Huawei and National Availability … um … Security

The Committee report mentions an article in The Economist of August 4, 2012 with the title “Huawei: The Company that Spooked the World.” I happen to mention the same article in my upcoming book “Engineering Safe and Secure Software Systems” (see http://www.amazon.com/Engineering-Safe-Secure-Software-Systems/dp/1608074722/ref=la_B001HPTIAA_1_1?ie=UTF8&qid=1349916158&sr=1-1). The article describes a laboratory that Huawei set up in the U.K. to demonstrate the security and integrity of their products so as to assuage concerns by potential customers. Such a testing facility is a step in the right direction and something that the U.S. government might consider not only for telecommunications products originating in other countries but for all categories of computer products, of foreign or domestic origin. This is needed since U.S. companies build products offshore as well as onshore using components, such as processor chips, which are regularly manufactured abroad. Not only that, but a domestic name does not assure one that the product hasn’t been hacked or otherwise tampered with. I refer you to Russ Handorf’s May 6, 2008 BlogInfoSec column “VAR does it come from? CISCO Hardware Espionage,” available at https://www.bloginfosec.com/2008/05/06/var-does-it-come-from-cisco-hardware-espionage/

We also need to consider the benefits of diversifying products used in telecommunications and other critical sectors. The main advantage of acquiring products from several manufacturers is that it avoids the monoculture issues described in my BlogInfoSec column of March 30, 2009 with the title “Are System Monocultures More or Less Secure? Yes!” (see https://www.bloginfosec.com/2009/03/30/are-system-monocultures-more-or-less-secure-yes/). If an attack were launched to bring down the Internet, then the attackers might go after a particular ubiquitous brand of equipment. Therefore, in order to avoid total disaster, it is advantageous to have a number of different makes and models of network software and hardware.
