American businesses got a wake-up call this month from the House Intelligence Committee about the everyday risk to their intellectual property and other confidential data. Let’s hope they heed the call.
Earlier this year, concerns emerged over an uncomfortably close relationship between Huawei Technologies, a top maker of telecom equipment, and the Chinese military. Huawei’s founder, Ren Zhengfei, retired from the Chinese military in 1984 and started the company three years later.
The CBS News program 60 Minutes offered a good account of the congressional investigation into the potential national security threat posed by Huawei. But that account is incomplete.
Here’s a more complete version.
Late in 2011, the U.S. Commerce Department released an unusual statement barring networking-equipment maker Huawei from participating in a nationwide emergency network, with no clear reason given. Huawei’s U.S.-based spokesman criticized the announcement as “ungrounded.”
This was the first in a chain of events culminating in a report this month by the House Permanent Select Committee on Intelligence, which concluded that Huawei is a threat to U.S. security and to the intellectual property of U.S. companies.
Huawei responded with an unusual open letter to the U.S. government, denying charges of poor data security and asking for a full investigation into the security of its equipment.
This was a very odd request, in my view. Governments are almost always laggards when it comes to data security; they react rather than anticipate, and they are effectively incapable of independent evaluation.
Perhaps Huawei management, steeped in Chinese Communist Party culture, did not understand the traditionally adversarial relationship in the U.S. between results-focused businesses and politically focused government bureaucracies.
The House Permanent Select Committee on Intelligence started hearings and an investigation in response to Huawei’s request.
Meanwhile, in the EU, a security researcher who goes by the hacker handle “FX” began testing the “front door” security of Huawei equipment. A German national, FX presented the results of his research this summer at the annual DefCon security conference in Las Vegas.
Huawei’s competitors — Cisco, HP, Alcatel-Lucent, and others — routinely send security experts to this show, and others like it, to learn from such demonstrations and to cultivate relationships with independent security researchers.
In this cooperative spirit, ethical security researchers follow a practice called “responsible disclosure”: they will not release a road map for attacking a system without first contacting the company that made the equipment. The practice gives the company time to correct the flaws and issue a fix before the details become public.
Huawei does not have a visible presence in the security community, and it did not receive this courtesy.
In his presentation, FX demonstrated security flaws and holes so numerous that, in his words, there was no reason for Huawei to build in electronic back doors: with modest penetration skills, an attacker could silently compromise the Huawei devices. Asked whether he had followed responsible disclosure for his research, FX said he could not locate any appropriate Huawei personnel to disclose to.
On October 8, the House Committee released a 60-page report describing the threat posed by Chinese networking companies. The report states that “China has the means, opportunity and motive to use telecommunications companies for malicious purposes,” and that “…[B]ased on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”
Strictly as an aside, I’ve been told that unnamed Pentagon sources have told reporters that Huawei could add electronic “back doors” allowing eavesdropping on emails, phone calls, faxes, and confidential files that are commonly transmitted over a “secured connection.” If reporters were informed, they were given a teaspoonful of information scooped from a barrel, doled out sparingly either out of caution or out of ignorance. (Most likely caution, since Pentagon personnel are also regular DefCon attendees.)
All of this should raise broader data security alarms than the activities of just one company. Let’s hope American business hears the wake-up call.
No matter where a company or a government buys its IT equipment, due diligence by the buyer is critical. The takeaway for you is to check on the following:
1. Which labs and testers have tested the equipment and software for security and for resistance to penetration attacks?
2. Does the manufacturer publish a way for security researchers to reach it, and does it encourage the security research community to find and report flaws?
3. What is the manufacturer’s track record of responding to flaws uncovered by the security community?
4. Does the company admit errors, or does it spend its energy on statements that the flaws are only possible in “rare cases,” or only show up “in a controlled laboratory”?
5. How fast does the company act to correct flaws and alert customers?
Until Huawei’s concern for security matches that of its competitors, the comment from researcher FX this summer remains true: “I would not put any of this [Huawei] equipment on my network.”
NOTE: This column was written by Ira Victor for the private NNN newsletter, and is posted here for the benefit of CyberJungle Radio listeners.