MARCH 22, 2014
NEW YORK TIMES
WASHINGTON — American officials have long considered Huawei, the Chinese telecommunications giant, a security threat, blocking it from business deals in the United States for fear that the company would create “back doors” in its equipment that could allow the Chinese military or Beijing-backed hackers to steal corporate and government secrets.
But even as the United States made a public case about the dangers of buying from Huawei, classified documents show that the National Security Agency was creating its own back doors — directly into Huawei’s networks.
The agency pried its way into the servers in Huawei’s sealed headquarters in Shenzhen, China’s industrial heart, according to N.S.A. documents provided by the former contractor Edward J. Snowden. It obtained information about the workings of the giant routers and complex digital switches that Huawei boasts connect a third of the world’s population, and monitored communications of the company’s top executives.
One of the goals of the operation, code-named “Shotgiant,” was to find any links between Huawei and the People’s Liberation Army, one 2010 document made clear. But the plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries — including both allies and nations that avoid buying American products — the N.S.A. could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.
“Many of our targets communicate over Huawei-produced products,” the N.S.A. document said. “We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.
The documents were disclosed by The New York Times and Der Spiegel, and are also part of a book by Der Spiegel, “The N.S.A. Complex.” The documents, as well as interviews with intelligence officials, offer new insights into the United States’ escalating digital cold war with Beijing. While President Obama and China’s president, Xi Jinping, have begun talks about limiting the cyber conflict, it appears to be intensifying.
The N.S.A., for example, is tracking more than 20 Chinese hacking groups — more than half of them Chinese Army and Navy units — as they break into the networks of the United States government, companies including Google, and drone and nuclear-weapon part makers, according to a half-dozen current and former American officials.
If anything, they said, the pace has increased since the revelation last year that some of the most aggressive Chinese hacking originated at a People’s Liberation Army facility, Unit 61398, in Shanghai.
The Obama administration distinguishes between the hacking and corporate theft that the Chinese conduct against American companies to buttress their own state-run businesses, and the intelligence operations that the United States conducts against Chinese and other targets.
American officials have repeatedly said that the N.S.A. breaks into foreign networks only for legitimate national security purposes.
A White House spokeswoman, Caitlin M. Hayden, said: “We do not give intelligence we collect to U.S. companies to enhance their international competitiveness or increase their bottom line. Many countries cannot say the same.”
But that does not mean the American government does not conduct its own form of corporate espionage with a different set of goals. Those concerning Huawei were described in the 2010 document.
“If we can determine the company’s plans and intentions,” an analyst wrote, “we hope that this will lead us back to the plans and intentions of the PRC,” referring to the People’s Republic of China. The N.S.A. saw an additional opportunity: As Huawei invested in new technology and laid undersea cables to connect its $40 billion-a-year networking empire, the agency was interested in tunneling into key Chinese customers, including “high priority targets — Iran, Afghanistan, Pakistan, Kenya, Cuba.”
The documents offer no answer to a central question: Is Huawei an independent company, as its leaders contend, or a front for the People’s Liberation Army, as American officials suggest but have never publicly proved?
Two years after Shotgiant became a major program, the House Intelligence Committee delivered an unclassified report on Huawei and another Chinese company, ZTE, that cited no evidence confirming the suspicions about Chinese government ties. Still, the October 2012 report concluded that the companies must be blocked from “acquisitions, takeover or mergers” in the United States, and “cannot be trusted to be free of foreign state influence.”
Huawei, which has all but given up its hopes of entering the American market, complains that it is the victim of protectionism, swathed in trumped-up national security concerns. Company officials insist that it has no connection to the People’s Liberation Army.
William Plummer, a senior Huawei executive in the United States, said the company had no idea it was an N.S.A. target, adding that in his personal opinion, “The irony is that exactly what they are doing to us is what they have always charged that the Chinese are doing through us.”
“If such espionage has been truly conducted,” Mr. Plummer added, “then it is known that the company is independent and has no unusual ties to any government, and that knowledge should be relayed publicly to put an end to an era of mis- and disinformation.”
Blocked at Every Turn
Washington’s concerns about Huawei date back nearly a decade, since the RAND Corporation, the research organization, evaluated the potential threat of China for the American military. RAND concluded that “private Chinese companies such as Huawei” were part of a new “digital triangle” of companies, institutes and government agencies that worked together secretly.
Huawei is a global giant: it manufactures equipment that makes up the backbone of the Internet, lays submarine cables from Asia to Africa and has become the world’s third largest smartphone maker after Samsung and Apple.
The man behind its strategy is Ren Zhengfei, the company’s elusive founder, who was a P.L.A. engineer in the 1970s. To the Chinese, he is something akin to Steve Jobs — an entrepreneur who started a digital empire with little more than $3,000 in the mid-1980s, and took on both state-owned companies and foreign competitors. But to American officials, he is a link to the People’s Liberation Army.
Acting to Block a Chinese Telecom Giant
Over the past seven years, the United States government has taken steps to block the Chinese telecommunications and internet giant Huawei from gaining a foothold here, fearing that the company could act on behalf of the Chinese military to gain access to government and corporate secrets. The company was founded in 1987 and by the mid-90s had begun making inroads into the U.S. telecom equipment market.
U.S. RELATIONS WITH HUAWEI
2003–4 Cisco sues Huawei for stealing source code; the suit is settled with neither side revealing terms.
2005 The Air Force hires the RAND corporation to examine threats from Chinese networking firms; it concludes there is a “digital triangle” of Chinese military, state research groups, and companies like Huawei.
2007 The National Security Administration begins its “Shotgiant” effort to pierce Huawei’s networks and exploit its systems.
2008 The U.S. blocks Huawei from buying 3Com on national security grounds.
2010 The U.S. persuades Australia to kill a plan to let Huawei build a national broadband network.
2011 In an open letter to the U.S., Huawei denies that it is a front for the Chinese government, and invites investigation.
2012 The House Intelligence Committee produces a long report urging the U.S. to “block acquisitions, takeovers or mergers” with Huawei, and to exclude its equipment from U.S. systems.
2013 The U.S. approves purchase of Sprint Nextel by Softbank Corporation, but under conditions that probably exclude Huawei equipment.
Vice President Joseph R. Biden Jr., on a trip to Seoul, urges South Korea to kill a contract for Huawei to build an advanced telecom network for Seoul.
They have blocked his company at every turn: pressing Sprint to kill a $3 billion deal to buy Huawei’s fourth generation, or 4G, network technology; scuttling a planned purchase of 3Com for fear that Huawei would alter computer code sold to the United States military; and pushing allies, like Australia, to back off from major projects.
As long ago as 2007, the N.S.A. began a covert program against Huawei, the documents show. By 2010, the agency’s Tailored Access Operations unit — which breaks into hard-to-access networks — found a way into Huawei’s headquarters. The agency collected Mr. Ren’s communications, one document noted, though analysts feared they might be missing many of them.
N.S.A. analysts made clear that they were looking for more than just “signals intelligence” about the company and its connections to Chinese leaders; they wanted to learn how to pierce its systems so that when adversaries and allies bought Huawei equipment, the United States would be plugged into those networks. (The Times withheld technical details of the operation at the request of the Obama administration, which cited national security concerns.)
The N.S.A.’s operations against China do not stop at Huawei. Last year, the agency cracked two of China’s biggest cellphone networks, allowing it to track strategically important Chinese military units, according to an April 2013 document leaked by Mr. Snowden. Other major targets, the document said, are the locations where the Chinese leadership works. The country’s leaders, like everyone else, are constantly upgrading to better, faster Wi-Fi — and the N.S.A. is constantly finding new ways in.
Hack Attacks Accelerate
Chinese state attacks have only accelerated in recent years, according to the current and former intelligence officials, who spoke on condition of anonymity about classified information.
A dozen P.L.A. military units — aside from Unit 61398 — do their hacking from eavesdropping posts around China, and though their targets were initially government agencies and foreign ministries around the world, they have since expanded into the private sector. For example, officials point to the First Bureau of the army’s Third Department, which the N.S.A. began tracking in 2004 after it hacked into the Pentagon’s networks. The unit’s targets have grown to include telecom and technology companies that specialize in networking and encryption equipment — including some Huawei competitors.
For some of its most audacious attacks, China relies on hackers at state-funded universities and privately owned Chinese technology companies, apparently as much for their skills as for the plausible deniability it offers the state if it gets caught. The N.S.A. is tracking more than half a dozen such groups suspected of operating at the behest of the Chinese Ministry of State Security, China’s civilian spy agency, the officials said.
Their targets, they noted, closely align with China’s stated economic and strategic directives. As China strove to develop drones and next-generation ballistic and submarine-launched missiles in recent years, the N.S.A. and its partners watched as one group of privately employed engineers based in Guangzhou in southern China pilfered the blueprints to missile, satellite, space, and nuclear propulsion technology from businesses in the United States, Canada, Europe, Russia and Africa.
And as China strove to make its own inroads on the web, officials said another group of private hackers infiltrated Google, Adobe and dozens of other global technology companies in 2010. Lately, the officials said, that group and its counterparts are also going after security firms, banks, chemical companies, automakers and even nongovernment organizations.
“China does more in terms of cyberespionage than all other countries put together,” said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington.
“The question is no longer which industries China is hacking into,” he added. “It’s which industries they aren’t hacking into.”