The Dangers of Allowing an Adversary Access to a Network

The Trojan Horse, as depicted on Greek pottery. The Trojan Horse in modern cyberspace is still something to be feared. Credit: G. Dagli Orti/De Agostini, via Getty Images

Schoolchildren learn the tale of the Trojan Horse, the giant gift in which Odysseus and a platoon of 30 Greek soldiers hid to gain access to the heavily defended city.

Thousands of years later, it remains a thoroughly modern concept that is increasingly found at the heart of cyberwarfare strategies. Modern Trojan horses are computer code or vulnerabilities hidden in software or hardware that would allow a spy or an attacker to gain access to an adversary’s computers and networks. Find a way to be invited into the computers of your enemy’s weapons and military systems and you can render them useless in the face of an attack.

For more than a decade, Pentagon officials have been anxious about the growing reliance by the United States electronics industry on Chinese manufacturers. As the Internet has become the nation’s critical infrastructure weaving together commerce and power systems and even military command and control, it has become increasingly unthinkable to have a foreign presence in the network. Their fear is that those building and maintaining the network could build in a Trojan horse.

Thus it was striking that the word “Trojan” was not mentioned in a 52-page report issued Monday by the House Permanent Select Committee on Intelligence focusing on the activities of two giant Chinese telecommunications firms, Huawei and ZTE, which have long been suspected of having links to the Chinese government. Beijing has been suspected of trying to steal American corporate and government secrets through computer espionage.

Stuxnet, a surreptitious program that was reportedly designed by United States and Israeli intelligence agencies to afflict the Iranian nuclear enrichment program, had many of the properties of a highly sophisticated Trojan horse. The program was at the heart of a concerted effort to delay or destroy the Iranian Natanz nuclear fuel facility. The attack damaged centrifuges and might have provided a surveillance window into Iranian activities by giving Western intelligence agencies unfettered access to the desktop computers of Iranian project managers.

The program acted as a Trojan horse, perhaps delivered first on a USB memory stick, that then spread through computer networks inside the secret facility before reaching the outside world. A striking map of the paths followed by Stuxnet infection created by researchers at Symantec, the Silicon Valley computer security firm, indicates that Stuxnet actually broke out of Natanz, rather than breaking in, just as the Greek soldiers climbed out of the horse at night.

Possibly because the United States is making Trojan horses, that term — if it exists in the House report on Huawei and ZTE — is said to be found only in a classified annex to the report that has not been made available.

The published report consists of a series of allegations about the activities of the companies, including bribery and surveillance, but little hard evidence. Reports of “suspicious” incidents, including an ostensible case of “beaconing” from Cricket, a Texas wireless operator that uses Huawei equipment, have been heatedly denied by Huawei.

If this issue is important enough, said Richard A. Clarke, who served as the nation’s counterterrorism overseer in both the Clinton and George W. Bush administrations, there should be ways of declassifying the information. “They’re making important accusations,” he said. “Important accusations require important proof.”

According to several former government officials, the real issue is not what has happened in the past but rather what might happen if Huawei gear were widely used in American telecommunications networks. Such use would mean that the company would have to serve and fix the network, requiring extensive access for its technical personnel to telecommunications networks in the United States.

The danger in letting your potential adversary maintain your network has already been demonstrated, according to Mr. Clarke, who described the episode in “Cyber War: The Next Threat to National Security and What to Do About It.” In 2007, a remarkably sophisticated computer attack by Israel rendered Syrian antiaircraft radar useless. Israeli aircraft were able to destroy a Syrian nuclear reactor without any response from the country’s military. He says the radar network was vulnerable because the Syrians had relied on outsiders to maintain it.

Mr. Clarke disputes a recent New Yorker article that asserted that the bombing attack was supported by conventional electronic warfare, which involves jamming or deceiving an enemy’s radar with high-powered radio waves. “Regular electronic warfare fills the frequencies with static and overpowers the frequencies,” he said. “That wakes people up. That didn’t happen. The Syrians didn’t notice the jamming of their radars.”

In 2009, The New York Times reported that an American semiconductor industry executive who claimed to have direct knowledge of the operation said that technology for disabling the radars had been supplied by Americans to the Israeli electronic intelligence agency, Unit 8200.

If his account is true, it may be the real reason that the government has worked so hard to make sure that American computer networks are not made in China.