- BlogInfoSec.com - https://www.bloginfosec.com -

Huawei and National Availability … um … Security

Siobhan Gorman wrote a front-page article “China Tech Giant Under Fire – Congressional Probe Says Huawei Poses National-Security Threat to the U.S” on the front page of The Wall Street Journal of October 8, 2012. The next day, she and Juro Osawa wrote an article with the not-unexpected title of “Huawei Fires Back at the U.S.” A third related Wall Street Journal article appeared on October 10, this time by Spenser E. Ante, with the title “Huawei’s Ally: IBM.” And I’m sure that this is far from the last word on the subject

The first article describes a scathing 52-page document, “Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE” by the U.S. House of Representatives Permanent Select Committee on Intelligence, published on October 8, 2012. The report has the following five recommendations:

1. View the penetration of the U.S. telecommunications market by Chinese companies with suspicion

2. Consider the long-term security risks associated with doing business with such companies for equipment or services

3. Investigate unfair trade practices of the Chinese telecommunications sector

4. Exhort Chinese companies to become more open and transparent

5. Consider potential legislation to better address the risk posed by telecommunications companies with nation-state ties

On the surface, these recommendations, though harsh, would appear to make some sense. However, if we dig deeper, we see that the recommendations do not solve the underlying security and dependability problem and may indeed make some situations, such as resiliency and availability, worse. Basically, we need to be testing all software and hardware products used in the critical infrastructure for security and integrity, whether they originate offshore or domestically. Today you cannot be sure of the pedigree or full provenance of any product or service. Why not set up facilities to certify all products to be used in the critical infrastructure, regardless of origin?
The Committee report mentions an article in The Economist of August 4, 2012 with the title “Huawei: The Company that Spooked the World.” I happen to mention the same article in my upcoming book “Engineering Safe and Secure Software Systems” (see … http://www.amazon.com/Engineering-Safe-Secure-Software-Systems/dp/1608074722/ref=la_B001HPTIAA_1_1?ie=UTF8&qid=1349916158&sr=1-1 [1] ). It describes a laboratory that Huawei set up in the U.K. to demonstrate the security and integrity of their products so as to assuage concerns by potential customers. Such a testing facility is a step in the right direction and something that the U.S. government might consider not only for telecommunications products originating in other countries but for all categories of computer products, of foreign or domestic origin. This is needed since U.S. companies build products offshore as well as onshore using components, such as processor chips, which are regularly manufactured abroad. Not only that, but a domestic name does not assure one that the product hasn’t been hacked or otherwise tampered with. I refer you to Russ Handorf’s May 6, 2008 BlogInfoSec column “VAR does it come from? CISCO Hardware Espionage” available at http://www.bloginfosec.com/2008/05/06/var-does-it-come-from-cisco-hardware-espionage/ [2]

We also need to consider the benefits of diversifying products used in telecommunications and other critical sectors. The main advantage of acquiring products from several manufacturers is that, if you don’t, you have monoculture issues as described in my BlogInfoSec column of March 30, 2009 with the title “Are System Monocultures More or Less Secure? Yes!” see http://www.bloginfosec.com/2009/03/30/are-system-monocultures-more-or-less-secure-yes/ [3]  If an attack were launched to bring down the Internet, then the attackers might go after a particular ubiquitous brand of equipment. Therefore, in order to avoid total disaster, it is advantageous to have a number of different makes and models of network software and hardware.
“Trust, but verify” is a basic rule in security. It is incumbent upon us to verify the trustworthiness of all IT products and services, particularly those used in the Nation’s critical infrastructure. It is also important not to become overly dependent on a limited number of suppliers. And finally, one needs to diversify in order to reduce the potential risks of monocultures. These goals won’t be achieved by targeting a couple of companies. In order to be assured of secure infrastructures, it is necessary to develop a comprehensive program of testing and certification of critical products and services covering products and services from all sources of origin.