Hacked - The Huawei Hullabaloo
Episode Date: July 28, 2020Jordan Bloemen & Scott Francis Winder chat about the past, present, and future of one the most scrutinized, and least understood, companies in modern tech. If you like the show and want to make sure ...we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love. Also - don't forget to check out our loving sponsors. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
If you were driving through the English countryside, you'd probably cruise right by the main offices of H.C. SEC without batting an eye.
This is this big red brick building off the highway on the outskirts of a town called Banbury, nestled in a scene one, seen-em-all kind of office park.
But if you were to pop into town, sit down at a pub somewhere, and you were to find one of the 40 or so people who work there,
You were to get them talking?
Maybe a little loose-lipped.
But what it is they do at HCSEC?
Well, the first thing you'd probably notice is they do not call it that.
Everyone who knows just calls that building the cell.
In 2005, British Telecom is doing a $10 billion upgrade to the telecommunications infrastructure in the country.
And they made this pretty significant buy from a then-little-known Chinese telecommunications company called
Huawei. One piece of equipment Huawei was responsible for is called a core switch. Essentially,
it's a directory for information within the cell network. Over the years that followed,
British telecoms started noticing a disproportionate amount of what one employee called
chatter coming from these Huawei core switches. They were sending something, some data,
somewhere. Without digging deep into the code of that hardware, they couldn't
figure out what. See at the time, there was technically no law saying the British telecom
had to tell the British government that they were buying equipment from a company that could have
potential ties to a foreign government. But when the authorities found out what these boxes were
doing and who they had bought them from and that they were already installed and in use all over
the country, well, the government decided that if the only way to know what this equipment
we've already bought and installed is doing is to peel it apart,
that's what we're going to do.
The cell, the nickname of the Huawei Cybersecurity Evaluation Center,
was the operation tasked with hunting for back doors and security vulnerabilities
inside of Huawei equipment.
And the cell was funded by Huawei.
The logic was, since this is a problem caused by this company,
we're going to make them pay for the solution.
A cybersecurity task force funded by the organization
they were tasked with investigating.
And over the years that followed,
as scrutiny into Huawei spread around the world,
some pretty obvious questions began to emerge
as to whether this arrangement
was basically just Huawei policing themselves.
With customers in Europe, the Americas, Africa, and of course China,
Huawei claims to connect a third of the world's population.
They are a global superpower
knit into the fabric of modern communications
in the digital age all over the world.
And they're also a really easy case study
into this much larger question
of what it means to get our technology
from a company with allegedly very deep ties
to a government with a robust technological surveillance network.
I don't know if that pub and Banbury is open right now.
And if it is, if there's anyone sitting at the bar.
But if it is and if there is,
and they're one of the 40 or so people who work at the cell,
they're almost certainly talking about one thing.
The fact that just this week,
the United Kingdom placed a blanket ban on 5G infrastructure
from Huawei across the country.
And the stuff that's already installed
is going to be purged by 2027.
We wanted to understand a little bit more about this company
that's become an emblem for this much bigger question.
So this is our brief history of Huawei.
and their quest to connect that last two-thirds of the world.
Here, on Hacked.
1938, in the suburbs of Palo Alto,
Bill Hewlett and David Packard formed a company we now call HP.
They founded that company in their garage.
April 4th, 1975, Bill Gates and Paul Allen founded Microsoft in a garage.
In 1976, in a garage in Palo Alto, Jobs and Wozniak started Apple.
Huawei doesn't have a myth set in a garage in Menlo Park.
But just because they don't market themselves around a garage myth
doesn't mean they're not of the size and influence globally
to warrant that kind of an origin story.
For context, today, Huawei is a bigger smartphone manufacturer than Apple is.
You can find plenty of news on the hour-to-hour day-to-day drama unfolding with Huawei on the world stage,
but Scott and I wanted to go back to the beginning.
to take you through a bit of a history of this company right up to today,
to give you a little insight into this monolith that most of us probably don't know much about.
It starts with this guy named Wren.
Yeah, I think that's an interesting story because the founder, Ren,
was an ex-soldier in the People's Liberation Army
and left military command to go off to found one of the international largest tech companies
in the world. I think he claims that he was just always a low-level soldier, but he also claims that he's
a bad businessman. So either both of those are wrong or... I think to like figure that out, we need
and maybe this is just me projecting, but let's say like a guy who sounds conspicuously like Johnny
I've explaining the corporate history of Huawei and specifically of its founder run. Do we have
have that kicking around anywhere?
And extra points if it's set to like really, really emotional stock music.
Most people think that Huawei has come from nowhere.
When in actual fact, it's taken 30 years to get to where they're going.
Yeah, exactly.
That's exactly what I was talking about.
Mr. Wren, the founder, lived through a very difficult time in China's history,
which included famine, the cultural revolution.
It had a pretty hard life.
Yeah, so Huawei, I think, was founded in 1987.
and I think they started manufacturing PBM systems, which is kind of like an old school.
Well, I guess it's still used today, so it's not that old school.
But a phone switchboards, like a way for corporate companies to have switching between, you know,
when you dial in you hit extension 301, it's a PBX system that jumps you to that phone.
You know, and then in 1999 they started doing, or they claimed to have started doing their own kind of independent research and commercialization,
and developing their own IP around the PBIX systems, you know, getting into R&D in like 92,
looking at ways to expand telecommunication infrastructure across China.
Then they start getting, you know, pretty substantial and pretty big.
They start, you know, I don't think anybody cares about revenue milestones.
So this is from audio of an interview with, like, Ren himself.
He's a pretty normal-looking, wealthy 75-year-old guy.
And he's telling this, it's really interesting.
He's not telling a garage origin story,
but he is telling kind of this uniquely Chinese tech company myth.
He's telling the story of his childhood
before the Cultural Revolution,
how he was lucky because his family could afford salt.
But it's interesting to hear him talk about his transition
later in life, out of the army,
and into what was becoming kind of the modern Chinese economy.
He says,
after leaving the army, we are no longer tied to it.
Retired soldiers had quite a hard time adapting to the market economy.
We'd gotten so used to the planned economy.
He later says, I had no experience when I started Huawei at 44.
97, I think they got big into GSM, which was kind of a pre-3G cell code or telco cell phone infrastructure.
I think they started expanding that across China.
So I know in the late 90s, Europe and Asia specifically started to ramp up their cellular infrastructure even faster than we did in the Western world.
And it was probably big for them as they started blowing up and expanding it across Asia.
That was pretty early.
Well, like I remember, I was in Asia in the early 2000s, and cell phone infrastructure was crazy.
I'm talking about like, you know, middle of nowhere in Myanmar.
And there's perfect cell reception, the middle of a river.
And they just didn't have the physical infrastructure installed like we did here.
So they just went straight to wireless.
Huawei basically started very, very small.
This is Professor David de Kramer from the National University of Singapore Business School.
And David is talking about this kind of bigger narrative in the rise of Huawei.
It's connection to what he calls the opening up of the Chinese economy.
And warning, the stock music, she continues to be very emotional.
1987, Shenzhen in an apartment.
And Shenzhen was labeled what we would call today,
special economic zone.
It's only 1988 that formally private companies were allowed in China.
But there was no real good ideas yet about what it takes to be a company.
It's impossible to untangle Huawei from both like the literal,
and sort of abstract idea of what China calls special economic zones.
Special economic zones are basically designated areas in China
where the formerly, purely communist, centrally planned country
could experiment with like a little hit of capitalism on the side.
It's companies that are typically born in these areas
that went on to be exported to the rest of the world.
And it was in 2000 where I think they really started to push out of their own national borders
and they established a research center in Stockholm and Sweden.
And they also capped over 100 million U.S. in international sales.
So I think that was kind of their big push into the international markets.
And it's kind of like in the mid-2000s when they started like heaving into the states.
Yeah, because in 2001, they established four R&D centers in the United States.
So furthering pushing their growth outside of China.
2005, they followed that up with all international orders exceeding their domestic sales.
So essentially, everything outside of China was more than their Chinese sales.
So it was about 2005, and they went from being a predominantly Chinese company
to a predominantly international company.
Which is where our timeline kind of connects back up with our opening story.
As Huawei's footprint in the UK and the U.S. just continues to expand throughout the 2000s.
In 2005, British Telecoms then selected them to be like a preferred vendor and supplier for British Telecom, which is a big deal.
And in 2007, the rest of Europe followed.
So essentially every cell infrastructure and telco infrastructure in Europe had Huawei equipment in it.
And it's probably still there in most cases.
Bringing us in a cool 12 minutes or so back to the 2010s, where our opening story about the United Kingdom, H.C.Sec and the cell picks back up.
Where the modern tale of Huawei, of this company embroiled in this much larger fight about China's role in the international economy.
where that really begins in earnest.
Yeah, so the 2010s, I think, you know, a big, interesting milestone there is the
establishment of the Cyber Security Center in the UK, also known as the Cell.
Such a good name.
Such a good name.
You let Spy's name stuff, and they're going to name it in a spy-eway.
Yeah, I don't hate it.
No, I like it.
I'm here for it.
I dig a little cloak and dagger.
Yeah, sure.
That really, I think, sets the tone for sentiment to,
towards major telcos being like,
and national infrastructure security commissions
and councils and stuff being like, huh.
You installed what, where, doing what?
What company with strong ties to what country's government
is in charge of what of ours?
I think that becomes a real strong question,
especially because, you know, telecommunications, obviously.
We become more dependent on it in the last 20 years
than we ever have, especially with things like smartphones.
But like I think telecommunications and communications between people has always been seen as a
critical infrastructure piece.
And like, you know, disaster preparedness, war preparedness, economy, everything requires communication.
So to hand the keys to that over to a party that you might not trust.
I'm not saying you should or shouldn't, but might not.
Maybe not the best idea.
And that's when things just like completely take off.
You know, I think that's kind of, you know, you start to see the hockey stick go up.
You know, in 2012, the U.S. congressional panel has an official warning about the company and also ZTE,
both them posing a national security risk.
Like, that's a big deal.
Kind of didn't really hear much dialogue and discussion about it.
The CIA comes out in 2013 and openly states that Hawaii is spying on.
on behalf of the Chinese government.
Now that they've rolled out to most major infrastructure,
teleco infrastructures across the world,
that's a pretty big claim,
especially when they have so much footprint.
Since the very first 1G systems in the early 80s,
there's been a new generation of wireless mobile telecom tech
coming out every decade or so.
There's 2G in the 90s, 3G in the odds,
4G in the 2010s, you know, the decade when
Scott just explained why we was really starting to be screwinized in the West.
So it's right as that, I like the hockey stick metaphor of Scots,
right as that hockey stick of attention is really starting to angle up in 2018
when the battleground in which modern trade tips with Huawei are being fought emerged.
Talking about 5G.
Yeah, at the same time in 2018, that's kind of when, you know,
we're living in 4G world and we start talking about 5G.
5G world. We start talking about broadband cable speeds in our phones. We start looking at all this
good stuff and Huawei's got the key for it and that and all of a sudden you've got a bunch of
national security councils being like, uh, maybe not. So after a decade or so of investigating
Huawei technology while still using it in their infrastructure, all at once, a whole bunch of
different governments around the world start taking tangible action in 2018. They start making formal
statements about their findings and hard decisions about using Huawei gear and their infrastructure.
And it's like I feel like at that point, you know, you started to see discussions of the
company in the public discourse as kind of like an exponential growth. Like it wasn't very much back
then. Nobody was really talking about it. And then, you know, once you hit 2017, it comes up much
more and like today I feel like it's an endless stream it's like I can just literally
Google their company name hit Google news and get like 20 articles in the last hour
because it's such a relevant topic right now you know the UK government had a
report in 2018 that said they had limited assurance that Hawaii's broadband and
mobile infrastructure wasn't posing a threat limited assurance I think that kind of
begins the the headache August 2018
Australia comes out and says Huawei and ZTE will both be excluded.
I've always forget about ZT, but they were a large player in this too.
Huawei and ZTE were excluded in the 5G rollout in Australia.
Wouldn't be included, so that was 2018.
I know they've officially come out, and that's a hard line of the quote-unquote five eyes now,
or most of them except for Canada.
While Canada hasn't passed any kind of official legislation against Huawei Tech,
the next big kind of milestone in the story does involve Scott in my homeland.
And we show up on the scene in a very, very dramatic way.
It is the arrest that sent shock waves around the world and through markets as Mounties arrested Meng Wang Zhou, the chief financial officer of Huawei, the Chinese tech giant.
And then I think the big, like especially for us here in Canada and the states, wherever you're listening to this, is one of the major news stories of 2018 around this, is Canada on the request of the Department of Justice in the United States, arrests this.
CFO and daughter of Huawei's founder at the Vancouver airport.
Meng is often called the Queen of China's tech industry, but the RCMP arrested her as
she tried to change planes in Vancouver earlier this month.
Pretty controversial. We executed it, arrested her. She's still here in Canada. She hasn't
been deported to the States, I don't believe, even though she's still essentially
being held on a house arrest.
Meng is now facing extradition to the U.S.
China has denounced the arrest as a serious human rights violation.
So why did Canada make the arrest and will China retaliate?
So basically what happens is the United States charges Huawei CFO Meng Huai
Tsiao with wire fraud violating American sanctions against Iran.
Meng is passing through Canada, which has an extradition agreement with the U.S.
So in an airport in Vancouver, the RCNB arrestor.
As of right now, she's here in Canada awaiting trial.
for extradition, but the arrest is a major point of conflict between Canada, China, and the U.S.
Well, I think if what's happened is a request was sent in through the U.S. for extradition,
we take that very seriously, no matter who it is.
I think sometimes we cringe knowing that there will be political ramifications,
reverberations, but this is how we operate.
There's been a bunch of weird things, like there was a bail hearing or like a trial or something,
like a small court proceeding in relation to the trial,
and a random third-party numbered company
hired a bunch of actors to go fake protest,
this bail hearing, holding signs being like,
free man, and like, this is oppression and all of this stuff.
So they hired this group of, like, young millennial actors
to go essentially protest and told them that it was essentially a motion pitcher
or like a tryout.
So weird things like that.
And then?
To put a pin in a truly buckwild year for Huawei,
we kick it back over to the UK one last time
when Defense Secretary Gavin Williamson got sacked over charges
that he leaked information regarding Huawei's push
to provide 5G infrastructure within the country.
Williamson, for what it's worth, denies the accusations.
It was kind of shocking just because their technology
was going to be used in the critical infrastructure.
That was big enough that somebody needed to leak it
and also because they thought he leaked it, they fired him or like removed him from office or forced him to step down.
I'm not sure what the terms were.
But yeah, kind of a big, a lot of big things happening without a lot of discussion about why.
You know, we're arresting CFOs.
We're firing ministers.
There's whistleblowers.
There's, you know, all of these things going on.
And not a lot of people coming out to say why.
Nobody's saying why.
So when you're reading about this stuff, about what it would mean to have compromised cellular
infrastructure installed in your country, the word threat comes up a whole lot.
And it's not immediately intuitive what that actually means.
Like no one thinks that 5G towers are going to blow up, like they represent a physical
threat.
No reasonable person thinks they could, you know, I don't know, cause a pandemic.
So when we say threat, what is it we?
we actually mean when we're talking about Huawei. We're going to talk about that right after the
break. Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world
where attackers are already using AI. They created the Aurora superintelligence platform,
fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions
and keep everything trustworthy, and all of this is just off running on their secure operations
graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events
every week and over a decade of real-world incident response.
The system reasons on real signals and real context not.
synthetic training data. And the result is the new Aurora agent SOC. It's the first
SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that
respond at machine speed, and hundreds more that automate the repetitive work that normally
buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the
model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the place.
platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind. If you want to see what trustworthy
production-ready AI and security operations actually looks like, go to arcticwolf.com
slash hacked. Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks to turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving to the most impactful breaches of 2025.
Their field CTO and security leaders are going to unforeforefore.
pack not just what happened, but why these attacks succeeded, and most importantly, what businesses
can do to fortify their defenses for it's too late. You're going to walk away with real insights
and how threat actors are evolving, how defenders are responding, and what strategies can help
you stay ahead of the next big breach. It's not fear mongering. It's practical, actionable,
intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
That brings us to the current moment. And what we basically seen is like there's like you put it,
which I really like, of like, we've got a bunch of people that ostensibly know a lot about what's going on,
behaving as though they're very, very concerned about something, but we don't really have a great
sense of what it is they're concerned about.
Sure. A lot of confidential reports I'd love to read.
Yeah. So I guess my question is, like, when we talk about mobile infrastructure,
when we talk about mobile infrastructure as a security vulnerability, what does that look like?
Well, it looks pretty grim. I think there's three major categories there.
You know, I think there's, you know, active surveillance.
Like if you're in control of telco infrastructure, you could be actively surveilling.
You have passive surveillance.
So instead of being active and, like, listening into my calls, maybe they determine that I'm a target,
and then they start going into my history and going through that stuff,
because that would all be captured on the infrastructure.
And then I think your third and most powerful one would be, like, you know,
the ability to turn off a state's telecommunications.
And like, you know, when you come to crisis and war preparedness,
if one country had the ability to push a button and just disable another country's telco,
you know, all internet access, just essentially halt their nation,
that's a pretty big, pretty big tool, yeah.
Huawei is like a very, very real company.
It's not like a front operation.
Like they're making technology that's meant to be competitive
and of like a certain quality level.
And it does by all accounts work.
like it's been installed for decades at this point.
The fear here is that within this working stuff,
there's this incredibly well-hidden, like, secret backdoor,
some kind of like hardware code combination,
some way of making all of that, like,
established working technology and infrastructure
do something very, very secretly that it's not supposed to.
I guess I'm kind of curious,
like, what is it that these 40 people in this room
are actually looking for?
What does that back door look like?
Wow.
that is a very complicated question,
but you'd be talking about a lot of hardware-level things.
You know, it could be something as small as inside of anything that has, you know,
cryptography in it, so anything that's encrypted or has the ability to encrypt or any of that,
all of that stuff is based on random number generation.
So if you installed a random number generator that was predictable,
if you knew exactly how it functioned, but presented itself as random number generation,
random, you could essentially bypass cryptography. So, you know, things, like, there would be a number of
ways you could do it, you know? You know, we go to hardware vulnerabilities. Like, there could be code
inside of some of those boxes that doesn't even present. Like, I'm sure the 40 people paid to rip
apart infrastructure are pretty good at looking for, for all of the variations of it. But I don't
no, it's just, it is what it is.
You can no offense to the 40 people sitting in a room tearing stuff apart.
But like, something like a 5G rollout, they would have had to start tearing that stuff apart
five years ago or three years ago.
Like they, your country would be behind the curve if you expected everything to go through
security protocols before it got installed.
So it's like, yeah, it's an interesting, it creates an interesting.
interesting predicament.
And I guess it's kind of worth like a little bit thinking about what that
predicament looks like depending on where you are in the world.
Because if you live in a place where like your country is in a trade war with China,
where your government started this dedicated branch to investigating Huawei equipment,
like you are in a very different position using this technology than any number of dozens
of other countries that are buying and installing Huawei tech.
Like because you live in a place that has the resources to hold this.
company accountable, you know?
And correct me if I'm wrong, but the UK is the only country that I've ever heard of
that has a cybersecurity center that literally just rips apart Huawei gear and goes through it.
So that means the, you know, X 100 million people that are UK residents might be relatively
safe to obvious vulnerabilities.
But how many other countries out there are just wholesale Huawei infrastructure?
Because I'm sure if you're Sudan,
Huawei can show up and install your entire telco infrastructure.
They probably have every single piece of the pie
and can probably outbid most companies.
And they show up and set it all up.
And there's no field of hyper-technical,
well-trained cybersecurity people ripping through the pieces of hardware,
going through every line of machine code
to make sure that it's acting in a responsible way.
So much of that skepticism and caution around Huawei
is like rooted in like a really explicit skepticism around the CCP, around the Chinese state.
And I guess kind of like what they could theoretically do if they had to backdoor into all of this mobile traffic all around the world.
But I think that anyone who's listening to this conversation knows that like the governments that are making these criticisms also practice a lot of that stuff.
We talked about the five eyes countries.
That's literally a euphemism born out of global surveillance.
I want to talk about the difference.
Is it that the Chinese state isn't an ally in the same way geopolitically?
Like what accounts for that difference in the way we think about these things?
Like truthfully, I think all governments have, not all, most governments probably have a tendency to use technology to surveil people.
Except for this was one where it went from being maybe a democratic country to being a non-democratic country.
as well as China was going through huge booms of growth.
They started to become a real superpower, like in the early 2000s.
Like now we just accept them as a superpower,
but I think that's probably a pretty recent in the last 20, 30 years.
So as they were growing in global authority,
they were also growing in influence in critical infrastructure.
I think one last thing that we've got to talk about if we're talking about all this,
just to sort of end on is the idea that by modern standards of state-sponsored cybercrime and cyber espionage,
this feels kind of really old-fashioned.
Like when I think about the nature and volume of data that's getting piped through mobile infrastructure, 5G towers,
and you compare it to the sort of targeted data you'd get off a social media platform like Facebook and Google,
if I am China and I'm looking for companies that could give me like a leg up in some future,
or sci ops type situation.
I'm going to be trying to build the next Instagram,
not the next Cisco, you know?
Yeah, well, we're just talking about TikTok.
Yeah, we're just talking about TikTok.
But it's like if you had a, if you had a full team of like behavior hackers,
they could the amount of data that you would be pulling out about psychographics and people.
Sure.
Based on TikTok behavior.
Sure.
Because they're consuming so much content.
You would know you, you would be able to make a beautiful map of what you would need to.
to do to resonate with specific demos and specific psychographics. So if you're hell-bent on
fucking with the world and especially fucking with specific parts of the world, like, you know,
conservative-leaning white males of America, like knowing exactly what resonates with those
people would be very valuable. Sure. And TikTok will tell you exactly what resonates for those
people. Sure. So it's like even if it's not tracking their location or giving you access to their
email or any of that stuff, just psychographically being able to successfully model such a
large data set would give you so much fucking power.
How many times in that did we mispronounce the word?
Huawei.
Find us on Twitter at hacked podcast.
Let us know.
Maybe you counted.
Maybe had a little clicker.
Maybe you were keeping track.
You can find us on Twitter.
And if you love this show, you can find us on Patreon.
Patreon.com slash hacked podcast.
Thanks again for listening.
Catch you on the next one.
Thank you.