile unit.
    Most of the other claims are nonsense: it doesn’t triple the speed of light for example, so latency is still controlled by geography. A pipe remains a pipe.

    The whole Huawei thing is far more a political/economic struggle than a specific technical threat, because as we see, that threat applies regardless of vendor. Treat it as a dawning realisation in the Muppets That Rule Us that having an entire economy based upon one foreign nation is Not Really A Good Idea.

  • Fred Z

    Tim the Coder has it.

  • Tim the Coder makes a great many excellent points at January 30, 2020 at 10:03 am. I would like to make a small number of additions, some supportive and some less so.

    Firstly and more generally, the problem of (lack of) trust is really one that arises from globalisation rather than being just a problem with China.

    Secondly, the problem of (lack of) trust is really one that worsens with the increasingly widespread use of high-tech. And this is not just higher and higher tech, but the all-consuming nature of highly integrated systems: systems that the world (especially the first world) are less and less able to do without. A particular (well-established) example of this is GPS and other navigation systems combined with maps on mobile phones. Another is the easy and widespread availability of fast travel, up to intercontinental. Remember though the collapse of critical USA air transport infrastructure on 11 Sept 2001; also the collapse of London’s mobile phone infrastructure on 7 July 2005. That these collapses happened through government choice and/or system overload does not mean that there was no collapse – and no widespread economic and associated problems.

    Thirdly, here on Tim the Coder’s points, the existence of end-to-end encryption is very important; however it does not protect against espionage through traffic analysis. In addition, control of crypto-key generation can be used to introduce systematic weaknesses – thereby assisting in back-door access at specific levels for traffic analysis etc.

    Fourthly, Tim the Coder mentions the “kill switch” risk. This he perhaps dismisses too readily – through the valid criticism of other widespread use of component software originating in China (or elsewhere globally, potentially also with adverse motivation). This excludes considerations of the level of infrastructure that would be “killed” – and so the strength of motivation (and lack of likely effectiveness at lower levels) of the potentially hostile software source.

    Fifthly, we have past examples of problems arising from much more emphasis on providing (whizzy) functionality than on compromise of system security. A worldwide and dominant software supplier decided it was good to provide, for many years, automatic execution (for email attachments) of arbitrary program code (BASIC springs especially to mind) and macros in word processor documents etc. Just what were they thinking?!!

    Best regards

  • Tim the Coder

    Nigel: I certainly don’t dismiss the ‘kill switch’ threat, far from it. I’ve spent a significant part of my professional life defending against such things.
    The interception, traffic analysis and disabling threats are all very real.
    …tell me when device X (used by Mr Target) is moving past prepared position 3…and so on.

    My point is that the entire technology chain is a weak spot, regardless of the vendor nameplate or “Made in XYZ” sticker. Arguing about Huawei basestations is really just a distraction.
    You either need to establish trust with PRC or you need to overhaul the entire Western technology supply chain to exclude them. There is no middle path.

    And to add another example to your excellent email example…..all 4G networks are critically dependent on timing information, delivered using embedded GPS modules in each site.
    If someone disabled or jammed GPS…

    NB Hopefully this comment will appear immediately!: alas my previous one got held in moderation (my bad, didn’t * an expletive) so I lost the chance to correct my mis-typing…I type like I code 🙂

  • Tim the Coder writes:

    My point is that the entire technology chain is a weak spot, regardless of the vendor nameplate or “Made in XYZ” sticker.

    Agreed.

    And he writes:

    Arguing about Huawei basestations is really just a distraction.

    That’s certainly possible, but I doubt the public have it in mind.

    And then he writes:

    You either need to establish trust with PRC or you need to overhaul the entire Western technology supply chain to exclude them. There is no middle path.

    This is, I think, where Tim and I do not fully agree.

    I am of the view that there is no perfection in practice on such things, so various “middle paths” exist with varying favour for different people or groups (and at different times). Exactly (even inexactly) which Huawei products are permitted (by the government) and which positions in the chain of communications system links is a very complicated matter. It affects the effort necessary to determine if there are any backdoors; also how successful such efforts might be. This is even the extent to which individual equipments need checking, or only different equipment types. Very importantly, there is whether overall system design requires (for adequate security) what sorts of separation into different subsystems – some of which are excluded to certain suppliers and some are not; this not least to improve cost-effectiveness and quality of the hunt for backdoors.

    Thus, while being extremely sceptical of certainty of detection, I am likely to be tolerant of bona-fide attempts at only partial exclusion of particular suppliers. Whether the UK government’s decision is (on the detail) acceptable is currently unknown to me – and almost certainly will remain so, by such details not being in the public domain.

    Again thanks to Tim the Coder for his diligent and careful contributions.

    Best regards

  • Sam

    Isn’t all this China talk moot unless they ditch their centuries-long practice of buying fresh-ish meat from open air markets? If the commies hadn’t murdered tens of millions during China’s modernization methinks several plagues would’ve racked up similar body counts. Europe learned hygiene the hard way and the poor American Indians never even got the chance. China’s avatar could be a roaring menace or paper-thin, but either way that tiger has incurable worms.

  • Let me give you the 30,000 ft view- you can’t be sovereign if someone else controls your communications network. This is especially true as the bandwidth gets higher. We will be able to manufacture events in your country and manipulate your voters and your politicians. In fact, you probably should be more afraid of Americans in this respect because the Chinese aren’t very good at the PR/narrative type of thing. But they’ll be able to do surveillance and use what they learn for leverage.

  • bobby b

    A timely article concerning why 5g is controversial right now:

    https://www.asiatimes.com/2020/01/article/huawei-fortinbras-and-xi-jinping/

  • Kenneth Mitchell

    China has a long track record of developing computer systems in Africa and deploying them – but at night, the server systems connect to a Chinese server and upload most of the data.

    The fear with 5G tech from Huawei (a company that was started by a couple of electronic warfare guys from the PLA) is that they will do likewise, and transmit copies of all the traffic to Beijing. Or could be turned off remotely, so that your cell networks can be crashed on command.

  • Patrick Crozier

    @bobby b: Thanks for the article. Wow! For a long time I have comforted myself with the idea that the West retains its technological superiority. That may no longer be true.

  • Expect privacy over cell phones and the net? I really don’t see how 5G could make it any worse.

    Google, Microsoft, Apple, Amazon, et al know far more about me (and you) than I would like; and they are willing to sell it to the Devil Himself if the Devil offers enough money.

    So what can I do? I try to say nothing incriminating. I keep my data out of the Cloud, because if a blizzard comes in and the power or the net goes down, I can’t get at my data. If an accident happens to my data, I’d rather be the fool than some guy somewhere I neither know nor control. And [whoever] is less likely to stumble over my stuff if they need to work a bit harder to get it.

  • Julie near Chicago

    Ellen, very well said indeed. And tripleplusgood about the Cloud! 🙂

  • Fraser Orr

    It seems to me that this is a business opportunity to expand the reach and ubiquity of VPNs. They prevent snooping and most forms of traffic analysis and can be set up so that you barely even notice they are there. There is a danger that the vendor can shut down the network I guess, but the internet is actually specifically designed to handle that, in fact, that is what it was originally designed for (shut down with nuclear weapons rather than a Chinese kill switch, but amounts to the same thing.) So the key there is diversity. Your phone can connect via 5G, 4G, 3G, wifi and perhaps bridged over USB or Bluetooth to your cable modem.

    Of course part of the problem is that the very people who are warning against Chinese spying are the very people who spy on us. The last thing our government wants is a totally secure network, otherwise how will they spy on us?

    With both sides spying on us it might well be that we make the argument “they might be bastards, but at least they are our bastards.” But honestly, I’m not sure they really are our bastards.

    Something else that is worth pointing out — even though I make my living selling commercial software — one of the strengths of the internet is that it is run in large part on open source software. That means that it is harder to install back doors and snoops into the backbone infrastructure because people can look and see how it works (and lots and lots of people do.) Were Huawei to open source their software many of these concerns would go away. But of course they won’t.

    It is also worth saying that the software that runs 5G is an absolute technological marvel. The complexity and sophistication, the design of the electronics and the pushing of physics to its limits is a triumph of human genius.

  • Tim the Coder

    Fraser Orr:
    Genuine open-source is difficult in areas where the software provides the competitive advantage, for reasons that should be obvious to readers here.
    It works very well, and I am a big advocate of it in industry, for areas where it provides a building block that is essential but boring: operating systems, word processors, etc. Linux underpins most Telco servers.

    IBM became a big supporter of Linux when they realised how much money they were spending keeping dozens of inhouse OS alive, and how much of interest this was to their customers (nil). By moving to Linux for many such product lines, they released resources to focus on what the customer was paying for: applications and business solutions (professional services).

    But for bleeding-edge tech products…tricky. There was an open-source HLR project, but it never got very far. Lot of code in an HLR.

    But what you can do is set up a halfway house: a pool of such ‘tame’ hackers who get to see the source code and provide the same level of critical review. This protects the vendor’s commercial interests while still looking for any naughty bits.
    Of course, you also need to rebuild the code and prove the source code you see is what made the binaries they sell.
    This is what is done already.

    Not without snags:
    – you only see source code. You don’t get to see any horrors hidden inside VLSI chips which come out later (roachware).
    – the inspection team is run by public sector, and is expected to be highly effective and efficient.
    – Only Huawei code is so inspected. Anyone else’s products are not, regardless of where they were sourced, hence my post earlier.

    This inspection team made some (rather lame) comments about Huawei version control, bugs, etc, but you could hear the barrel being scraped empty. And since they inspect only Huawei, you had no level to compare against. Was this level of bugginess good, bad or indifferent compared to the industry competitors?
    No idea, not looked.
    But after working in the business a long while, including flight critical avionics software, my impression was Huawei code wasn’t perfect, but was pretty damn good considering. Seen far worse. And don’t even mention Windows!

    It was around this time that someone commented “Oh, that’s why Windows 10 is so buggy: they need to force you to keep downloading the spyware!” When we all stopped laughing, there was a very long, and very uncomfortable silence.

    I don’t know what the answer is, but just using a non-Chinese assembler of Made in China parts is not the answer.

  • Mary Contrary

    I work in this area. The exchange between Tim the Coder and Nigel Sedgewick is well informed.

    Nigel Sedgewick says:
    “Whether the UK government’s decision is (on the detail) acceptable is currently unknown to me – and almost certainly will remain so, by such details not being in the public domain.”

    Actually, an extra tier of detail is available in the public domain. NCSC (the government/spook advisory agency for security) has published which parts of the network Huawei (and other “High Risk Vendors”) are to be banned from. That list is in paragraph 11a of NCSC advice of the use of equipment from High Risk Vendors in UK telecoms networks. Some of it will only make sense if you’re familiar with the architecture of 5G networks, but it’s available if you are able to understand it.

    That said, I think the same objections lie to this list. So you buy a UE Radio Capability Manager from Ericsson: it may have a Swedish badge on it but it’s still made up of Chinese built components, assembled in China, running microcode written in China, even if the firmware is written in Estonia (and that’s a best-case scenario).

  • Fraser Orr

    Tim the Coder
    Genuine open-source is difficult in areas where the software provides the competitive advantage, for reasons that should be obvious to readers here.

    It is not a one way thing though. Certainly closing the source gives you certain advantages of secrecy, but also the disadvantage that people are less able to trust you (and you end up being banned from certain parts of core UK infrastructure.) So it is a two way street. The value of knowing your software is secure is something that has been largely neglected for a long time (meaning that it is valued near zero); however, as more and more CIOs and CEOs lose their jobs because of careless data breaches, I suspect that dynamic will change. In fact I know it has. Corporations spend gazillions of dollars on software, personnel and auditors to try to improve the quality of their software security, and I know of many who chose open source to facilitate that.

    Will it change enough for Huawei to open their code? Probably not.

  • Tim the Coder

    Fraser Orr: Fair point. That would indeed provide a strong commercial incentive which might override competitive edge “my code” concerns.
    Alas, it doesn’t address the threat though.
    Inside the CPU is a memory management unit – MMU. So one way to hide roachware is thus:
    The MMU operates normally until triggered by something. For simple example, date & time.
    So until then, the CPU reads the memory holding the executable which was open sourced and eyeballed OK.
    When triggered, a small amount of the memory space maps instead to an internal memory area hidden inside the VLSI embedded CPU.
    This does enough to download additional code from somewhere, to refine the attack.
    If you know the CPU is intended to run Linux in the product, then you can refine the hook to a very small memory range.

    In reality of course, the hidden attack would probably just look for a secondary trigger, and maybe a third, etc.
    So long as the final result is to phone home and download a targeted attack, the initial ‘hook’ can be very simple – and maybe even look innocent.
    The downloaded attack can be designed to suit the specific usage the CPU finds itself in.
    Or if the whole product is yours, you could put the whole attack code in place from the beginning.

    The main memory continues to hold the open source derived code, but the CPU now sometimes runs internal code it provided itself.
    Job done.

    Auditing someone else’s code is hard but feasible. Auditing a VLSI chip, however…..!

    But Open Source Software certainly makes it much harder, and hiding a CPU/MMU hook like this rather removes plausible deniability, so OSS is not to be sniffed at. I’d support your approach.

  • Nullius in Verba

    “and hiding a CPU/MMU hook like this rather removes plausible deniability”

    It depends how obvious you make it, but not really. You make it look like an unintentional and non-obvious error. There are always lots of those anyway, whether you intend to put them there or not. Anyone in the business will have seen hundreds of bug reports to give them examples they can adapt. All you need to do is make a ‘mistake’ deliberately that you know somebody else has already made unintentionally. Or make it look like a manufacturing fault.

    And there are plenty more places you can embed it, besides the processor. You can put it in the memory chips – replace one block of instructions with another. Or in a hard drive. Or in a keyboard. Or in a cable. I’m sure everyone has seen how small they can make a USB memory stick, so there’s nothing more to it than the USB plug itself. So fairly obviously, you can embed something else in a cable that serves some other more innocent, less suspicious purpose. And the ‘USB memory stick pretending to be a keyboard’ attack is fairly well known nowadays.

    Calling up a website to get more code is an amateur move. All the most interesting computers are never connected to the internet, anyway, and it’s a potentially traceable red flag. There are lots more ways to get the data in and out. In, you can encrypt whatever you like in any random-looking data – you can only spot it if you know the keys. Out, you can buy domestic networks that use the power lines to transmit data from one computer to another in the same building, so you can’t even safely plug your secure computer into the same power circuit as an unsecured machine. Or messages can be passed by steganography, embedded in other documents, or carried out with portable peripherals, or many other ways.

    The truth is, no computer is totally secure. It’s always a matter of how many resources your adversary is willing to throw at it, and the resources you’re willing to expend blocking them. If your opponent has lots of money, then it can get incredibly expensive to keep them out. And as with any crime, any threat, there is always an economic point where the risk is something you’re willing to accept. If you get huge benefits 99.9% of the time, you may decide it’s worth the risk of paying the price for it 0.1% of the time. Because there are always costs on both sides of the decision: if you decide not to let them provide affordable 5G, then you don’t get 5G, and that in itself is a massive denial of service you are inflicting on yourself.

    We should all be aware that governments (all of them) can get into everyone’s computers. The constant discovery of new vulnerabilities is why there needs to be a constant flow of ‘updates’ to fix them. Governments get to see them first. And governments do use them. Ed Snowden told us that. And we’ve seen the constant stream of news stories about how even big business too is building massive databases on all of us and selling our data to advertisers and political campaigns.

    You should take it for granted that you *are* being watched, and that the effort to do something about it will tend to draw their attention. The Chinese can do it – and they don’t even need to use embedded spyware to do it, the bugs put in by software developers, and the bad habits and ignorance of users are more than sufficient. And so do the Western governments. Who should you be more worried about? Well, unless you are a person of particular interest (like Hillary and her bathroom email server) the Chinese are probably not particularly interested in you. You’re not any threat to them. Your own government (and your own employer) is far more likely to consider you a threat. But then, they are well aware that openly doing anything about what they know about you will alarm the populace and so lead to their best source of information being shut off, so like Churchill and Coventry, they will be careful about how they use it. So for most people, they’re well aware that they’re monitored, but they trust that it’s not in the interests of those monitoring to do anything overtly hostile with that data, so long as they’re not plotting to overthrow the state by force or anything. So most people don’t care.

    It’s the same with 5G. Yes, foreign cyber-warfare groups could probably shut it down. Or homegrown kids in basements and bedrooms could do it for the 1337-cred. That’s true, whether we buy Chinese hardware or not. They’re all vulnerable. But we don’t expect to fight a war with them, and they could only use it once before we ripped out all the dodgy hardware and blacklisted them, so they’re unlikely to use it to shut the network down. Industrial and military espionage, yes, but everyone is doing that, including the Chinese. And if you encrypt everything end-to-end, it means the place they would need to attack is the ends, not the network in the middle. Buying cheap Chinese-made USB cables is probably a far bigger threat than worrying about a heavily-inspected critical-infrastructure obvious-target 5G router.

    But like I said, this is most likely all about the Trump trade war with China. The only good reason to keep China out of 5G is to stay friends with the USA – I presume the reason we’re not doing so is that Trump didn’t offer to pay us enough to get us to fight in his war with China, to compensate us for the cost. Maybe he just needs to offer us something more? A nice juicy trade deal, for example?

  • Fraser Orr

    @NIV, I don’t agree that the only good reason to keep China out of 5G is to stay friends with the USA. China is definitely a security threat, in many of the nefarious ways you yourself outlined.

    However, as I said above, there is a solution to this, and it involves competition, the powerhouse solution to nearly every human problem. Competitive VPN providers providing a secure tunnel in an insecure environment handle most threats — and these VPNs can certainly be open source; in fact, many are, and are HEAVILY investigated by security researchers. That, combined with multiple routes over heterogeneous networks and computer systems, means that you can run a secure system if you are willing to pay a bit to make it secure (paying for one or more VPNs and paying for more than one network service). And perhaps the biggest security hole of all is people doing stupid things. Money can buy better people, and more people to cross-check and have separation of responsibilities, because even good people do dumb stuff sometimes.

    VPNs even deal with that most intractable of problems — government intervention. Many of the best VPNs cross international jurisdictions, making snooping harder. Unless of course you are in China, where you go to jail for using one.

    I should add that one other driver that prevents this competitive marketplace is patents that prevent competitive products being made. I know this is a controversial subject, but it does need to be called out as a tool that prevents a more competitive environment giving us a more secure network.

    But again, let’s just remember, our networks could be made much more secure if our government wanted it, but they don’t want to allow their preventing Chinese spying from preventing their own spying.

  • Nullius in Verba

    “China is definitely a security threat, in many of the nefarious ways you yourself outlined.”

    Yes, of course, but so is everyone else. Why single out China?

    “Competitive VPN providers providing a secure tunnel in an insecure environment handle most threats”

    It handles one threat, not even a particularly important one. Security, like a chain, is only as strong as the weakest link, and that’s almost always at the user’s end. If it’s encrypted in the middle then you don’t attack it in the middle – you attack it at the ends before it’s encrypted, or after it’s decrypted, or you trick the encryption software into trusting you and letting you have the keys.

    And of course a VPN provider is usually just a company, full of people who you have no particular reason to trust, and who are themselves subject to governments. Why, for that matter, wouldn’t the NSA or GCHQ or MSS go into business setting up fake VPN provider companies, and get their targets to pay them to provide ‘security’ against themselves?

    VPNs are just one step. It’s like saying that to secure your house from a police search, you ought to lock your front door when you go out. True. But if they find the door locked they’ll break a window, or climb in through the window you left open round the back, or break the door down, or pick the lock, or use a master key set, or cut through a dividing wall, or dress up as a postman and call when you’re in and then barge past when you open the door. Or maybe they were the people who sold you the lock in the first place! If you secure yourself against one method, they just shrug and use a different one. Bearing in mind that there are bank robbers capable of breaking into armoured bank vaults, what makes you think there is *anything* you can do to secure your house against search by the government, who have access to far more resources than any bank robber?

    But most people operate on the basis of economic calculation. They don’t have anything worth stealing that much, they defend against the threats they’re routinely likely to face, and accept the risk.

    It’s the same with computers. There are always lots of ways in. Some ways are much harder and more expensive than others. You only spend enough to deal with the easier/cheaper threats you’re most likely to face from kids and petty criminals, but you’re not going to be able to defend yourself against someone backed by the resources of a government. And even governments are faced with the same calculation.

    Frankly, if China wanted to take out one of your 5G routers, they could fire a missile at it. We mainly rely on the fact they have no motive to do so.

  • Paul Marks

    All Chinese companies are, by “law”, in coordination with the People’s Republic of China government – there are indeed Ruling Party cells at all levels of such companies.

    The idea that such a company is independent (as the managers have claimed on BBC interviews) is, therefore, a direct lie.

    As for the objective of the People’s Republic of China – power, unlimited power around the world. The PRC regime is not nice – they are happy to do such things as remove human organs from unwilling subjects, and put up pictures of “President” Xi in supposedly Christian Churches and make people worship these images. Of course the Vatican does not care about the persecution of Catholics in China, indeed it is in active alliance with the Communist Party regime in crushing the “underground Church” – but one would have hoped that our own moral standards were a little bit higher than those of Pope Francis (it appears they are not).

    So why are many Westerners prepared to go along with them? Why do they help them? The reason is simple – money.

    There is nothing that Huawei does that other companies could not do – but they might charge a bit more.

    And the “capitalists” are always “eager to sell us the rope with which we will hang them”.

    And this in a country that is about to waste over a HUNDRED BILLION POUNDS on HS2.

    We must save a few bob selling out to Huawei (national security, and the security of the West in general, ignored) – but we are happy to blow over a hundred billion Pounds on HS2.

    Such is life – at least in the madhouse of the modern Western world.

  • Nullius in Verba

    “All Chinese companies are, by “law”, in coordination with the People’s Republic of China government – there are indeed Ruling Party cells at all levels of such companies.”

    Yes, and all British, American, and European companies are required *by law* to cooperate with the respective security services of those countries. If GCHQ turn up with a warrant, do you think your local ISP is going to tell them ‘No’? What would Ed Snowden say?

    And of course, lots of people don’t obey the law. They can be paid, bribed, infiltrated, blackmailed, or politically conspire to serve the interests of criminals, lawyers, political movements, protectionists, business competitors, unions, or governments.

    We are faced with *lots* of threats. The question is not “Why should we be worried about China?” The question is “Why should we *not* be worried about everyone else?”

    “And the “capitalists” are always “eager to sell us the rope with which we will hang them”.”

    So are you arguing against free market capitalism, now?

    The whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, all of them imaginary. If they can even persuade capitalists to abandon capitalism by pointing to some threat, you can see why.

  • Patrick Crozier

    I’m pretty sure the Vikings, Normans, Napoleon, the Kaiser and Hitler were not imaginary.

  • Nullius in Verba

    The Chinese Communist government aren’t imaginary, and neither is the threat they pose to ordinary people within their own sphere of domination – China, Hong Kong, Taiwan, Tibet, and so on.

    But the idea that the Chinese intend any military-level aggression against the UK is imaginary. They’re primarily interested in making money. They want to trade with us. They’re perfectly willing to pirate our technology – their attitude to that is similar to that of ordinary Westerners who pirate software or music – and they do of course operate espionage against other countries for their own security just as we do against them. But they gave up on the Napoleonic ambitions decades ago, once they realised that it was far easier to buy what you wanted, rather than conquer it. Yes, like us, they’ll invest to acquire the capability, but like us they’d only use it if their interests at home were seriously threatened, and we’ve got no intention of doing that.

    Now, somebody like the Iranians probably would quite like to use that capability. It would constitute exactly the sort of asymmetric warfare terrorism they’re looking to use to pressure the West into letting them proceed with their Middle-Eastern Napoleonic ambitions. But we don’t have a terrorism problem from China. The only sort of war they would consider conducting with us is a trade war.

    Threats to liberty and security are generally local. The Chinese government are a bigger threat to the Chinese people, but they justify their policies by pointing to the threat posed by the Westerners. And the biggest threat to the liberty and security of Westerners is Western governments, Western corporations, Western political movements, and Western criminals. They have the motive.

    Now certainly I would consider the threat posed by the Chinese government to people in China is far greater than the threat posed by Western governments to people in the West. You would have to go a long way to find a bigger bunch of bastards than the Chinese Communist Party. Even the likes of Blair, Obama, Corbyn, or Bill and Hillary Clinton in charge of that surveillance state are mild in comparison. But really, the UK isn’t important to China. They’re not the threat they’re portrayed to be.

    As numerous people have pointed out above, the big issue for Western governments is that *they* want to keep the ability to control everybody’s access to the internet, and spy on its contents. If Western companies supply the kit they can far more easily do so than if Chinese companies do. (If the NSA goes to Huawei and asks to put in back doors, Huawei can tell them to GFT, Westerners can’t.) As Snowden revealed in detail, and as most of us knew anyway, Western governments, police forces, and security services can and do embed spyware in the telecommunications infrastructure. As recent events in the USA have demonstrated, the Deep State uses those capabilities for its own private purposes.

    So when Western governments start stirring up popular patriotic fear of the outsider, contrary to their usual pattern, where that outside threat appears grossly overblown compared to the threat they themselves pose, in order to maintain their own exclusive control over that infrastructure, I’m suspicious that we’re being herded into letting them do something we shouldn’t be letting them do. Patriotism is the last refuge of the scoundrel.

    On the whole, I think it’s just part of Trump’s trade war. But there’s a lot of talk going round that the NSA are pushing for it, too.

  • Nullius in Verba (February 1, 2020 at 6:25 pm), who, if not China, is the greatest combined threat of human and technical (and financial) resources, and motivation, and increasingly aggressive direction (thanks to Xi)?

    The Iranians could be ready to take greater risks to hurt the west, but they are a lot poorer and less numerous, especially in people with the technical skills when it comes to cyber war. The Russians are likely embarrassed that the Chinese are a greater danger to us than they are in that field, but it’s a fact. Our own governments have considerable ability – and considerable ability to feel consequences. (And, unlike China under Xi, are not obviously on an upward curve against their own citizens right now – except to remoaners and TDS sufferers. 🙂 ) Etc.

    So I’m understanding why people are not seeing China as just an ordinary one-among-many threat.

  • Nullius in Verba

    “who, if not China, is the greatest combined threat of human and technical (and financial) resources, and motivation, and increasingly aggressive direction […]?”

    A lot of people would reply “Donald Trump.” 🙂

    It’s the motivation I’m talking about. Nobody doubts that China is very capable, militarily. They’re a nuclear power with ballistic missiles, tanks, and bombs. And to the relatively small/poor countries in their immediate vicinity, yes, they are potentially an actual military threat. And if you were to try pressuring them militarily – if we were, for example, to put British troops into Hong Kong – we’d no doubt get a more aggressive response.

    But in the absence of any such challenge to their interests, they have absolutely no reason to attack us, and plenty of reasons not to. They’re dependent on trade with the West for much of their economy, and for technological development. All we have to do is leave them alone, and they’ll leave us alone.

    And even if they tried any such stunt with shutting down 5G, it would just cause a couple of months of slow internet while we ripped out all their kit so they couldn’t do it again. Perfectly survivable. Expensive, annoying, but trivial compared to the nuclear missiles. And it’s not like we’re not aware of the issue, and perfectly capable of taking precautions. And it’s not like we don’t have an even greater technical capability (if the Ed Snowden story is right) to be able to do the same back to them! China are more into quantity than quality – we still have a massive technological lead over them generally, and that’s a particularly important factor for things like cyberwar.

    But as usual, I think we’ve got caught in the cycle where everyone is stuck in their own point of view. I think there are certain bogeymen that governments can reliably use to justify taking liberties, that the public would not otherwise wear, but which when assessed objectively are nothing like as threatening as people think. But I don’t think either of us will be able to persuade the other. What we feel threatened by is a very personal emotional reaction.

    “Our own governments have considerable ability – and considerable ability to feel consequences. (And, unlike China under Xi, are not obviously on an upward curve against their own citizens right now – except to remoaners and TDS sufferers. 🙂 )”

    Agreed. I don’t think our own governments are currently a particularly big threat to our electronic liberties, either. Just that they’re a bigger threat than China.

  • bobby b

    “I don’t think our own governments are currently a particularly big threat to our electronic liberties, either. Just that they’re a bigger threat than China.”

    Our sun going supernova is an even bigger threat to our liberties, if we speak of such things without respect to the likelihood of something happening.