Ep 7: Everything Everywhere All At Once

45m
The General Manager of an electric and water utility in Littleton, Mass. gets a surprise call from the FBI. At first he suspects the caller is a spammer, but soon he learns the agent is very real. Chinese hackers are lurking deep in his utility’s systems. And his is not the only one. Hundreds of other power, water and pipeline operations across the United States are getting hit. These targets have little to no intelligence value at all. But their potential for sabotage? Enormous.

In Episode 7, host and former New York Times cybersecurity reporter, Nicole Perlroth, revisits a hack, more than a decade ago, where the motive was not entirely clear at the time. In hindsight, it was the opening salvo.


Transcript

This is truly an everything, everywhere, all-at-once scenario.

We see it in the transportation sector, we see it in the water sector, we see it in the communication sector, we see it in the energy sector.

And the worst day is an everything, everywhere, all-at-once scenario.

There's no reason for them to be in our water.

There's no reason for them to be in our power.

This is a decision by an actor to actually focus on civilian targets.

That's not what we do.

Russia is much like a hurricane.

They're aggressive and come at us hard and fast.

But China is climate change.

I'm Nicole Perlroth, and this is To Catch a Thief.

Imagine you're the general manager for a local utility.

Your company handles power and drinking water for a population of about 15,000.

It has for more than a century.

Even at this relatively small scale, there are still miles of pipes and untold numbers of valves to maintain and keep an eye on.

Like utilities across the country, you've enlisted the help of technology, software, to keep the power on and the water flowing smoothly.

And save for hurricanes and the occasional downed power line, it has.

And then one Friday afternoon, you get a call.

It's the FBI.

They tell you, you've been compromised.

This is not a hypothetical.

Meet Nick Lawler.

Yep, Nick Lawler, general manager of the Littleton Electric Light and Water Departments in Littleton, Massachusetts.

Littleton is about the last place you'd expect would be a target for advanced nation-state hackers.

It's a small farming community, about a 45-minute drive west of Boston.

Yeah, it was the Friday before Thanksgiving.

I remember it being a beautiful day.

It's funny how you can remember certain things on a certain day when something like that happens, right?

I was out doing yard work, and the call actually came through to our assistant general manager at the time, and he sent the call to me.

It was a call directly from FBI offices in Boston, Massachusetts.

Did you think that this was an actual FBI agent, or did you think this was a spam call?

No.

He wanted me to give him my personal email address and he wanted to send me an email with a link to click to kind of figure out what was going on on our networks in Littleton.

It reminded me a lot of the Microsoft spam calls that you get that

your operating system's out of date and, you know, please send us an email and we'll get it up to date for you.

That's what it seemed like.

So I obviously didn't trust him.

And he kept on saying he needed to get it on our personal email so that way the threat actors couldn't detect his presence

Yeah, right. He was going to hand over his personal email and click on a link from some dude claiming to be from the FBI.

I really did not believe that it was real. Didn't believe him. I asked him to repeat his name. I then hung up the phone on him, and then looked up our local FBI Boston office telephone number. I called that directly, asked for that gentleman, and he was there, and he answered the phone and carried on the conversation like I didn't hang up the phone on him. I still didn't give him my email address and still didn't think it was real, still thought it was some sort of scam.

And we said, you know, if this is a real event and it's as serious as you say it is, then we'll see you in person.

On Monday morning, he was there at 10 o'clock sharp.

Then I got the call from the office and two gentlemen are here to see you.

One from Homeland Security and one from the FBI.

And I'm like, oh my God, this is real.

Okay.

From the X-Files?

Yeah, the X-Files.

The whole thing was like the movies.

And even at that point, you still don't believe it.

That's when they started talking about threat actors and really who they were.

They slid a document in front of us, you know, and it had right on there, you know, a nation state actor, Volt Typhoon.

And that's the first I ever heard of Volt Typhoon.

Volt Typhoon.

Volt Typhoon is industry code for Chinese state-sponsored hackers, but not just any hackers.

These guys were elite specialists tasked with one insidious mission, embedding themselves in our critical infrastructure.

The agents told him these specialists were inside his utility at that very moment and that it wasn't alone.

Some 200 other critical entities across the nation were hit too.

So they explained, they explained Volt Typhoon, and I remember saying to him, so we're under attack from China.

And he's like, who said China?

And I'm looking at the pamphlet right on there.

It says Volt Typhoon, a nation state threat actor from China.

I'm like, well, I don't know.

I mean, the paperwork says it.

But they're very diplomatic and very careful what they said.

They reiterated the 200 organizations that had been compromised.

They kept saying that we're the top priority of the federal government, which blew me away.

You know, because we're a small town.

You never would think that we were the focal point of the Chinese government trying to, you know, wreak havoc on our critical infrastructure.

Did you do one of these where you're just kind of like, what are you saying?

Like, what are you talking about?

What do you mean the Chinese government is inside our utility?

Yeah.

I'm an extremely direct individual and I was very blunt with them in what I was saying.

Even then, I still didn't believe it.

It just seemed too fake to me, seemed like a movie.

You start thinking, are these guys the threat actors? Anybody can go buy a suit and, you know, print out some pieces of paper and go show up at the utility. It came about saying, how can we be the top priority of the federal government? And we have pretty good contacts with the Department of Energy through our trade association, American Public Power Association. So I called down to our contacts and just said, you know, and there's a lot they can't tell me because I'm not, I don't have security clearances, and I just said, hey, did this just happen? Can you just tell me if Littleton is the top priority of the federal government?

And they laughed at me a little bit and then they said, well, what's going on?

And I mentioned Volt Typhoon.

And then it was just silence.

Like, okay.

Oh, my God.

By the time the two men from FBI and CISA, the cyber defense agency, arrived at Nick's office that Monday in 2023, Volt Typhoon had been in Littleton's networks for 10 months.

But beyond Littleton, they'd been burrowing into American infrastructure.

Ports, airports, railways, water, pipelines, the power grid, for years.

When you called up these other utilities and said, hey, this is what we've lived through.

This is real.

What was the response or range of responses?

Yeah, it is a range.

There's still some utilities that think they're too small, it'll never happen to them.

There's some utilities that think they're very good, and it won't happen to them.

But we need to be prepared and we need to have processes in place to be able to handle it and mitigate it as quickly as we can.

For Nick, the implications of this kind of infiltration are clear.

Chaos.

I mean, Americans can't live without power for 24 hours before they start losing their mind.

And we're very much involved in mutual aid, so we see firsthand after a hurricane hits how quickly you need to get the electricity restored to businesses and residents.

From what we can tell, Volt Typhoon is gaining access to multiple networks to be able to create havoc in the United States at a point in time.

And we could all guess what that point in time could be, and we'd probably all be wrong, but there was, you know, there's some thoughts that related to Taiwan.

The first inkling that the PRC might be pivoting into U.S. infrastructure had surfaced well over a decade ago, buried in the noise of 2012.

Late that year, a Canadian company you've never heard of, in an industry that's as dry as they come discovered it had been hacked badly by China.

This wasn't huge news.

At The Times, I was busy unspooling our own attack.

And remember, this was a period when every company with any data of interest was getting hacked by the CCP.

And at first glance, this case looked no different.

The victim was the Canadian division of a company called Telvent.

Telvent, a Madrid-based company, they make IT systems that monitor everything from electric utilities to traffic flow.

Telvent makes information technology systems, so-called smart grids.

Telvent's, quote, industrial automation software gives companies the ability to keep tabs on their oil and water pipelines and power lines from afar.

Using Telvent software, engineers can detect a pipeline leak 100 miles offshore or a faulty circuit breaker in the grid.

A water utility worker could use Telvent software to detect a burst pipe or potentially any unhealthy fluctuations in chemicals like fluoride.

If you've ever heard techies talk about software eating the world, this is what they mean.

We have been baking software into everything from our gas and water systems to your Domino's pizza order with nary a care for how all this digital convenience and connectivity might one day be used against us.

I had never heard of Telvent until I got a call from a guy named Dale Peterson.

Dale has spent his early career doing cryptography at NSA.

These days, he's one of the world's leading consultants in industrial control security, an especially terrifying subset of the cybersecurity industry that examines the myriad ways hackers can break into our pipelines, water systems, chemical plants, and well, you get the picture.

If there's an incident brewing at a utility or a pipeline, chances are Dale knows about it.

I think as soon as I heard about it, just because we hadn't seen them go after a target like this in a stealthy manner.

And as you know, you don't get a lot of details from these companies when they're hacked, but the details they did provide indicated that there was more than just a casual intrusion, that they had been in there in a while and they were getting deep into their system.

Dale has a cryptographer's calm, careful way about him.

He's not easily spooked.

But when he rang me in late 2012, he sounded noticeably shaken.

The thing that really got my attention was these remote connections to these other sites that I've been on the other end with customers.

I know that from that location, they used to connect in to support projects that were being deployed.

So it was something that put a lot of large, important companies at risk.

Key to what Dale just said are two words, remote connections.

Telvent software didn't just monitor critical infrastructure.

It had direct remote access.

And now that access belonged to Beijing too.

As Dale spoke, I googled Telvent.

And there, in big bright letters on its website, was the following stat.

Telvent software connected into more than half of the pipelines in North America.

Now, it's critical to place ourselves here.

This was 2012.

Russia wouldn't hack Ukraine's grid for another three years.

At that point, it was still hard to fathom why China's hackers would even want direct access to our water and gas pipelines.

We had yet to see any serious cyber attack on critical infrastructure anywhere in the world, with one notable exception.

The story of what we know about the Stuxnet virus begins in June of 2010.

Stuxnet was launched several years ago against an Iranian nuclear facility, almost certainly with some U.S. involvement.

It was discovered just a couple weeks ago, but has been worming its way undetected through hundreds of computers in Iran and elsewhere in the Middle East for at least two years.

To this day, Stuxnet remains the most sophisticated cyber attack on record.

For the uninitiated, Stuxnet was a joint U.S.-Israeli effort to sabotage Iran's nuclear program with code.

And it worked spectacularly for a time.

It was a computer worm that someone, we still don't know who exactly, injected into the computers at Iran's Natanz nuclear plant with a thumb drive.

And what that thumb drive unleashed was a string of zero days that enabled the worm to jump the air gap from engineers' computers on the IT side into the actual operations network, where the worm buried itself inside Natanz's nuclear enrichment operations, and specifically the computers that control Iran's uranium centrifuges.

Those centrifuges, they form the beating heart of Iran's nuclear aspirations.

Because to get weapons-grade uranium, you need to enrich uranium to a very high concentration of the isotope.

And that, that requires spinning thousands of centrifuges at unthinkable speeds.

We're talking more than 100,000 revolutions a minute.

But the rotors that spin these centrifuges, they're incredibly fragile and can be quite fickle.

They break all the time, and they're controlled by these specialized computers that monitor and dictate their speed.

And in 2009, those very computers were now controlled by code, working at the command of two of the world's most advanced intelligence agencies.

Stuxnet got to work spinning centrifuge rotors up.

Then it would sit back for a few weeks and do nothing.

Then it would slow the rotors way down.

Sleep, speed up.

Sleep, slow down.

Sleep, repeat.

And all the while, there was this Ocean's 11 quality to the whole operation.

If any of Natanz's engineers happened to be watching their computer screens, everything appeared to be spinning just fine.

When right under their noses, Stuxnet was actively destroying a fifth of Iran's uranium supply and pushing Tehran's nuclear ambitions back years, all carefully choreographed to look like a natural accident.

Inside Natanz, technicians couldn't make sense of it.

The centrifuges were breaking down, but careful inspection turned up nothing unusual.

Suspecting subterfuge, Natanz officials started turning on each other.

Several of the technicians were fired, and those remaining were told to physically guard the centrifuges with their lives.

And all the while, their computers told them everything was just fine.

The first inkling nuclear inspectors had that something was off here came in January 2010.

Security camera footage outside Natanz centrifuge rooms showed frantic technicians in white lab coats and blue plastic shoe coverings carting out centrifuge after centrifuge.

By public accounts, 2,000 of their 8,700 centrifuges were taken out.

It was, in many ways, the Digital Manhattan Project, only in reverse, because this was a counter-nuclear proliferation effort, and it was a masterpiece until the day it got out.

How it got out, we still don't know exactly.

But sometime in 2010, Stuxnet flew the coop, escaped Natanz, zoomed around the world, and infected hundreds of thousands of machines, including right here in the U.S. at companies like Chevron.

Chevron says its systems were at one point infected with Stuxnet.

Nobody admits to it, but it's widely assumed the United States or Israel's defense forces created that virus.

Now there's Flame, another virus apparently targeted at Iran.

It dwarfs Stuxnet.

Flame is 20 times the size of Stuxnet.

It spread all over the world.

Most of the infections that we saw were in Iran, but ultimately it escaped Iran and began to spread anywhere and everywhere.

If you had a Windows machine connected to the internet, you could get infected by Stuxnet, and it's still out there today spreading.

Now, it didn't do these systems any harm.

Our saving grace was that Stuxnet's code was clearly designed with lawyers standing over developers' shoulders.

The worm had been carefully calibrated to exact destruction only on the centrifuges at Natanz and nowhere else.

But once it was discovered, dissected, reverse engineered, Stuxnet showed the world, perhaps no one more so than our adversaries, the endless opportunities to use code for mayhem and destruction.

And it set new rules for the game.

You could now jump into another nation's most critical infrastructure, their nuclear labs.

And so long as you did it with code, you'd probably get away with it.

Here's Ralph Langner speaking at TED in 2011.

Ralph was among the first to dissect Stuxnet and to publicly point the finger at its makers, the U.S. and Israel.

And he was the first to warn the world that this weapon we had just unleashed could come boomeranging back on us.

This attack is generic.

It doesn't have anything to do in specifics with centrifuge, with uranium enrichment.

So it would work as well, for example, in a power plant or in an automobile factory.

It's a cyber weapon of mass destruction.

That's the consequence that we have to face.

So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States, in Europe, and in Japan.

As Ralph spoke those words, Iran was already preparing its retribution.

One year later, Tehran's hackers came for Saudi Aramco, a key source of U.S. oil.

And though they tried, they never did make the jump from Aramco's IT network into its pipelines.

Tehran's hackers were still light years behind those of the U.S. and Israel, but they still managed to decimate 30,000 Aramco computers on their way out.

And just in case their motive wasn't clear here, they made a point to replace all that data with one unmistakable image, a burning American flag.

The attack using a virus called Shamoon did not disrupt oil production, calling it, quote, probably the most destructive cyber assault the private sector has ever seen.

Another volley in an increasingly high-stakes war going on in cyberspace.

But the Aramco attack still felt a world away when, one month later, Chinese hackers hit Telvent.

This wasn't Tehran.

This was Beijing.

And initially, at least, there was no reason to think its hackers were doing anything beyond the usual IP theft.

Automation had been listed high up on the CCP's latest five-year plan, and that would have put Telvent's industrial automation software firmly in CCP crosshairs.

But Dale suspected there was more to the story.

The hack got into their network in such a way that it could do a couple things.

One, it could change some of the source code, deliver bad code with a back door or something of that nature.

And they also had, Telvent's not unique, they had connections to a lot of their customers.

So potentially, it was the first example of an attack that could be highly leveraged, where you say, if I can compromise this one system, I then can compromise all these other systems.

That last bit bears repeating.

If I can compromise this one system, I can compromise all these others.

Telvent wasn't the end goal.

It was the gateway.

If someone wanted to map out America's pipeline network, shut us down, or God forbid, trigger simultaneous explosions across America, Telvent was precisely the company to hack.

When I wrote out my Telvent investigation for The Times in early 2013, I laid this all out, but I left the motive as a question mark.

Was this more Chinese industrial espionage?

Or was this the first sign of the unimaginable?

Twitter didn't like that very much.

Many accused me of fear-mongering.

The idea China would want to hack our pipelines for anything other than IP theft was simply beyond our imagination.

The US and China were so economically entangled, the idea the PRC would do anything to paralyze us was inconceivable.

They'd only be shooting themselves in the foot.

Or so the thinking went at the time.

Now, with hindsight being 20/20, I would have worded that article more strongly.

And if I hadn't been getting dunked in breaches every day, I might have been able to pull my face out of the water, taken a deep breath, heard the warnings, and seen the Telvent attack for what it really was.

Countries and companies swipe our corporate secrets.

Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.

We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

That was Obama sounding the alarm in his 2013 State of the Union.

And here's former Defense Secretary Leon Panetta sounding an even more dire warning right around the time Telvent was unspooling its attack.

The collective result of these kinds of attacks could be a cyber Pearl Harbor, an attack that would cause physical destruction and the loss of life.

An attack that would paralyze and shock the nation and create a new profound sense of vulnerability.

Panetta's cyber Pearl Harbor speech was also derided as hyperbolic at the time.

But in retrospect, that stark vision he described of hackers seizing our critical switches, contaminating our water supply, it was clairvoyant.

It would take another nine years for U.S. intelligence officials to declassify their findings that, yes, the Telvent attack, along with a dozen other Chinese incursions into America's pipelines over that same window, attacks that never even crossed my radar, were the beginnings of a strategic Chinese pivot.

The administration revealed that China had been involved in hacking of U.S. pipelines from 2011 to 2013.

Chinese-backed hackers targeted and in many cases breached nearly two dozen companies that owned such pipelines.

The FBI and DHS unveiled.

Over the next decade, Chinese hackers started coming for American targets with little to no intelligence value at all.

But their value for sabotage, enormous.

And now with a program called Volt Typhoon, it's putting cyber time bombs on our critical infrastructure like our water, our grid, and our ports.

It's been boring into the networks of aviation, rail, mass transit, highway, maritime.

The program injected malware into U.S. sectors like energy, communications and water treatment.

And the bulletin reads, Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in communications, energy, transportation systems, critical infrastructure.

Things like the cellular phone carriers are the target.

It wasn't just oil and gas pipelines.

Over the next decade, they started breaking into major logistics hubs like Houston Seaport, the critical artery for American oil, gas, and petrochemicals.

They broke into U.S. airports and railway systems.

They broke into the Texas power grid.

And we don't even have to imagine what a shutdown of that looks like.

Water pipes are bursting in the frigid conditions, leaving behind a path of destruction.

Outages have now hit water treatment plants, triggering dozens of boil water advisories.

And with some grocery stores running out of essentials, people are lining up for help.

As Texans struggle, Republican Senator Ted Cruz was photographed heading to Mexico for a vacation, even though days before he pleaded with Texans to hunker down.

They started showing up in utilities that oversee power and water across the nation.

Some of these were obvious targets, others not, like that one in Littleton, Massachusetts, and hundreds just like it.

Now, it's worth pausing here.

It's important to take a macro view of what China was doing over the very same time period its hackers were popping up in our infrastructure.

China this month celebrates the 10th anniversary of the Belt and Road Initiative, which ranks as the world's biggest development program ever undertaken by a single country.

Over the last 10 years, the BRI, as it's generally called, has seen Chinese financial institutions lending close to 1 trillion US dollars to finance infrastructure projects all over the developing world.

The Belt and Road Initiative.

In 2013, China announced Belt and Road, a trillion-dollar-plus investment in building out major infrastructure projects all around the globe with a focus on the developing world.

We're talking billions of dollars of Chinese investment into foreign railways.

The China-Europe Railway Express officially launched its unified brand with eight cities including Chongqing, Chengdu, Zhengzhou, Xi'an and Wuhan as the starting stations.

Ports.

The China Ocean Shipping Company, or COSCO, has expanded this once sleepy wharf into a container city.

China started investing $2.5 billion in the Piraeus container terminal seven years ago.

This has since become a key part of the One Belt One Road initiative.

Highways and bridges.

Montenegro decided to build a motorway to open up the country.

A Chinese bank provided a $1 billion loan in 2015.

40 bridges and 90 tunnels are expected to be built and financed by the Chinese.

China is expanding the world's highest international paved road, the Karakoram Highway.

This is part of a $43 billion project called the China-Pakistan Economic Corridor.

Major oil and gas pipelines.

Prior to his visit to China, the Saudi Crown Prince was in Pakistan, where a $10 billion oil refinery investment deal was made.

The refinery is in Pakistan's Gwadar port.

The deep water port is one of the projects that China and Pakistan have worked on under the Belt and Road framework.

The leaders of China and Pakistan have agreed to build a new route to strengthen ties between their economies. They've signed a deal worth 28 billion dollars on energy and infrastructure projects.

Dams.

Cambodia is now one of the fastest growing economies in the world. A major factor in such remarkable growth is this hydropower plant, which meets around 20 percent of the country's electricity needs. The dam is part of the Belt and Road Initiative, China's trillion dollar investment in infrastructure across Asia, Africa and Europe.

The Guinean government is promising to help farmers adapt and find new sources of income.

Power plants.

China is building over 200 coal-fired power plants through Belt and Road, so we need to look at providing renewable energy to these countries.

Argentina is set to boost its energy production after announcing a major contract with China to build a new nuclear power plant in the Buenos Aires province.

But a couple years into Belt and Road, China quietly announced a new initiative under the same umbrella, the Digital Silk Road.

And a big piece of the One Belt One Road is this digital silk road that ties together China to all of these countries in Africa in the Middle East, and they're exporting these telecommunications cables.

But going forward, China is wanting to establish what it calls more of a digital silk road, that is, things like telecoms and 5G investment in infrastructure.

Officially, the Digital Silk Road was to help usher developing nations into the internet age.

But by providing them with cheap fiber optics cables, networks, routers and switches, it also guaranteed the PRC permanent footing in the world's digital backbone.

Chinese companies like Huawei and ZTE sold these companies on the promise of total digital optimization at sweet subsidized bargain basement prices.

As Jim Lewis puts it, you know, the old joke is that the Americans show up with lectures, the Chinese show up with money.

They frequently quote 20, 30, even 40% cheaper pricing than Western competitors like Cisco and Ericsson.

This all but guaranteed global adoption.

And in terms of the number of people reliant on Huawei telecom infrastructure, probably it's more of the world's population than on anyone else.

Has Huawei stolen trade secrets from Cisco?

Well, first of all, I mean, they are our biggest competitor on a global basis.

Huawei didn't become the biggest telecom equipment manufacturer in its segment by itself.

It did it because it stole Cisco technology and the technology of other companies, and Beijing really pushed it around the world.

So this is really.

And they're still stealing, right?

I mean, to the tune of $600 billion a year, Gordon.

Well, it's hundreds of billions of dollars a year.

And that pricing made it mighty easy to ignore Washington's admonitions about potential security risks.

Robert O'Brien, President Trump's national security advisor, is warning the Canadian government not to allow Huawei to participate in our 5G network, saying it was frightening and terrifying, a Trojan horse that would allow the Chinese government to gather information and micro-target Canadians.

U.S. Secretary of Defense Mark Esper said Huawei was the poster child for China's nefarious strategy, quote, to infiltrate and dominate crucial Western infrastructure.

The Trump administration is still urging U.S. allies to shun Huawei, claiming the Chinese telecom giant gives confidential information to China's government.

The Justice Department indicted Huawei last month on 23 criminal charges, including wire fraud, money laundering, and stealing trade secrets.

The American envoy warned Brazil against ignoring U.S. advice on Huawei.

U.S. officials have been especially quick to note that Huawei's founder, Ren Zhengfei, started his career as an engineer in the Chinese military, the PLA.

Ren's PLA background consumed Huawei's entire culture, even its vernacular.

Sales guys were known as guerrillas.

Ren called his engineers soldiers.

Their managers, generals.

Altogether, Huawei's employees were Ren's, quote, iron army.

Even their salaries, rations.

And in Huawei's earliest days, Ren had a saying: a country without its own program-controlled switches is like one without an army.

As Ren himself alluded, what companies like Huawei, and it wasn't just Huawei, but ZTE and others, what they were doing, building out the world's digital backbone, it gave China the keys to global data flows.

And those keys didn't just give China the ability to intercept data, it theoretically gave them the ability to hit a kill switch at any time.

Huawei reportedly has even more access to information, possibly about you, than previously thought.

Intel sources say that they've known for years that Huawei builds covert access for the Chinese government into its mobile hardware, software, and systems, known in the cyber world as back doors.

Now, we should note that U.S. officials have never offered any proof that the PRC has used Huawei or ZTE systems for espionage or sabotage.

And Huawei has emphatically denied it has ever or would ever give the Chinese government any information or freely hand its equipment over for all-out cyber war.

Huawei founder and CEO Ren Zhengfei spoke with Bianca Golodryga at the company's headquarters in Shenzhen, China.

Have you ever given any information to the Chinese government in any way, shape, or form?

For the past 30 years, we have never done that.

And the next 30 years to come, we will never do that.

Could Huawei possibly have a back door without your knowledge?

It is not possible.

Because across our entire organization, we've stressed once and again that we will never do that.

But it's very much worth noting that in 2017, China passed a suite of intelligence laws requiring, quote, any organization or citizen shall support, assist, and cooperate with state intelligence work.

In effect, Chinese companies are required by law to give the PRC access to these systems or turn over data at any time.

No warrant, no oversight,

no due process.

But with Snowden as a backdrop over the same time period, the U.S. didn't exactly have moral standing to be warning other countries about foreign surveillance and back doors.

In fact, in 2014, my former Times colleague David Sanger and I reported that at one point, the NSA had actually broken into Huawei and used it as a conduit for its own spy ops.

All of which made Washington's warnings even easier to ignore.

And just as the U.S. has failed to convince the 170 million Americans to stop using TikTok, their admonitions on Huawei have been to meagre effect.

As a matter of Chinese law, the Chinese government can rightfully demand access to data flowing through Huawei and ZTE systems.

Why would anyone grant such power to a regime that has already grossly violated cyberspace?

Today, we're talking about Huawei.

This company has also been accused, ready for this, of working with the Chinese government to spy on its users.

That has led the United States to ban American firms from doing business with Huawei.

Google has warned that if Washington moves ahead with its sweeping ban on Huawei technologies, it risks compromising national security.

By 2020, Huawei wasn't just selling phones and routers anymore.

They were selling the entire stack.

5G networks, data centers, satellite systems.

The future of the internet is being built by Huawei.

The tech giant spending billions to gain the edge in 5G, the next generation wireless network.

An edge the U.S. government is trying hard to stop.

They were building out smart cities.

A nervous system with connected neurons makes a human body an integrated being full of wisdom.

At Huawei, we are now using our 30 years of experience to create nervous systems for cities.

We call them smart city ICT networks.

They analyze transportation data.

They are helping to improve urban medical services.

They help to improve tourism management and services.

Huawei is now building the central nervous system for urban brains.

And then safe cities, complete with AI-enabled surveillance cameras, facial recognition technology, crowd monitoring, behavioral analytics.

Huawei, for example, is taking smart cities, what they call safe city solutions, around the world.

And that plays a crime prevention and emergency response role, but they're also playing public security roles.

Closed circuit cameras feed into a database with advanced artificial intelligence.

And facial recognition can identify everyone, cross-reference license plates, and analyze unlimited information.

And all of it came with Chinese hardware, firmware, and software that could be remotely accessed or frequently maintained with updates from China.

Software was eating the world.

China was baking its digital sensors and software into cities, bridges, traffic systems, waste collection, water treatment, hospitals, homes, cars.

And nobody paused to think about how all this digitization might come back to eat us.

Now, here's where I should tell you that I am among those who thought U.S. warnings about Huawei were totally over the top.

If there were actual instances of Chinese spies intercepting data through Huawei or ZTE, my personal feeling here is that the U.S. intelligence community should present them.

Same goes for TikTok.

Listen, I'm sensitive to the need to protect sources and methods here, but if the Chinese government is using TikTok to spy on Americans or somehow tweaking the algorithms to spoon feed CCP propaganda to Gen Z, the U.S. government should declassify that, because we know their finger wagging doesn't work.

And the reason we know it doesn't work is because all you have to do is travel to any major European city these days.

And you will see Huawei all over the place.

In downtown Kyiv, in downtown Copenhagen, they are running hundreds of smart city pilots around the globe.

Huawei's equipment is baked into 5G networks in Germany and even cell towers in rural America, many of them uncomfortably close to our most sensitive missile sites in places like Wyoming, Nebraska, and Montana.

In the last couple of years, Huawei has managed to install and maintain a handful of networks in U.S. rural markets, including a vast quadrant of southwestern Kansas.

The FBI knew that these small rural telecommunications companies out in the Midwest were using Chinese-made Huawei equipment on top of their cell towers in places like Colorado and Nebraska that were close to sensitive military installations, including U.S. nuclear missile silos.

Now, last year, Germany said it would start excluding Huawei and ZTE from its 5G networks.

But ripping these systems out isn't easy.

Under Biden, Congress allocated billions of dollars to rip and replace these Huawei systems from rural America.

And that wasn't nearly enough.

These small rural telecom companies have been mandated by the FCC to rip and replace the equipment, but the amount of money Congress has appropriated to reimburse them is about $3 billion short of what it's going to cost all these companies to get the job done.

And again, I maintained what I still believe is a healthy skepticism about U.S. concerns on Huawei and other Chinese suppliers throughout the 2010s.

But all of that went out the window when, in 2020, Chinese hackers started coming for U.S. infrastructure with unnerving frequency.

What started with these Chinese hacks of U.S. pipeline operations and their software suppliers became an all-out assault on U.S. critical infrastructure.

By 2020, Volt Typhoon was turning up across the country.

And the fact that anyone picked these up at all was a tiny miracle.

These weren't smash and grab hacks, far from it.

They weren't even hacking in anymore.

They were logging in, in low and slow attacks, blending in like any other employee.

They didn't use malware.

They didn't siphon much out.

They were careful to delete their tracks.

Their primary goal appears to have been to get in, stay in, and ensure they had the ability to come back any time.

Experts have a name for this style of attack.

They call it living off the land.

All of a sudden, we see Chinese threat groups since about late 2020, at least from my observables, hack in and we don't know why because they're not the tank through the cornfield.

They're hacking in and just that's it.

There's no other activity.

And then you're like, why are they there?

They're here, lying quiet.

The only question now is what's the trigger and what happens when they pull it.

My usual line is you don't hack infrastructure for fun, right?

It's reconnaissance.

It's target reconnaissance for the event of a conflict between the United States and China.

That's next on To Catch a Thief.

Follow To Catch a Thief to make sure you don't miss the next episode.

And if you like what you hear, rate and review the show.

To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia Lee.

It was written and produced by me, Nicole Perlroth, and Rebecca Shasson.

Additional thanks to Hannah Pedderson, Sam DeBauer, and Amy Michado.

Editing and sound design by Morgan Foos and Carter Wogan.