After launching an investigation into the two leading Chinese telecommunications equipment manufacturers in Nov. 2011, last week the U.S. House of Representatives Permanent Select Committee on Intelligence released its Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE.
The report, which was based on both classified and unclassified materials, found that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." As a result, it "strongly encouraged" U.S. businesses "to seek other vendors for their projects."
What's the potential security risk facing businesses who use the company's products? Here are four related arguments:
1. Deduce risk via corporate behavior.
The Congressional report is notable for what didn't get investigated. "The Committee took seriously recent allegations of backdoors, or other unexpected elements in either company's products, as reported previously and during the course of the investigation," it read. "But the expertise of the Committee does not lend itself to comprehensive reviews of particular pieces of equipment."
[ How should Huawei and ZTE respond to U.S. security concerns? For one perspective, see What Huawei, ZTE Must Do To Regain Trust. ]
Instead of a code review, the Congressional report reviewed the Chinese companies' business practices and found that in particular, "Huawei has exhibited a pattern of, at the very least, reckless disregard for the intellectual property rights of other entities," such as U.S.-based Cisco. Furthermore, it said that the company's denials that it had done business with Iran when it was doing business with Iran "is an important indicator of the company's ability to comply with international standards of corporate behavior and to abide by U.S. laws irrespective of China's influence or interests."
2. Treat all Chinese goods as suspect?
In an attempt to highlight what he's branded as "protectionism" by the United States, John Suffolk, the head of cyber security for Huawei--who from 2006 and 2011 served as the U.K. government's CIO and senior information risk owner--responded to the report by asking if all Chinese-made computer goods would now be suspect.
"As many people connect their iPhone to their corporate network, no doubt the Committee will also recommend these are banned given that they are manufactured in China," Suffolk told Forbes, suggesting that Huawei was being used as a political football between the U.S. and Chinese governments. "As you can see, the logic of the Committee bears little resemblance to a debate about how we limit the threat from cyber security."
3. Existing code bugs pose breach risk.
Still, what backdoor allegations was the Congressional report referring to? For starters, F. Michael Maloof, a former senior security policy analyst in the Office of the Secretary of Defense, claimed in July 2012 that the Chinese government now enjoys "pervasive access" to 80% of the world's networks, thanks to backdoors installed in Huawei and ZTE devices.
But the Chinese government--or any other interested party--likely wouldn't need backdoors to spy on networks using Huawei or ZTE devices, according to Felix "FX" Lindner, who heads Berlin-based Recurity Labs. Indeed, at this year's Defcon conference in Las Vegas, Lindner detailed his teardown of both the Huawei AR8 and ARE 29 series routers--although not any high-throughput, telco-level gear, which he was unable to obtain--and found that "the code quality is pretty much from the '90s," reported IDG News Service. In addition, the devices' firmware contains numerous exploitable vulnerabilities, such as making over 10,000 calls to sprintf, which can be used to trigger a buffer overflow if it's been incorrectly implemented.
So why bother building in backdoors? "If you have so many vulnerabilities, they are the best form of [attack] vector," Lindner told Cnet.
4. Forget spying, focus on quality.
During his Defcon presentation, Lindner also dinged Huawei for not offering a clear way to report vulnerabilities in its products. "If I don't know who to contact, I can't tell you about your bugs, and this happens," he said, referring to his public analysis of vulnerabilities in Huawei products.
Lindner, who's conducted extensive research into other types of networking devices, including Cisco-made gear, has said that even after a thorough code review--for example, of the Huawei networking devices--security researchers wouldn't necessarily be able to spot any built-in backdoors. Regardless, when it comes to the Congressional investigation, he told IDG News, "I'm somewhat in support of what the report says, not for the reasons the report says but simply because of quality assurance. I'd rather have Cisco build government networks than Huawei," he explained, "not because Huawei is Chinese, but because in comparison, Cisco has higher-quality devices."
Organizations challenged by meeting the requirements of multiple regulatory mandates are increasingly looking at the alignment of governance, risk, and compliance under a unified framework, GRC.In our report, A Security Pro's Guide To GRC, we examine where the security professionals figure into the mix and recommend the steps organizations should take to align IT GRC with existing security programs and processes. (Free registration required.)