Huawei Hacking is a Security Scandal

You probably won’t be surprised to learn that people who neither are naïve nor hate freedom can reasonably disagree with Edward Lucas and his post from this morning on this blog. Indeed, security experts, lawyers, and reporters have repeatedly explained why it is “in the public interest to reveal how democracies spy on dictatorships” and why nuclear security, “cyber-war” rhetoric, and other Cold War ideas are poor models for modern network security.

The reasons include:

  • that the techniques we use to spy harm security for Americans and the rest of the globe;
  • that the same tools we use to spy on China we also turn against our allies and our citizens (target creep); and
  • that spying initially justified for national security purposes comes to serve less worthy, or even improper, goals, like economic espionage (mission creep).

Of course, we aren’t just spying on Huawei or China, or “dictatorships”. We are spying on our allies, too. As the Times reported:

But the [NSA’s] plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries — including both allies and nations that avoid buying American products — the N.S.A. could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.

And of course it is important to know that we have lots of access to Huawei systems, but nevertheless no evidence the company is in bed with the Chinese government. This revelation is at least as important as all the prior stories about Huawei being untrustworthy. If those stories are false, the public should know and our government should correct the record.

But most importantly, this and other stories about NSA hacking reveal how our government is breaking the Internet for everyone.

In the Cold War days, breaking cryptography and cracking communications networks might have made sense for national security. Military groups used encryption to hide their activities. Different countries created and used different codes. If the U.S. National Security Agency broke Russia’s codes, that gave us access to their military planning. But it didn’t weaken the U.S. codes. And it didn’t affect U.S. businesses or people.

Today, people around the globe rely on the same cryptographic algorithms, operating systems, and Internet routers that nation-states use. Secure routers, software, and encryption are what keep our online banking secure. They are what make sure people don’t change what our emails say before they get to the recipient. They are what let us shop confidently online. They are what confirm that we actually are talking with the person we think we are talking to. They are what ensure the grandkid photos we share with Grandma don’t end up in the hands of perverts. They are what protect human rights activists from oppression at the hands of their governments, including China.

When the U.S. government breaks network security, exploits vulnerabilities, or fails to report a vulnerability so that it can potentially spy on our allies, or exploit the flaws later, it makes Americans, our allies—everyone who uses the Internet or a telephone—less secure.

Even former NSA Director Michael Hayden has weighed in on this matter. Hayden has argued that NSA, when it comes across security vulnerabilities, makes a judgment call on whether to fix the problem or to use it. “NOBUS” means the belief that only the U.S. could exploit the hole. Says Hayden:

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS” and that’s a vulnerability we are not ethically or legally compelled to try to patch — it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.

This is naïve. Security professionals have long agreed that the public disclosure of vulnerabilities is the only consistent way to improve security. As a result, modern security practices rely on professionals independently testing software and networks and publishing information about vulnerabilities in software, operating systems, cryptographic algorithms, and products like heart monitors and ATM machines.

Indeed, the NSA’s own documents show that other nations are catching up to us in exploiting network vulnerabilities that NSA has either developed or maintained. As First Look reported, one of the NSA’s primary concerns appears to be that its clandestine tactics are being adopted by foreign rivals:

“Hacking routers has been good business for us and our 5-eyes partners for some time,” notes one NSA analyst in a top-secret document dated December 2012. “But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.”

When the U.S. uses router vulnerabilities to spy on China, rather than fixing the routers, that helps China spy on Americans. And it helps thieves steal trade secrets and break into our bank accounts. As Bruce Schneier has explained so well:

The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.

Nicholas Weaver, Ph.D. and researcher at the International Computer Science Institute in Berkeley and U.C. San Diego, wrote in Wired after reviewing the Quantum documents, “The NSA does not have a monopoly on the technology, and their widespread use acts as implicit permission to others, both nation-state and criminal.”

So, what we’ve learned from NSA’s hacking stories is that our government is making us less, not more, secure. To my mind, these revelations are the most important, the most disturbing, and the most difficult technologically for the U.S. to back away from. In secret, with no debate and no oversight, the NSA has endangered us all.

About the Author(s)

Jennifer Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology. Follow her on Twitter (@granick).