U.S. national security advisor Robert O’Brien recently sought to shut down debate about whether China tech giant Huawei installs “backdoors” in its gear. “We have evidence,” O’Brien announced on February 11, 2020, that wireless networks around the world have been compromised with access points that Beijing mandates. Well known are the concerns this raises for sensitive public and private sector data. Less understood is just how comprehensive Beijing’s strategy is—and how extensive its reach.

Issue

The Communist Party of China (CPC) directs the insertion of economy-wide commercial and communication infrastructure with “embedded and reserved interfaces [内部嵌入和预留接口]” that wire the world for access by PRC intelligence and security forces in service of Beijing’s technological and geostrategic goals.

    Implications

    Beijing’s potential to command and control key economic and information flows compromises public and private sectors and alters the character and trajectory of open markets and honest global governance.

      Actions

      Commercial entities need to assess their connectivity to PRC entities from a continuity of operations perspective and for information security purposes. Governments need to illuminate and effectively communicate CPC disruptive capabilities to the private sector, forging opportunities to act on shared interests.

        WE SAY BACKDOORS, BEIJING SAYS RESERVED INTERFACES

        The CPC is using internal government directives to mandate that Peoples Republic of China (PRC) manufacturers of information and communication hardware embed and reserve access for CPC agents at times of its choosing into a wide swath of sectors, including major infrastructure, industrial, and service systems. “Backdoors” is the common parlance in English. The CPC refers more explicitly to “embedded and reserved interfaces [内部嵌入和预留接口],” or close derivative terms, which likely include other vulnerabilities beyond backdoors that can be inserted and exploited by CPC actors.

        These interfaces hard wire an information-technology dependent world for seamless access and abuse by PRC intelligence and security forces. Here’s what we know:

        • Since about 2015 and in conjunction with CPC General Secretary Xi Jinping’s Military Civil Fusion (MCF) program to make PRC defense and intelligence an all-of-society enterprise, Beijing’s central and provincial commissions and military commands have issued directives mandating the structural tapping of devices and systems across economic sectors.
        • The CPC’s official daily from March 2015 calls for “the implementation of defense requirements through embedded and reserved interfaces” [内部嵌入和预留接口]. This report follows remarks that month by Xi to a PLA delegation at the National People’s Congress where he called for the in-depth implementation of MCF strategy in the interest of building a strong and resurgent military.
        • “Reserved interfaces” or “interfaces” are common terms in computing and IT literature, but here the term defies the common technical engineering objective of assuring interoperability. The backdoors Xi mandates must grant CPC agents convenient future data collection and operational access across transportation, information and communication, Internet of Things (IoT), and other “smart” infrastructure.

        ECONOMIC, NATIONAL SECURITY IMPLICATIONS FOR THE U.S. AND OTHERS

        “Reserved interfaces” provide Beijing with global capabilities to command and control key economic and information flows. They also allow for penetration of U.S. and allied systems and institutions to collect intelligence, disrupt operations, steal economic advantage, and co-opt them for the PLA’s operational purposes whenever requested. A raft of PRC laws and strategies—like MCF, which also includes relevant economic mobilization for defense plans, and Made in China 2025–require it.

        These actions and laws in turn facilitate Beijing’s economic development and geostrategic strategies. For example, the “Innovation Driven Development Strategy,” a keystone PRC plan to boost China’s status as a technological superpower, benefits from industrial-scale acquisition of foreign technology and know-how, by any and all means.

        Embedded and reserved interfaces threaten the United States and the global economy much more than simply providing the CPC additional espionage and data accumulation opportunities. Intent is also a significant factor. Recall in 2019 when electric vehicle pioneer Tesla, a commercially resourced company, remotely added battery capability to cars in Hurricane Dorian’s path. But imagine what a state-resourced actor with malevolent intent could accomplish. With backdoors, for example, the CPC now has the capability to attenuate systems that connect to a wide range of remote controllers.

        • Through embedded interfaces a remote actor could stop a ship bridge from raising as ocean traffic approaches and cause a collision that catastrophically interrupts ocean to river or port traffic.
        • Remote controllers could cause engines in power plants to overspeed, overheat, and damage their capability to generate electricity for hospitals, factories, storage facilities, server farms, offices, and neighborhoods.
        • Potentially fatal catastrophes attach to systems that manage access to traffic lights, tunnels and bridges, airports, and dams.

        NEXT STEPS FOR PRIVATE, PUBLIC SECTORS

        All of this puts the reported security vulnerabilities in Huawei gear in a new light.

        For example, in a 2019 report, the UK’s Huawei Cyber Security Evaluation Centre warned that Huawei had failed to address concerns about its software development and engineering practices. It also noted that the country’s National Cyber Security Centre did not “believe that the defects identified are a result of Chinese state interference.”

        “Believing” is no longer good enough. Both business and government should revisit assessments like this given what we now know about “reserved interfaces.”

        And until further information comes to light on the extent the CPC has succeeded in implementing its plans, any PRC part, product, firm, subsidiary, or partner should be viewed as a potential vector, wittingly or not.

        So where to focus efforts and what to do?

        • Companies should review the extent they are dependent on PRC firms, not only for supply chain risks but also for vulnerabilities in their command and control, economic, technology, and information security.
        • Traditional infrastructure like ports and associated logistics operations should review and address vulnerabilities in sensitive transportation information, to include U.S. military movements.
        • Infrastructure operations—airports, power plants, subways, bridges, financial exchanges, etc.—could suffer annoying to catastrophic impairments due to foreign sovereign interference. They must balance hardening systems with assuring resilience as well.
        • Both private and public sectors must increasingly engage with each other constructively to understand and respond to this shared risk.