The equities of telco cyber exploitation: 5G and the Huawei ban – Observer Research Foundation

My article for the Observer Research Foundation:

The Indian government has commenced the trials of 5G technology, but the Chinese company Huawei is notably absent from the list of approved vendors. The Indian strategic community is almost unanimously supportive of the decision, concerned about the emerging Chinese hegemony around 5G standards and architecture. Although think tanks and experts have delved into some of the technical intricacies of 5G, the commentary remains largely polemical and rooted in the complicated verbiage of Sino-Indian geopolitics.

It is worth briefly deconstructing the nature of the threat posed by telco networks, why they are deemed so critical to Indian national security imperatives, and the kinds of exploits and vulnerabilities that cyber adversaries have used to subvert them. Doing so may paint a slightly different picture and offer a more nuanced take on China’s forays into 5G.

In the words of General Michael Hayden, cyber, as a domain of intelligence and military operations, remains “hideously over-classified.” And because of the lack of empirical data points, the explanations presented here are based on past precedents.

Cyber operations, vulnerability discovery, and exploitation exhibit a kind of incrementalism as well as evolutionary traits. Specialised exploit engineers and cyber operators work in an epistemic bubble where knowledge circulates among a select group of peers. And the nature of the threat landscape has remained eerily consistent over the last two decades, consistent enough for us to make projections and educated guesses by relying on that incrementalism.

Hence, extrapolating from past precedents is reliable enough for us to broadly understand the technical security dynamics underpinning the rhetoric around 5G. The argument put forth here was also inspired by a related exchange of ideas with an officer of the Indian Army who was working on an approach paper on 5G. That he left the discussion even less convinced of the popular narrative on 5G threats than he had been at the start could be deemed a pyrrhic victory.

Past cyber infiltration operations

Telco networks are generally riddled with cyber implants of foreign intelligence services. The malware Regin—discovered in 2014 and attributed to the famed Tailored Access Operations (TAO) team of the US intelligence agency, National Security Agency (NSA)—sat at the base station and master station controllers of Indian mobile operators for years.

Another likely NSA operation backdooring Cisco routers was discovered at the edge network of India’s largest mobile operator in 2015—with the intrusion possibly going undiscovered for years.

A Tailored Access Operations (TAO) counterintelligence operation during the 2004 Summer Olympics at Athens to compromise Vodafone later went rogue and turned into a murder mystery.

SECONDDATE was another of NSA’s brilliant operations to hack into the National Telecommunication Corporation, the government-owned telco of Pakistan. It specifically targeted the backbone switching network running on ZTE and catering to VIP communications (similar to India’s encrypted RAX).

APT 41, a cyber-espionage group linked to the Chinese state, was recently seen lurking in a Linux system acting as the Short Message Service Centre of a mobile operator. APT 10, another Chinese group backed by the Ministry of State Security, has been linked to global telco intrusions. As per CrowdStrike, Iran and Russia, too, have “heavily targeted the data-rich telecommunications sector.”

Telco security researcher Emmanuel Gadaix once discovered a live cyber intrusion in a mobile network and gave a detailed, nail-biting account at a conference.

The significance of telcos to espionage

But the question arises, why are spies so attracted to telcos? The answer is simple—they provide the most crucial vantage point allowing one to pivot from mass surveillance to targeted operations.

Telephony and data have long converged, so the billing databases, the routing information, the downstream networks and even the lawful interception apparatuses (managed by the telcos on behalf of their host governments) provide mounds of intelligence.

Cyber intrusions at scale are all about balancing costs against benefits. Large-scale operations are unstable and ephemeral by their very nature; their targeting and reach need to be limited to hide the signal within the noise.

Cyber espionage is also recursive and self-fulfilling in a way. The idea, sometimes, is not to gather topical intelligence but to keep on increasing the “compromise boundary,” thus expanding target selection and coverage in an exponential manner, ad infinitum.

Jason Kichen, a former cyber operator with the US government and a respected figure within the US Intelligence Community, has an evident fascination with telco targeting. In Kichen’s words, telco exploitation is “upstream targeting” and “at some point, [upstream telco] targets of immense value will present opportunity to collect the most sensitive [down]streams of intelligence imaginable.”

Even the lawful interception infrastructure—maintained by the telcos as a prerequisite to obtain an operating license—can provide an invaluable insight into the intelligence imperatives of the host government. It is exactly why the NSA held a roundtable on “Exploiting Foreign Lawful Intercept.”

To borrow from spymaster James Jesus Angleton, telco networks are a veritable wilderness of mirrors. They are a hodgepodge of TCP/IP networks, flavours of Unix-based operating systems, commercial database and traffic analytics software, and specific signalling and switching equipment for 2G, 3G, 4G, and 5G. Their heterogeneity and backward compatibility become the most potent attack surfaces.

At this juncture, it becomes crucial to demolish a prevalent notion that 5G is some kind of technological monolith. 5G, too, is a mishmash of the old and the new.

In a timely coincidence, the US government has just released a report, “Potential Threat Vectors to 5G Infrastructure”. Almost all the systemic risks cited by the report, such as the subversion of standards, supply chain and architecture, squarely match the prevalent threat perceptions related to telco networks. The vulnerabilities have been well known.

It is a truism that vulnerabilities are a product of complexity, and complexity alone. They are the unexpected outcomes of operating a complex, heterogeneous network wherein billions of layers of abstraction at the hardware and software levels toss data around. As a result, the behaviour of the complex system acquires an ‘emergent property’, i.e., complexity itself becomes the driver of the architecture. In his keynote at NATO CyCon 2018, the celebrated malware reverse engineer Thomas Dullien goes to great lengths to explain the nature of such complexity.

To the outside world, software and hardware seem to operate with mathematical precision; in reality, they are mostly a statistical approximation of the expected states. It is almost impossible to predict how the data may end up as it passes through billions of layers of abstraction and the interfaces between them. A hacker or an exploit engineer experiments with this ambiguity to throw the system into states never intended by its designer or programmer; a system driven into such states is a “weird machine” in hacking parlance.

As a result, the line between vulnerability and expected behaviour becomes so thin that evaluating the security of a computing system, or even determining whether it is compromised in the first place, becomes mathematically impossible.

Chikermane writes, “New Delhi has made it mandatory that 5G telecom equipment should be tested and certified by the Telecom Engineering Centre.” It becomes amply clear that testing an isolated piece of equipment in a lab would never reproduce the complex networked state, which becomes the wellspring of vulnerabilities.

Dullien also makes a pivotal, extremely crucial observation that the emergent property seeds the starkest dichotomy: Ownership and control of assets in cyberspace do not necessarily overlap. Proving that the concept of “one controls what one owns” becomes a fundamental computer science problem, as the data gets manipulated by layers upon layers. In that sense, absence of the Chinese government or Huawei from the network may not mean that it has relinquished control.

There are only two possible home-field advantages when, say, a government is able to exercise hegemony on a technology like 5G; the first being access. Access is a crucial enabler for intelligence. The last two decades of US cyber dominance—nostalgically dubbed as “the golden age of surveillance”—were singularly catalysed by the access-based advantages offered by American IT vendors dominating the global networking standards and business.

But access-based advantages are somewhat rudimentary and are subject to the volatility of geopolitics. They certainly are not treated as the mainstay of surveillance. In fact, it would be safe to assume that reliance on access-based operations leveraging standards, vendors, and equipment under one’s control becomes an undesirable risk or dependence for the cyber operator.

It is exactly why the playing field for cyber espionage gets levelled by expeditionary operations, which are meant to compensate for dwindling or no access. It is exactly why NSA’s TAO existed in the first place—despite the US boasting of global dragnets of passive collection; or how China, Russia, Iran, and North Korea, lacking any access-based advantage, still managed to meet their regimes’ imperatives with spectacular success.

Barring Huawei in favour of another vendor offers little respite as far as the rapidly evolving and aggressive scene of expeditionary cyber operations goes. It becomes mere picket-fencing, as vendor bans may not even minimise attack surfaces or threat perceptions in a complex, internetworked environment. China has developed a critical mass of exploit engineers and is globally respected for breaking into all kinds of systems.

The second home-field advantage is the ability to introduce backdoors in the equipment. As is evident from the SolarWinds hack, that is definitely not limited to the host government. And backdoors are a double-edged sword. Dumb or simple backdoors (the likes of which the Chinese government is often accused of) are easy to detect. Making the backdooring process complex also does not alleviate the risk of discovery or, worse, exploitation by a third party.

The Dual EC DRBG backdoor introduced by the NSA in the equipment of Juniper Networks is a case in point. It was later discovered that a foreign intelligence service (possibly Chinese) had gotten a whiff and actively exploited it to target American corporations; Ben Buchanan offers a riveting account in The Hacker and the State. Nonetheless, carefully engineered, harder-to-detect hardware or software Trojan horses may certainly be advantageous for blended or close access operations—but their instantiation needs to be severely curtailed to avoid exposure.

Backdoors simply may not work when you desperately want them to. It is exactly why they are assigned the highest security classification NOBUS (Nobody but Us) in the US government, considering their fragility and how crucial they are for its signals intelligence missions.
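The Dual EC mechanism mentioned above is worth seeing in miniature, because it makes concrete why a trapdoored constant is a liability to everyone rather than a dependable NOBUS capability: whoever holds the scalar relating the generator's two public points can recover its internal state from a single output block, and nothing in the output marks the generator as compromised. The following is an added example, not code from the article, from Juniper, or from any standard or product; it reimplements the Shumow and Ferguson (2007) observation on a tiny constructed curve. The prime 251, the curve y² = x³ + 7, the trapdoor scalar 37, the minimum base-point order and the seeds are all assumptions chosen to keep the arithmetic small, and the real generator's 16-bit output truncation (which only adds a small brute-force step for the trapdoor holder) is omitted.

```python
# Toy model of the Dual EC DRBG trapdoor (Shumow and Ferguson, 2007) over a tiny
# curve. Added example: not code from the article, from Juniper or from any real
# implementation. Prime, curve, trapdoor scalar and seeds are constructed values.
PRIME = 251            # p % 4 == 3, so a modular square root is a single pow()
A, B = 0, 7            # y^2 = x^3 + A*x + B over GF(PRIME)
TRAPDOOR = 37          # secret e with P = e*Q; a real deployment never reveals it

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; ec_mul(0, pt) is infinity."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    rhs = (x ** 3 + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if (y * y) % PRIME == rhs else None

def point_order(pt):
    """Smallest k > 0 with k*pt = infinity (cheap on a toy curve)."""
    k, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        k += 1
    return k

def make_constants(e=TRAPDOOR, min_order=50):
    """Pick a base point Q of usable order and derive P = e*Q. Honest users of
    the generator see only (P, Q); the trapdoor holder also knows e."""
    for x in range(PRIME):
        Q = lift_x(x)
        if Q is not None and point_order(Q) >= min_order:
            return ec_mul(e, Q), Q
    raise RuntimeError("no suitable base point")

P_PUB, Q_PUB = make_constants()

def dual_ec_step(state, P=P_PUB, Q=Q_PUB):
    """One Dual EC block: r = x(s*P); next state = x(r*P); output = x(r*Q).
    Returns None if an intermediate hits infinity (only happens on a toy curve).
    Real Dual EC also truncates the top 16 bits of the output; omitted here."""
    sP = ec_mul(state, P)
    if sP is None:
        return None
    r = sP[0]
    rP, rQ = ec_mul(r, P), ec_mul(r, Q)
    if rP is None or rQ is None:
        return None
    return rP[0], rQ[0]

def recover_next_state(output, e=TRAPDOOR, Q=Q_PUB):
    """Trapdoor holder: lift the public output x to R = +/-(r*Q); then
    x(e*R) = x(r*P) is exactly the generator's next internal state."""
    R = lift_x(output)
    S = ec_mul(e, R) if R is not None else None
    return None if S is None else S[0]

def predict_next_block(seed):
    """Run two blocks honestly, then predict block 2 from block 1 alone using
    the trapdoor. Returns (predicted, actual), or None if the toy run degenerated."""
    first = dual_ec_step(seed)
    second = dual_ec_step(first[0]) if first else None
    if second is None:
        return None
    guess = recover_next_state(first[1])
    forward = dual_ec_step(guess) if guess is not None else None
    return (forward[1] if forward else None), second[1]

if __name__ == "__main__":
    for seed in range(1, 6):   # constructed seeds
        print("seed", seed, "(predicted, actual) =", predict_next_block(seed))
```

Running the block prints, for a few constructed seeds, the block-two output that the trapdoor holder predicts from block one alongside what the honest generator actually emits; the two agree whenever the toy run does not degenerate. The defensive point sits in `make_constants`: a user of the generator is handed only `P_PUB` and `Q_PUB`, and no test on those two points or on the output stream distinguishes a pair chosen at random from one with a known relation. That is why the only real mitigations are constants generated in a verifiably random, reproducible way, or avoiding the construction altogether, as NIST eventually did by removing Dual EC from SP 800-90A.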

The conclusions of this brief detour into the esoteric world of exploitation are simple: The Indian security establishment must create an equities process to calculate and weigh telco vulnerabilities against its national security risks and foreign policy estimations. It may then realise that the solutions may not be as simple as banning Huawei—that just makes the job of Chinese hackers a bit harder.

In fact, crucial emphasis must be laid on systemic, whole-of-government capacity building initiatives on extremely vital technological areas like cryptanalysis (deemed as the ultimate tier of strategic capability at par with nuclear), cyber electromagnetic activities and exploit engineering.