Showing posts with the label malware.

Friday, February 8, 2019

Rogue Country, Rogue Company

Huawei's access to 5G expands China's surveillance state
By Joseph Marks

A surveillance camera is seen next to a Huawei sign outside a shopping mall in Beijing on Jan. 29. 

The United States’ top cyber diplomat just offered an unusually blunt warning to other nations: Allowing Huawei and other Chinese companies into their next-generation telecommunications networks would allow Beijing to expand its surveillance state around much of the globe.
The argument from Rob Strayer, the State Department’s top cyber official, was the most elaborate public case a U.S. official has made against Huawei’s inclusion in 5G networks.
It follows a months-long pressure campaign by U.S. officials to ban the Chinese telecom giant from 5G in Canada, Britain, Europe and elsewhere.
“A country that uses data in the way China has — to surveil its citizens, to set up credit scores and to imprison more than 1 million people for their ethnic and religious background — should give us pause about the way that country might use data in the future,” Strayer said Wednesday at the Center for Strategic and International Studies think tank.
“It would be naive to think that country, [given] the influence it has over its companies, would act in ways that would treat our citizens better than it treats its own citizens.”
The Trump administration is considering an executive order that would effectively allow it to ban Huawei and other Chinese companies from U.S. telecom systems, but even that wouldn't fully protect U.S. information because data moves so easily across national borders.
Even sensitive U.S. government information would remain vulnerable if officials were communicating with allies who allowed Huawei on their 5G networks, Strayer said.
“There’s so much data flowing around the world, it’s impossible to just isolate one country’s networks and think: ‘That’s okay, I’m fine,’” he said.
The transition to 5G, which is in its earliest stages, will mark a massive development in mobile technology.
It will offer far faster download speeds and the ability to run billions more devices on mobile networks, including smart devices such as autonomous vehicles and powerful artificial intelligence systems.
While it will be five or more years before the system is fully operational, a lot of the contracts to create its basic building blocks will be negotiated this year.
That exponential increase in connectivity, however, will also “dramatically increase the networks’ threat vectors and attack surfaces,” Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, told me — especially if a U.S. adversary controls large portions of it.
China could leverage Huawei’s position in 5G networks to steal trillions of dollars of intellectual property and to implant malware on adversaries’ networks. 
It could even shut down parts of those networks amid geopolitical conflicts. 
Strayer’s concerns would apply to any Chinese company, though Huawei is, by far, the most prominent example.
The move against Huawei isn’t limited to 5G developments.
Congress banned the company from U.S. government networks last year amid fears it would be used as a Chinese government spying tool and the Federal Communications Commission has proposed a rule that would allow it to ban the company from smaller networks that accept federal grants, where the company has its strongest foothold.
The Justice Department also indicted Huawei’s chief financial officer and two affiliates in January, alleging a host of crimes, including stealing robotics technology from T-Mobile and violating sanctions against Iran.
But the United States’ international lobbying campaign against Huawei goes a step further, seeking to restrict China from playing a key role in an entire generation of digital development.
Its success or failure could determine the fate of Internet security for years, Strayer said.
“We’re talking to partners around the world about this as they upgrade to 5G. We’re raising it at the highest diplomatic levels,” Strayer said.
“The generational nature of 5G, the transformational nature of it means there will be a whole generation of lock-in.”

Thursday, January 10, 2019

Chinese Peril

Chinese-made Metro car could spy on us
By Robert McCartney and Faiz Siddiqui

Metro tests out its 7000-series subway cars in 2014 at the Shady Grove station in Maryland. 

The warnings sound like the plot of a Hollywood spy thriller: The Chinese hide malware in a Metro rail car’s security camera system that allows surveillance of Pentagon or White House officials as they ride the Blue Line — sending images back to Beijing.
And sensors on the train secretly record the officials’ conversations. 
Or a flaw in the software that controls the train — inserted during the manufacturing process — allows it to be hacked by Chinese agents and terrorists to cause a crash.
Congress, the Pentagon and industry experts have taken the warnings seriously, and now Metro will do the same. 
The transit agency recently decided to add cybersecurity safeguards to specifications for a contract it will award later this year for its next-generation rail cars following warnings that China’s state-owned rail car manufacturer could win the deal by undercutting other bidders.
Metro’s move to modify its bid specifications after they had been issued comes amid China’s push to dominate the multibillion-dollar U.S. transit rail car market. 
The state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. 
The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency’s newest series of rail cars.
CRRC’s success has raised concerns about national security and China’s growing footprint in the U.S. industrial supply chain and infrastructure.
“This is part of a larger conversation about this country and China, and domination of industries,” said Robert J. Puentes, president of the Eno Center for Transportation. 
“We don’t want to get trapped into a xenophobic conversation . . . but we also don’t want to be naive.”
No U.S. company makes subway cars, so China competes in that market against companies from Asia, Europe and Canada. 
But U.S. companies build freight rail cars, such as boxcars and tank cars, and they fear China will target them next.
That could cost U.S. manufacturing jobs. 
It also could increase the risk of a cyberattack that cripples domestic rail transportation in a military confrontation or other national emergency.
“China’s attack on our rail system is insidious and ingenious,” retired Army Brig. Gen. John Adams wrote in an October report distributed by the Rail Security Alliance, a U.S. industry group. “We must retain the know-how and technology to . . . safeguard against disruption of this strategically vital sector of our economy.”
China makes no secret of its desire to dominate the global rail car industry. 
Its “Made in China 2025” economic strategy proposes to seek competitive advantage in that sector, among others.
Both the U.S. Senate and House have sought to block further Chinese penetration of the transit vehicle market. 
Each chamber has inserted language in annual transportation appropriations bills to impose a one-year ban on new purchases of mass transit rail cars or buses from Chinese-owned companies if the procurement uses federal funding. 
The ban is not yet law, as final action has been put off until this year.
Sen. John Cornyn (R-Tex.) sponsored the Senate ban. 
His spokeswoman said it reflected his “concern over China’s market distorting practices and their whole government effort to dominate industries sensitive to our national security.” 
Texas is home to Trinity Industries, a leading U.S. rail car company.
A ban on purchases from China could penalize financially pressed transit systems such as Metro, which may want to take advantage of CRRC’s low prices. 
The Chinese company is able to underbid competitors because of state subsidies.
CRRC did not respond to emails requesting comment.
Rep. Gerald E. Connolly (D-Va.) said Metro should be willing to pay extra if necessary.
“Saving a buck isn’t worth compromising security in the nation’s capital,” Connolly said. 
“If there are valid security concerns about sourcing rail cars from a Chinese state-owned company, then find another option.”

New requirement
In picking the winner of the contract, Metro is legally required to follow guidelines it set in a lengthy request for proposals, or RFP, which it issued in September and will now revise to include the cybersecurity safeguards. 
The changes are expected to require the winning bidder get its hardware and software certified as safe by a third-party vendor cleared by the federal government.
“We are working on amended language right now that will require certain security assurances,” said Kyle Malo, Metro’s chief information security officer. 
He declined to single out China as a threat but noted, “There are countries that are far more aggressive with cyberattacks than others.”
Bids for the Metro contract are due April 4. 
The original deadline, in late January, was extended because Metro received more than 300 questions from potential bidders.
Metro decided to revise the RFP after questions were raised by board member David Horner, who represents the federal government and is a former U.S. deputy assistant secretary of transportation.
“My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner said. 
“These risks are today not widely understood, but their significance is becoming apparent very quickly.”
Horner’s concerns were reinforced in a Nov. 16 online article by Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council. 
It warned that Metro’s RFP did not allow the transit agency to reject a bid because of cybersecurity worries.
“The risk of espionage is uniquely high in our nation’s capital,” Grotto, now a fellow at Stanford University’s Center for International Security and Cooperation, said in an email. 
“Malware could divert data collected from the high definition security cameras. An adversary with that data could then use facial recognition algorithms to track riders, potentially right down to the commuting patterns of individual riders.”
The Pentagon also is concerned China could use infrastructure such as rail cars for spying. 
It pointed to recent U.S. charges of the massive, Beijing-backed hacking of business secrets as evidence of the country’s bad practices.
“As illustrated by the Dec. 20 Department of Justice indictment against the Chinese Ministry of State Security, the Chinese Communist Party’s use of predatory economic practices like illegal state-sponsored cybertheft reinforce concerns about Chinese companies playing a role in critical infrastructure — whether it be rail cars or 5G telecommunications networks,” said Air Force Lt. Col. Mike Andrews, a Defense Department spokesman.
China has previously been accused of embedding spying technology in its products. 
In May, the Pentagon directed service members on military bases to stop using phones made by the Chinese companies ZTE and Huawei because of security risks. 
In 2017, the Department of Homeland Security found that Chinese-made security cameras had a “back door” loophole that left them vulnerable to hackers.
The Wall Street Journal reported that the Chinese company’s cameras have been used at a U.S. Army base in Missouri and the U.S. embassy in Afghanistan.

City contracts
CRRC’s first big success in the U.S. subway market came in 2014, when it won a contract to build rail cars for the Boston transit authority. 
In 2016, it landed deals with systems in Chicago, Los Angeles and Philadelphia.
Agencies said CRRC had the most competitive bids — sometimes besting competitors by hundreds of millions of dollars. 
Since then, officials in some cities have complained their rail car costs may rise because of a 25 percent tariff on Chinese-made rail car components imposed by the Trump administration as part of its trade conflict with Beijing. 
Such tariffs could be removed if current U.S.-Chinese trade talks are successful.
The four transit systems said they have taken significant steps to ensure their rail cars are not outfitted with spyware or other suspicious technology. 
Critics questioned whether the safeguards were adequate.
Brian Steele, a spokesman for the Chicago Transit Authority, said the agency received bids from CRRC and Canada-based Bombardier for the construction of 846 rail cars in 2016, along with a $40 million final-assembly facility in Chicago creating 170 jobs.
“The biggest difference in the two proposals was cost,” Steele said. 
He said CRRC’s $1.3 billion bid was $226 million lower than Bombardier’s offer, a difference equivalent to 146 more rail cars.
Steele said none of the rail cars’ computer or software components will be made by a Chinese firm. He said U.S. and Canadian companies are supplying the car’s Ethernet and router components, while the “automatic train control” system will be supplied by a Pennsylvania firm.
The Massachusetts Bay Transportation Authority has awarded more than $840 million for the construction of 404 new subway cars at CRRC’s manufacturing plant in Springfield, Mass. 
That plant, a $95 million facility, comes with 150 jobs, according to media reports. 
CRRC won the initial award with a $567 million bid, which was $154 million lower than the nearest competitor, according to an Eno report.
An MBTA spokesman said none of the new vehicles’ software components are being produced in China.
“The MBTA has robust controls in place to maintain the security of the system,” spokesman Joe Pesaturo said in an email.
Pesaturo said MBTA’s design process for new rail cars includes a cybersecurity analysis based on a U.S. Department of Defense military system safety standard.
Grotto, the former National Security Council official, said the security measures described by the transit agencies were “appropriate” but expressed concern about how they would be implemented.
“Who is responsible and held accountable for seeing these results through? How will monitoring and auditing work?” Grotto said.
Erik Olson, vice president of the Rail Security Alliance, called the assurances “overly simplistic and naive.”
“Do we really want our municipal transit agencies to take these kinds of cyber-risks, knowing that China has deployed some of the most advanced facial recognition technology, has been responsible for hacks into our critical infrastructure, and has laid out a plan to decimate many of our industries by 2025?” Olson said in an email.

Tuesday, May 16, 2017

The Chinese Thief Crying about Theft

China, Addicted to Bootleg Software, Reels From Ransomware Attack
By PAUL MOZUR

A PetroChina pump in Beijing. The hacking caused electronic payment systems at gas stations run by the state oil giant to be cut off for much of the weekend. 

HONG KONG — China is home to the world’s largest group of internet users, a thriving online technology scene and rampant software piracy that encapsulates its determination to play by its own set of digital rules.
But as the country scrambles to recover from a global hacking assault that hit its companies, government agencies and universities especially hard, the risks of its dependence on pirated software are becoming clear.
Researchers believe large numbers of computers running unlicensed versions of Windows probably contributed to the reach of the so-called ransomware attack, according to the Finnish cybersecurity company F-Secure.
Because pirated software usually is not registered with the developer, users often miss major security patches that could ward off assaults.
It is not clear whether every company or institution in China affected by the ransomware, which locked users out of their computers and demanded payment to allow them to return, was using pirated software. 
But universities, local governments and state-run companies have networks that depend on unlicensed copies of Windows.
Microsoft and other Western companies have complained for years about widespread use of pirated software in a number of countries that were hit particularly hard by the attack. 
A study last year by BSA, a trade association of software vendors, found that 70 percent of software installed on computers in China was not properly licensed in 2015.
Russia, at 64 percent, and India, 58 percent, were close behind.
Zhu Huanjie, who is studying network engineering in Hangzhou, China, blamed a number of ills for the spread of the attack, including the lack of security on school networks. 
He said piracy was also a factor. 
Many users did not update their software to get the latest safety features because of a fear that their copies would be damaged or locked, while universities offered only older, pirated versions.
“Most of the schools are now all using pirate software, including operation system and professional software,” he said.
“In China, the Windows that most people are using is still pirated. This is just the way it is.”
On Monday, some Chinese institutions were still cleaning computer systems jammed by the attack. Prestigious research institutions like Tsinghua University were affected, as were major companies like China Telecom and Hainan Airlines.
China’s securities regulator said it had taken down its network to try to protect it, and the country’s banking regulator warned lenders to be cautious when dealing with the malicious software.
Police stations and local security offices reported problems on social media, while university students reported being locked out of final thesis papers. 
Electronic payment systems at gas stations run by the state oil giant PetroChina were cut off for much of the weekend. 
Over all, according to the official state television broadcaster, about 40,000 institutions were hit. 
Separately, the Chinese security company Qihoo 360 reported that computers at more than 29,000 organizations had been infected.
At China Telecom, one of the country’s three main state-run telecommunications providers, a similar scramble occurred over the weekend, according to an employee who was not authorized to speak on the matter. 
When a company-provided software patch did not work, the employee was told to use one from Qihoo 360, which supports pirated and out-of-date versions of Windows, the person said. 
A spokesman for China Telecom did not immediately respond to a request for comment.
On Monday, the main internet regulator, the Cyberspace Administration of China, quoted an unidentified person in charge of internet security saying that the ransomware was still spreading but the speed of transmission had slowed. 
It said that regulators overseeing banks, schools, the police and other groups had given orders to stop the risk and that it had instructed users on how to avoid exposure.
Using copied software and other media has become embedded in China’s computing culture, said Thomas Parenty, founder of Archefact Group, which advises companies on cybersecurity. 
People are under the impression that using pirated goods in China is legal, while others are simply not used to paying for software, he said.
Mr. Parenty cited an instance when he was working at the Beijing office of an American client. 
“It turned out every single one of their computers, all the software, was bootlegged,” he said.
The twin problems of malware and the unwillingness to pay for software are so ingrained that they have led to an alternative type of security company in China. 
Qihoo 360 built its business by offering free security programs; it makes money from advertising.
The issue has led to political battles between Microsoft and the Chinese government.
In a bid to get more organizations in China to pay for their software, Microsoft, which is based in Redmond, Wash., has tried education and outreach. 
It has also stopped distributing Windows on discs, which are easy to copy.
One effort in 2014 put it at loggerheads with Beijing.
At that time, Microsoft cut off support for Windows XP, an operating system that was about 14 years old but that was still widely used by the government and by Chinese companies. 
Many in China complained that the move showed that the country still relied on decisions made by foreign companies. 
An article by the official news agency Xinhua said that such corporate behavior could be considered anticompetitive. 
Microsoft later agreed to offer free upgrades and reached a deal with a state-run company that often works for the military to develop a version that catered to China.
The Chinese government has been less focused on software piracy — and more on building local alternatives to Microsoft. 
After leaks by the former intelligence contractor Edward J. Snowden about American hacking attacks aimed at monitoring China’s military buildup, leaders in Beijing accelerated a push to develop Chinese-branded software and hardware that would be harder to breach.
For now, however, much of China relies on Windows. 
And for all of the impact of the weekend’s cyberattack, Mr. Parenty said he did not think that there would be a big effect on attitudes toward pirated software.
“The only way I see this changing things is if the central government decides there is a risk to critical infrastructure from this threat and force people to buy legitimate software,” he said. 
“But I don’t see that happening right now.”

Wednesday, December 28, 2016

Theft Empire

Three Chinese accused of hacking law firms, insider trading
By Nate Raymond | NEW YORK


Three Chinese have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday.
Iat Hong of Macau, Bo Zheng of Changsha, China, and Chin Hung of Macau were charged in an indictment filed in Manhattan federal court with conspiracy, insider trading, wire fraud and computer intrusion.
Prosecutors said the men made more than $4 million by placing trades in at least five company stocks based on inside information from unnamed law firms, including about deals involving Intel Corp and Pitney Bowes Inc.
The men listed themselves in brokerage records as working at information technology companies, the U.S. Securities and Exchange Commission said in a related civil lawsuit.
Hong, 26, was arrested on Sunday in Hong Kong, while Hung, 50, and Zheng, 30, are not in custody, prosecutors said. 
Defense lawyers could not be immediately identified.
The case is the latest U.S. insider trading prosecution to involve hacking, and follows warnings by U.S. officials that law firms could become prime targets for hackers.
"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals," U.S. Attorney Preet Bharara in Manhattan said.
Prosecutors said that beginning in April 2014, the trio obtained inside information by hacking two U.S. law firms and targeting the email accounts of law firm partners working on mergers and acquisitions.
Prosecutors did not identify the two law firms, or five others they said the defendants targeted.
But one matched the description of New York-based Cravath, Swaine & Moore LLP, which represented Pitney Bowes in its 2015 acquisition of Borderfree Inc, one of the mergers in question.
The indictment said that by using a law firm employee's credentials, the defendants installed malware on the firm's servers to access emails from lawyers, including a partner responsible for the Pitney deal.
Cravath declined to comment. 
In March, Cravath confirmed discovering a "limited breach" of its systems in 2015.
Prosecutors also accused the defendants of trading on information stolen from a law firm representing Intel on the chipmaker's acquisition of Altera Inc in 2015.
Intel's merger counsel on the deal was New York-based Weil, Gotshal & Manges LLP. 
The law firm declined to comment.
In Beijing, Chinese Foreign Ministry spokeswoman Hua Chunying said she was aware of the reports about the case but knew nothing about it.
The case is U.S. v. Hong et al, U.S. District Court, Southern District of New York, No. 16-cr-360.