Support The Bulwark and subscribe today.
  Join Now

When Is Cyberwar Real War?

by Ian Smith
April 26, 2019
When Is Cyberwar Real War?
(Photo by Scott Nelson/Getty Images)

Recently a vulnerability was disclosed that affected millions of Huawei-manufactured laptops. The Chinese manufacturer claimed the vulnerability was a mistake and, in January, patched the affected software. Speculation was rife that this vulnerability might have been injected intentionally with the goal of allowing the Chinese government to exploit it in order to take control of laptops globally at a time of their choosing.

Huawei’s claims of innocence are falling on increasingly deaf ears as the U.S., Canada, and some E.U. countries have considered banning Huawei products’ use in new mobile telephony networks. These bans are due to fears that the Chinese government could use this equipment for espionage purposes. (Full disclosure: I was very peripherally involved in the Cisco/Huawei lawsuit in the early 2000s.)

Other Chinese firms such as ZTE have also faced bans of various kinds from various countries, but the Huawei bans are the most widespread.

As of right now, Huawei is selling at least three different models of laptop that would have had this potential “backdoor,” save for the patch issued by the company. On Amazon, these machines range in price from about $900 to $1,500 and can be purchased literally by any person America.

What if the vulnerability had not been detected by Microsoft? Clearly the government in Beijing could have had the ability to take control of many laptops deployed in the United States, although Huawei denies that the backdoor was left open intentionally. If the backdoor was known to the government of China, it would be the cyber-warfare equivalent of having sleeper cells, in every corner of the United States, all of which could be activated at a millisecond’s notice.

So let’s say that you’re a parent in Ohio looking to buy a decent laptop for your daughter before she goes away to college in the fall. Should your decision be determined by the marketplace or by military doctrine? If it’s the latter, then how sweeping should the considerations be? Should any product made in China, or composed of Chinese parts, be banned, in the interest of security, if it could be capable of being used in a cyber attack?

(It is worth noting here that Taiwan maintains its lead in manufacturing electronics in no small part because it is viewed as less risky than trusting Chinese manufacturers.)

The Chinese government is more worried about this issue than we are. They see Microsoft’s operating system as representing precisely the same threat that their hardware presents us. Partly this is projection: In China, the government maintains extremely close ties to its tech industries.

And the Chinese aren’t necessarily wrong. In 2017 the NSA was revealed to have authored the EternalBlue exploit that has been used in numerous attacks. And the NSA didn’t just build the exploit—it kept Microsoft in the dark about the vulnerability. The NSA officially denied that this exploit was theirs, but most experts now accept the claims of provenance made by a group known as the Shadow Brokers that initially attempted to sell the exploits, but eventually just released them.

If we take as given that Huawei is working with the Chinese government to allow espionage and attacks through its products, and that the United States has the NSA stockpiling exploits for use against our adversaries at some future date, are the drums of cyber-war beating? Well, hackers from Russia attacked our election in 2016 and North Korean groups have attacked banks and other U.S. institutions recently. Maybe the war has already started.

Ian Smith

Ian Smith has a Ph.D. in Computer Science from Georgia Tech. Follow him on Twitter @iansmith.