"Once the thing's created you're not going to check each piece of hardware, and substituting a piece of hardware [with a] chip that has other routines on it would be fairly simple and innocuous - and almost impossible to tell unless it was checked in place."
The bug could then send anything on the network to an overseas website, which would relay the information to a more secret site. There, intelligence analysts could mine it for strategically useful information - probably not top secret but still potentially highly sensitive and, in the wrong hands, embarrassing for the New Zealand Government and businesses. It might sound fanciful, he says, but it's not. "The intelligence community is slippery, you know. They do stuff."
How to respond to that potential threat without causing a diplomatic uproar with our second-largest trading partner will have been exercising the minds of politicians and diplomats this week.
New Zealand looked as if it had been caught flat-footed as it emerged on Monday that Australia had blocked Huawei from bidding for its national broadband contracts because of security warnings over cyber attacks from China. The Chinese company is also likely to be dumped as one of the providers of a A$300 million ($381 million) fibre optic submarine cable from Perth to Singapore.
The United States has stopped doing business with Huawei because of similar security concerns. Congress blocked it from buying networking company 3Com in 2008 and from bidding on telecommunications gear for Sprint in 2010. This week the giant American software security company Symantec pulled out of a joint venture with Huawei, apparently afraid it would lose access to classified US Government information on cyberthreats.
Yet in New Zealand, Huawei has signed deals with Enable Services and Ultrafast Fibre Ltd, the New Zealand Government's private partners for the ultra-fast broadband (UFB) scheme in Christchurch and the central North Island. It has also signed a contract with Chorus to help roll out fibre lines in the rural broadband initiative and has previously supplied and built the 2degrees mobile network and Vodafone's fixed broadband network.
There are more tentative plans for a separate company Huawei Marine, which is 50 per cent owned by Huawei Technology Global, and another Chinese firm to build an undersea cable between Auckland and Sydney, although it now looks highly unlikely that Australia will allow the deal to proceed in this form.
The Government has so far hedged its response, suggesting no change without ruling it out. Prime Minister John Key said New Zealand was comfortable with its position, although he conceded the UFB contract began before Australia's stance was known and he had limited knowledge of the reasons behind it.
Communications and Information Technology Minister Amy Adams told Radio New Zealand that "as issues arise" the Government would work through them but defended the company's success in building similar systems in Britain and Singapore.
Huawei New Zealand public affairs manager Mark Champion describes trying to put the company's side of the story as "like going into this debate with one arm tied behind your back". He says Huawei New Zealand has to defer to the Government - which he adds was perfectly happy with its assurances as recently as October - and ministers are understandably reluctant to talk freely on potential security matters.
But he questions why a Chinese company has been singled out for so much attention by Australia and the US.
"I think this is more commercial than security."
As Adams indicated, Huawei globally may or may not be a front for Chinese espionage but it has to be taken seriously as a commercial giant with annual revenues of US$32 billion ($39 billion). It is soon expected to overtake Sweden's Ericsson as the world's biggest telecommunications infrastructure supplier.
So what's the evidence against Huawei? Writing in the Australian Financial Review, Chinese foreign policy expert John Lee argued China was the biggest source of cyber attacks on Western countries and their level of sophistication meant they could only be instigated by government agencies or large firms.
Chinese intelligence agencies were the chief suspects last year when hackers reportedly broke into computers in the offices of at least 10 federal government ministers, including those of Prime Minister Julia Gillard, former Foreign Minister Kevin Rudd and Defence Minister Stephen Smith.
Dr Lee, who is based at Sydney University's Centre for International Security Studies, said there was no solid evidence Huawei was linked to such attacks or had any plans to "build nasties" into the national broadband network, but a lack of trust based on past experience meant the onus of proof was now on the Chinese company.
Lee said telecommunications was one of seven strategic sectors, which the Chinese Government regarded as crucial for national security. As China's "national champion" in a strategic sector, Huawei benefited from privileged market access, tax incentives and other subsidies but was expected to return the favour by pursuing Beijing's strategic and political objectives as well as its own commercial goals.
Huawei founder and chief executive Ren Zhengfei was an officer in the Chinese army in the 1980s. More seriously, according to Lee, the company failed to disclose that its chairman, Sun Yafang, had been a senior official in the Ministry of State Security, the country's main foreign intelligence agency.
The Australian reported this week that Britain's Government Communications Headquarters, the country's top signals intelligence agency, had to check all servers, routers, chips and hardware installed by Huawei on the British broadband project. "And they still don't have any guarantee they picked everything up," said signals intelligence expert Des Ball. The newspaper said Britain's experience was a key factor in Australia's decision to exclude Huawei from any sensitive contracts.
The company has also faced flak for its actions in Iran. During the country's mass street protests of 2009 it joined forces with a British company to install location-tracking devices in the country's second-biggest mobile phone network. Critics said the deal enabled Iranian intelligence services to find and kill dissidents. Huawei, which has since reduced its presence in Iran, has defended the contract as standard technology.
Hugh White, Professor of Strategic Studies at the Australian National University, says governments on both sides of the Tasman have had to balance a legitimate security risk with the serious commercial and political consequences of saying no to Beijing.
"This is one of those genuine policy dilemmas. On the one hand, you think why take any risks with security? On the other hand, you think well boy, if we just turn our back on these guys, it will have major implications, technologically and in terms of the viability of the project on the one hand and diplomatically and politically on the other."
"I agree that there is a risk ... but I think the idea that the only way to manage that risk is to ban the company altogether seems to me to be a pretty extreme response."
He acknowledges this might be the only way if a compromise response turns out to be ineffective, as reports of the British monitoring experience suggest.
But the other suggestion in political circles is that Australia made its decision late last year within weeks of President Barack Obama's visit.
"Was the Australian decision motivated by American pressure?" muses White. "And was American pressure motivated as much by maximising differences between Australia and Beijing as concerns over the project?"
He says New Zealand may have simply weighed the same evidence as Australia and come to a different conclusion. "I don't think we should assume that the New Zealand Government got it wrong and the Australian Government got it right."
Robert Ayson, who directs the Centre for Strategic Studies at Wellington's Victoria University, also thinks we need to ask what we are really afraid of.
"How much of this is actually about assessing security risk in a more or less analytical sense, which is what our government agencies have to do, and how much of this is affected by our broader concerns about a very strong China, with a different kind of political system, perhaps having too much influence in the world?"
He says it would be naive to treat Huawei like any other multi-national company but also wrong to label it simply as a front for Chinese espionage.
"China doesn't run like a single closed box. There are debates and tensions in that system too."
Champion says it's significant that New Zealand has a free trade agreement with China, unlike Australia and the US. He suggests this gives us an edge by creating mutual obligations for good faith dealing - a point which Labour, the original architects of the deal, have missed in their enthusiasm to attack the Government this week.
Huawei has also dismissed claims by security analyst Paul Buchanan that the deal could give the Chinese Government access to New Zealand intelligence operations, including the US-run Echelon - the world's most extensive eavesdropping system. Buchanan suggested this could make the United States and Australia wary of sharing intelligence with New Zealand.
Huawei's global head of security, John Suffolk, told Radio New Zealand the company had nothing to hide and described the idea of it planting tracking devices on equipment as "a little bit James Bondy".
White and Wolfe say the prospect of any company - even with a legion of hackers - tapping into the highly protected Echelon system is unrealistic. But Wolfe says it would be relatively easy for a contractor bent on espionage to substitute legitimate hardware on a commercial network with a duplicate spy version.
That would bring hackers in at the base of the network, underneath both the operating system and detection software which dealt with imported threats like viruses.
"So targeting broadband at that level gives them the keys to the kingdom and makes it very difficult to detect what's going on."
He said the United States pulled a similar trick with the so-called Hagelin encryption machine, invented by Boris Hagelin in 1946 and sold to 130 duped countries through Swiss company Crypto AG. US, Swiss and German media reports in the 1990s said the US National Security Agency and German intelligence used a decryption device hidden in the code to read secret Libyan and Iranian messages in the 1980s.
Wolfe agrees that it could be disastrous for New Zealand to ban Chinese companies from such contracts as Australia has done and risk tit-for-tat retaliation in vital export markets such as milk powder.
But he thinks there are more subtle ways of influencing the outcome, based on a discreet word from the Government Communications Security Bureau or Security Intelligence Service during an otherwise open bidding process.
"To be seen to exclude the Chinese offhand would probably not be in our best trading interests, so they have to stand up against the other contenders and - depending on what GCSB and others say - they might not make it ... That way you don't impact on a potential trade situation."
However we choose to react, says Ayson, we should remember that China is not going away.
"China's going to be more and more involved in our economy, in our daily life. And New Zealanders are going to have to say, at what point do we draw some political lines - and this is what this debate is partly about."
Huawei in ...

... the United States
• Banned from buying networking company 3Com
• Banned from bidding on telecommunications gear
• Lost joint venture with software security company Symantec

... Australia
• Banned from bidding on national broadband contracts
• Expected to lose Perth-Singapore submarine cable contract

... Britain
• Worked on broadband contract, monitored by intelligence service

... New Zealand
• Soon to provide ultra-fast broadband in Christchurch and the central North Island
• Soon to provide rural broadband with Chorus
• Has supplied and built the 2degrees mobile network and Vodafone's fixed broadband network
• Parent company involved in proposed undersea cable link between Auckland and Sydney