Chinese Spies Accused of Using Huawei in Secret Australia Telecom Hack

Bloomberg has an article that discusses how Chinese spies were allegedly involved in deploying implants on Huawei equipment which was operated in Australia and the United States. The key parts of the story include:

At the core of the case, those officials said, was a software update from Huawei that was installed on the network of a major Australian telecommunications company. The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, they said. After a few days, that code deleted itself, the result of a clever self-destruct mechanism embedded in the update, they said. Ultimately, Australia’s intelligence agencies determined that China’s spy services were behind the breach, having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom’s systems. 

Guided by Australia’s tip, American intelligence agencies that year confirmed a similar attack from China using Huawei equipment located in the U.S., six of the former officials said, declining to provide further detail.

The details from the story are all circa 2012. The fact that Huawei equipment was successfully being targeted by these operations, in combination with the large volume of serious vulnerabilities in Huawei equipment, contributed to the United States’ efforts to bar Huawei equipment from American networks and the networks of their closest allies.1

Analysis

We can derive a number of conclusions from the Bloomberg article, as well as see links between activities allegedly undertaken by the Chinese government and those of Western intelligence agencies.

To begin, it’s worth noting that the very premise of the article–that the Chinese government needed to infiltrate the ranks of Huawei technicians–suggests that circa 2012 Huawei was not controlled by, operated by, or necessarily unduly influenced by the Chinese government. Why? Because if the government needed to impersonate technicians to deploy implants, and do so without the knowledge of Huawei’s executive staff, then it’s very challenging to say that the company writ large (or its executive staff) were complicit in intelligence operations.

Second, the Bloomberg article makes clear that a human intelligence (HUMINT) operation had to be conducted in order to deploy the implants in telecommunications networks, with data then being sent back to servers that were presumably operated by Chinese intelligence and security agencies. These kinds of HUMINT operations can be high-risk insofar because if operatives are caught then the whole operation (and its surrounding infrastructure) can be detected and burned down. Building legends for assets is never easy, nor is developing assets if they are being run from a distance as opposed to spies themselves deploying implants.2

Third, the United States’ National Security Agency (NSA) has conducted similar if not identical operations when its staff interdicted equipment while it was being shipped, in order to implant the equipment before sending it along to its final destination. Similarly, the CIA worked for decades to deliberately provide cryptographically-sabotaged equipment to diplomatic facilities around the world. All of which is to say that multiple agencies have been involved in using spies or assets to deliberately compromise hardware, including Western agencies.

Fourth, the Canadian Communications Security Establish Act (‘CSE Act’), which was passed into law in 2019, includes language which authorizes the CSE to do, “anything that is reasonably necessary to maintain the covert nature of the [foreign intelligence] activity” (26(2)(c)). The language in the CSE Act, at a minimum, raises the prospect that the CSE could undertake operations which parallel those of the NSA and, in theory, the Chinese government and its intelligence and security services.3

Of course, the fact that the NSA and other Western agencies have historically tampered with telecommunications hardware to facilitate intelligence collection doesn’t take away from the seriousness of the allegations that the Chinese government targeted Huawei equipment so as to carry out intelligence operations in Australia and the United States. Moreover, the reporting in Bloomberg covers a time around 2012 and it remains unclear whether the relationship(s) between the Chinese government and Huawei have changed since then; it is possible, though credible open source evidence is not forthcoming to date, that Huawei has since been captured by the Chinese state.

Takeaway

The Bloomberg article strongly suggests that Huawei, as of 2012, didn’t appear captured by the Chinese government given the government’s reliance on HUMINT operations. Moreover, and separate from the article itself, it’s important that readers keep in mind that the activities which were allegedly carried out by the Chinese government were (and remain) similar to those also carried out by Western governments and their own security and intelligence agencies. I don’t raise this latter point as a kind of ‘whataboutism‘ but, instead, to underscore that these kinds of operations are both serious and conducted by ‘friendly’ and adversarial intelligence services alike. As such, it behooves citizens to ask whether these are the kinds of activities we want our governments to be conducting on our behalves. Furthermore, we need to keep these kinds of facts in mind and, ideally, see them in news reporting to better contextualize the operations which are undertaken by domestic and foreign intelligence agencies alike.


  1. While it’s several years past 2012, the 2021 UK HCSEC report found that it continued “to uncover issues that indicate there has been no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected by the NCSC.” (boldface in original) ↩︎
  2. It is worth noting that, post-2012, the Chinese government has passed national security legislation which may make it easier to compel Chinese nationals to operate as intelligence assets, inclusive of technicians who have privileged access to telecommunications equipment that is being maintained outside China. That having been said, and as helpfully pointed out by Graham Webster, this case demonstrates that the national security laws were not needed in order to use human agents or assets to deploy implants. ↩︎
  3. There is a baseline question of whether the CSE Act created new powers for the CSE in this regard or if, instead, it merely codified existing secret policies or legal interpretations which had previously authorized the CSE to undertake covert activities in carrying out its foreign signals intelligence operations. ↩︎

Mandatory Patching of Serious Vulnerabilities in Government Systems

Photo by Mati Mango on Pexels.com

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for building national capacity to defend American infrastructure and cybersecurity assets. In the past year they have been tasked with receiving information about American government agencies’ progress (or lack thereof) in implementing elements of Executive Order 14028: Improving the Nation’s Cybersecurity and have been involved in responses to a number of events, including Solar Winds, the Colonial Pipeline ransomware attack, and others. The Executive Order required that CISA first collect a large volume of information from government agencies and vendors alike to assess the threats towards government infrastructure and, subsequently, to provide guidance concerning cloud services, track the adoption of multi factor authentication and seek ways of facilitating its implementation, establish a framework to respond to security incidents, enhance CISA’s threat hunting abilities in government networks, and more.1

Today, CISA promulgated a binding operational directive that will require American government agencies to adopt more aggressive patch tempos for vulnerabilities. In addition to requiring agencies to develop formal policies for remediating vulnerabilities it establishes a requirement that vulnerabilities with a common vulnerabilities and exposure ID be remediated within 6 months, and all others with two weeks. Vulnerabilities to be patched/remediated are found in CISA’s “Known Exploited Vulnerabilities Catalogue.”

It’s notable that while patching is obviously preferred, the CISA directive doesn’t mandate patching but that ‘remediation’ take place.2 As such, organizations may be authorized to deploy defensive measures that will prevent the vulnerability from being exploited but not actually patch the underlying vulnerability, so as to avoid a patch having unintended consequences for either the application in question or for other applications/services that currently rely on either outdated or bespoke programming interfaces.

In the Canadian context, there aren’t equivalent levels of requirements that can be placed on Canadian federal departments. While Shared Services Canada can strongly encourage departments to patch, and the Treasury Board Secretariat has published a “Patch Management Guidance” document, and Canada’s Canadian Centre for Cyber Security has a suggested patch deployment schedule,3 final decisions are still made by individual departments by their respective deputy minister under the Financial Administration Act.

The Biden administration is moving quickly to accelerate its ability to identify and remediate vulnerabilities while simultaneously lettings its threat intelligence staff track adversaries in American networks. That last element is less of an issue in the Canadian context but the first two remain pressing and serious challenges.

While its positive to see the Americans moving quickly to improve their security positions I can only hope that the Canadian federal, and provincial, governments similarly clear long-standing logjams that delegate security decisions to parties who may be ill-suited to make optimal decisions, either out of ignorance or because patching systems is seen as secondary to fulfilling a given department’s primary service mandate.


  1. For a discussion of the Executive Order, see: “Initial Thoughts on Biden’s Executive Order on Improving the Nation’s Cybersecurity” or “Everything You Need to Know About the New Executive Order on Cybersecurity.” ↩︎
  2. For more, see CISA’s “Vulnerability Remediation Requirements“. ↩︎
  3. “CCCS’s deployment schedule only suggests timelines for deployment. In actuality, an organization should take into consideration risk tolerance and exposure to a given vulnerability and associated attack vector(s) as part of a risk‑based approach to patching, while also fully considering their individual threat profile. Patch management tools continue to improve the efficiency of the process and enable organizations to hasten the deployment schedule.” Source: “Patch Management Guidance↩︎

The Roundup for December 1-31, 2019 Edition

Alone Amongst Ghosts by Christopher Parsons

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


This month’s update is late, accounting for holidays and my generally re-thinking how to move forward (or not) with these kinds of posts. I find them really valuable, but the actual interface of using my current client (Ulysses) to draft elements of them is less than optimal. So expect some sort of changes as I muddle through how to improve workflow and/or consider the kinds of content that make the most sense to post.


Inspiring Quotation

Be intensely yourself. Don’t try to be outstanding; don’t try to be a success; don’t try to do pictures for others to look at—just please yourself.

  • Ralph Steiner

Great Photography Shots

Natalia Elena Massi’s photographs of Venice, flooded, are exquisite insofar as they are objectively well shot while, simultaneously, reminding us of the consequences of climate change. I dream of going to Venice to shoot photos at some point and her work only further inspires those dreams.

Music I’m Digging

I spent a lot of the month listening to my ‘Best of 2019’ playlist, and so my Songs I Liked in December playlist is a tad threadbare. That said, it’s more diverse in genre and styles than most monthly lists, though not a lot of the tracks made the grade to get onto my best of 2019 list.

  • Beck-Guero // I spent a lot of time re-listening to Beck’s corpus throughout December. I discovered that I really like his music: it’s moody, excitable,and catchy, and always evolving from album to album.
  • Little V.-Spoiler (Cyberpunk 2077) (Single) // Cyberpunk 2077 is one of the most hyped video games for 2020, and if all of the music is as solid and genre-fitting as this track, then the ambiance for the game is going to be absolutely stellar.

Neat Podcast Episodes

  • 99% Invisible-Racoon Resistance // As a Torontonian I’m legally obligated to share this. Racoons are a big part of the city’s identity, and in recent years new organic garbage containers were (literally) rolled out that were designed such that racoons couldn’t get into them. Except that some racoons could! The good news is that racoons are not ‘social learners’ and, thus, those who can open the bins are unlikely to teach all the others. But with the sheer number of trash pandas in the city it’s almost a certainty that a number of them will naturally be smart enough and, thus, garbage will continue to litter our sidewalks and laneways.

Good Reads

  • America’s Dark History of Killing Its Own Troops With Cluster Munitions // Ismay’s longform piece on cluster munitions is not a happy article, nor does the reader leave with a sense that this deadly weapon is likely to be less used. His writing–and especially the tragedies associated with the use of these weapons–is poignant and painful. And yet it’s also critically important to read given the barbarity of cluster munitions and their deadly consequences to friends, foes, and civilians alike. No civilized nation should use these weapons and all which do use them cannot claim to respect the lives of civilians stuck in conflict situations.
  • Project DREAD: White House Veterans Helped Gulf Monarchy Build Secret Surveillance Unit // The failure or unwillingness of the principals, their deputies, or staff to acknowledge they created a surveillance system that has systematically been used to hunt down illegitimate targets—human rights defenders, civil society advocates, and the like—is disgusting. What’s worse is that democratizing these surveillance capabilities and justifying the means by which the program was orchestrated almost guarantees that American signals intelligence employees will continue to spread American surveillance know-how to the detriment of the world for a pay check, the consequences be damned (if even ever considered in the first place).
  • The War That Continues to Shape Russia, 25 Years Later // The combination of the (re)telling of the first Russia-Chechen War and photographs from the conflict serve as reminders of what it looks like when well-armed nation-states engage in fullscale destruction, the human costs, and the lingering political consequences of wars-now-past.
  • A New Kind of Spy: How China obtains American technological secrets // Bhattacharjee’s 2014 article on Chinese spying continues to strike me as memorable, and helpful in understanding how the Chinese government recruits agents to facilitate its technological objectives. Reading the piece helps to humanize why Chinese-Americans may spy for the Chinese government and, also, the breadth and significance of such activities for advancing China’s interests to the detriment of America’s own.
  • Below the Asphalt Lies the Beach: There is still much to learn from the radical legacy of critical theory // Benhabib’s essay showcasing how the history of European political philosophy over the past 60 years or so are in the common service of critique, and the role(s) of Habermasian political theory in both taking account of such critique whilst offering thoughts on how to proceed in a world of imperfect praxis, is an exciting consideration of political philosophy today. She mounts a considered defense of Habermas and, in particular, the claims that his work is overly Eurocentric. Her drawing a line between the need to seek emancipation while standing to confront and overcome the xenophobia, authoritarianism, and racism that is sweeping the world writ large is deeply grounded on the need for subjects like human rights to orient and ground critique. While some may oppose such universalism on the same grounds as they would reject the Habermasian project there is a danger: in doing so, not only might we do a disservice to the intellectual depth that undergirds the concept of human rights but, also, we run the risk of losing the core means by which we can (re)orient the world towards enabling the conditions of freedom itself.
  • Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai // This very curious article explores the recent problem of ships’ GPS transponders being significantly affected while transiting the Yangtze in China. Specifically, transponders are routinely misplacing the location of ships, sometimes with dangerous and serious implications. The cause, however, remains unknown: it could be a major step up in the (effective) electronic warfare capabilities of sand thieves who illegally dredge the river, and who seek to escape undetected, or could be the Chinese government itself testing electronic warfare capabilities on the shipping lane in preparation of potentially deploying it elsewhere in the region. Either way, threats such as this to critical infrastructure pose serious risks to safe navigation and, also, to the potential for largely civilian infrastructures to be potentially targeted by nation-state adversaries.
  • A Date I Still Think About // These beautiful stories of memorable and special dates speak to just how much joy exists in the world, and how it unexpectedly erupts into our lives. In an increasingly dark time, stories like this are a kind of nourishment for the soul.

Cool Things

  • The Deep Sea // This interactive website that showcases the sea life we know exists, and the depths at which it lives, is simple and spectacular.
  • 100 Great Works Of Dystopian Fiction // A pretty terrific listing of books that have defined the genre.