May 9, 2019
Huawei has been in the news quite a bit recently, primarily for the alleged risks the Chinese telecommunications company poses to broad national security and commercial interests in the United States and elsewhere. But we want to focus here on three risk factors that have been at times dangerously conflated in media coverage and analysis, including just last week in Bloomberg: vulnerabilities, backdoors, and bugdoors.
Conflating the three isn’t just some minor technical misunderstanding. It has far more expansive implications, and can fundamentally alter one’s risk assessment of Huawei’s presence in 5G systems around the world.
Vulnerabilities refer broadly to security flaws in software and hardware systems, and every system has them. These flaws could arise for a number of reasons, such as poorly written code or misconfigured hardware circuitry. A quick online search will reveal that vulnerabilities are discovered all the time—in laptops, smartphones, cars, manufacturing plant machinery—and that virtually no digital device is immune to them.
What’s key to understand here, though, is that vulnerabilities is a broad term; it doesn’t distinguish between whether these security flaws exist accidentally or deliberately. Most often, in fact, the vulnerabilities are accidental. Human beings make mistakes, and when humans are programming or architecting complex pieces of software that may have hundreds of thousands or millions of lines of code, they’re going to make errors or omissions. Further, many companies prioritize making software functional, and doing so quickly, over making the software secure. Code might undergo little or even no security testing to probe for these vulnerabilities before the system is widely released. Hence, every system will have at least some vulnerabilities.
Backdoors are different from regular old vulnerabilities in a couple of ways, most of which have to do with utility and intent. First, backdoors aren’t just vulnerabilities. They’re a combination of a vulnerability and an exploit—an additional piece of software that allows an attacker to take advantage of the vulnerability to perform some sort of function on the system in question. Second, backdoors leverage vulnerabilities that have been placed there intentionally. These vulnerabilities—typically used by hackers to bypass encryption and authentication protocols—have no function beyond giving a non-user access to a system. They involve adding code or hardware specifically to create the vulnerability in the system. Put it like this: If you hear backdoor, think vulnerability, but there on purpose.
Bugdoor’s meaning is similar to backdoor in that it implies not only vulnerability, but also the capacity to exploit it for a functional use. Bugdoors also require a certain amount of intent from the software or hardware vendor. Still, they differ from backdoors in one subtle but crucial way: Whereas backdoors exploit vulnerabilities in code that were designed and “bolted on” for the explicit purpose of providing illicit access, bugdoors exploit found vulnerabilities in code that are there as a result of the natural coding process. These vulnerabilities, found by either a third party or the vendor itself, are then left in place for exploitation. This makes bugdoors potentially more difficult to detect, and they provide more plausible deniability for both the vendor and potential attackers because the code they leverage most often serves a legitimate purpose in the system. (Consider how some vulnerabilities are left in code because they pose no clear threat to the functioning of the system itself or aren’t exploitable. The same can’t be said for backdoors and bugdoors, which imply exploitability.)
Why do these differences matter? Calling every vulnerability a backdoor is imprecise, and the distinction between backdoors, bugdoors, and regular vulnerabilities is a vital one for unpacking the risk around Huawei’s presence in 5G systems.
Over the last year, the U.S. government has attempted to highlight the risk that Huawei, operating out of a country with unchecked executive power, poses to countries with adversarial relationships with the Chinese government. According to parts of the U.S. government, Huawei could be compelled to help Chinese government entities spy on, manipulate, or entirely deactivate 5G systems in other countries, especially during a war-like scenario. If true, that could have devastating consequences, but it’s difficult to know whether Huawei is providing the Chinese government with untoward access.
What we do know, though, is that Huawei code has a lot of vulnerabilities. The United Kingdom’s Huawei Cyber Security Evaluation Center (HCSEC), a testing facility that reviews Huawei-made equipment for security flaws, exposed in its 2019 annual report that Huawei systems contain “many vulnerabilities ... [of] high impact.” There are “serious and systematic defects in Huawei’s software engineering and cyber security competence.” One explanation for these defects is bad programming practices, likely compounded by a high-pressure work environment that quickly pushes out products, which have led to many vulnerabilities in the code and delays in patching those vulnerabilities. Another explanation offered by some is that these vulnerabilities are evidence of backdoors or bugdoors.
But this is also where conflating terms becomes a problem and clouds the judgement of those trying to understand and manage risks posed by Huawei. Every telecom provider’s system has vulnerabilities—last month, University of California at Berkeley researcher Nicholas Weaver called this the “dirty secret” of most of the world’s computing infrastructure. It’s therefore the reality that these systems can be leveraged by intelligence agencies around the world to spy, manipulate, or shut down networks. The issue at play with regard to Huawei and the Chinese government is whether Huawei is enabling of, complicit in, or apathetic to Chinese government attempts to exploit telecom networks in adversarial countries.
If Huawei is providing backdoors to Chinese intelligence agencies, they’re enabling Chinese government cyber efforts. If Huawei is leaving bugdoors in their systems, they’re complicit. If they’re just really bad at writing software (also a possibility), they’re apathetic actors. The way to manage each of these possibilities for countries deciding whether to let Huawei provide some of their 5G infrastructure will differ.
For instance, if Huawei is enabling or complicit, the best way to manage the risk of Chinese government spying or manipulation is likely a blanket ban on Huawei equipment until Huawei proves a clear change in behavior. However, there exists no public evidence to suggest the known vulnerabilities in Huawei equipment are there to enable backdoors. Of course, just because you haven’t found evidence of intent doesn’t mean there was no intent, or that there’s no evidence to be found. (Think Donald Rumsfeld’s unknown unknowns.) But nobody has publicly found evidence of intent yet. Until such time that backdoor or bugdoor evidence is found, then, all we know is that Huawei systems have vulnerabilities.
The real challenge, then, is in distinguishing whether some of the vulnerabilities discovered by HCSEC were left in intentionally as bugdoors. In this case, distinguishing between bugdoors and common vulnerabilities is nearly impossible without good human sources of information in the communication chain between Huawei and the Chinese government. Because of this lack of certainty, many countries are considering a risk management approach that allows Huawei to build certain portions of their 5G networks while keeping them out of sensitive or core parts of their national networks (what’s been referred to as a “partial ban”).
Using these terms—each of which has a precise meaning—interchangeably threatens to skew one’s assessment of the risk from Huawei. Unlike with regular vulnerabilities, which everyone could find and exploit, backdoors or bugdoors would provide the Chinese intelligence services a unique and disproportionate advantage—one that adversaries would be loath to hand them.
Indeed, access to 5G systems can provide valuable signals intelligence for espionage, and knowledge of how to access that intelligence therefore amplifies that advantage even further. Chinese spy agencies would therefore be in a better “starting position” than other countries’ spy agencies if they knew and could exploit backdoors and/or bugdoors, as opposed to searching Huawei code for regular vulnerabilities. This is to say nothing of the benefits beyond espionage that could be available to Chinese military services, should knowledge of backdoors or bugdoors be desired to manipulate 5G traffic or to manipulate or shut down 5G systems themselves. As a result, vulnerabilities, backdoors, and bugdoors fold differently into the risks at play of 5G network espionage, manipulation, or sabotage.
Policymakers and other analysts ought to be identifying high-priority risks associated with reliance on foreign telecommunications equipment providers, and the best ways to mitigate those risks. However, conflating simple—and often benign—vulnerabilities with nefarious intent on the part of the provider could serve to undermine the credibility of claims around the real risks at hand, including the presence of real backdoors.