You spell it Huawei and say it wah-way and it's all over the news. But what does it mean for the security of your data when, as the Wall Street Journal put it, "A U.S. Congressional report has labeled Chinese telecommunications company Huawei Technologies a national security threat"?
As we will see, the implications for your data are largely determined by the type of data we're talking about. But first, some details of this report, entitled: "Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE" (.pdf file).
There is a sub-title of sorts: "House Permanent Select Committee on Intelligence, Chairman and Ranking Member Investigative Report on The U.S. National Security Issues Posed by Chinese, Telecommunications Companies Huawei and ZTE." The report was authored by Chairman Mike Rogers and Ranking Member C.A. Dutch Ruppersberger of the Permanent Select Committee on Intelligence.
If you're still awake after all that, the opening statement of the report is well-worth quoting as an articulate statement of why telecom supply chain security matters:
"The threat posed to U.S. national-security interests by vulnerabilities in the telecommunications supply chain is an increasing priority given: the country's reliance on interdependent critical infrastructure systems; the range of threats these systems face; the rise in cyber espionage; and the growing dependence all consumers have on a small group of equipment providers."
In other words, a supply chain vulnerability exists when your suppliers can't be trusted. When the people who make your country's telecom equipment turn against you, you're in big trouble. There is no cheap or easy fix for an attack carried out at the switch and router level. And if your nation's telecom suppliers can't be trusted there is a risk of them using their hardware and software to purloin intellectual property, and other data in transit, for nefarious purposes; not to mention serious potential for playing havoc with the nation's commerce and governance. This risk is very hard to eliminate by technical means alone, hence the need for trust.
Trust But Frustrate
The problem here is the information security community knows all this already. We've known this for a long time. And while the first 5 pages of the report itself, after the summaries and recommendations on pages i-iv, do a good job of articulating these concerns, I found myself sputtering, "If only the government had acted on this 10 years ago!" Maybe then we would not be faced with the reality of Huawei being one of only a handful of companies in the world that can deliver certain critical telecom hardware and software (e.g. Alcatel-Lucent, Ericsson, Siemens, IBM and Cisco, the last two of these being the only American vendors in the bunch, and I'm pretty sure even they got a lot of their kit build in China).
The reality of the current telecommunications supply chain makes the following recommendations particularly frustrating to read:
"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects. Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."
A lot of network providers and systems developers will be asking "If not Huawei, then whom?" That's whom as in "whom can we trust?" The report provides no list of trusted vendors and actually provides a critique of vendor/product certification (see below). I can't avoid the imagery of a bunch of generals standing in a shell crater among the mud and trenches and barbed wire of WWI saying "This is terrible, who's responsible?"
Today's report will likely cause fallout and "discussions" at the highest levels of government and diplomacy, but the immediate implications for consumers and small business owners are less predictable. You may want to think twice before buying Huawei or ZTE equipment, but normally you will not know if your telecom or network service provider uses their stuff. If you handle valuable data that could be useful to a foreign government then you might want to ask your service providers where they stand on using Huawei.
I'm not saying that I'm convinced Huawei is a tool of the Chinese government. I am saying that it is quite feasible for a determined telecom vendor to be or become a very effective tool for a government or other entity that wanted to engage in data espionage or communications mayhem.
Critique of Telecom Device Testing
As you can tell, I found this report to be frustrating reading. There was no "documented backdoor" smoking gun to prove Huawei was rigging its devices to "phone home" to China. But there was a surprisingly articulate assessment of the limitations of device testing as a way to alleviate concerns about such matters:
"A security evaluation of a complex device is useless if the device is not deployed precisely in the same configuration as it was tested...The evaluation of products prior to deployment only addresses the product portion of the lifecycle of networks. It is also important to recognize that how a network operator oversees its patch management, its trouble-shooting and maintenance, upgrades, and managed-service elements, as well as the vendors it chooses for such services, will affect the ongoing security of the network."
That's some good stuff. Better than I expected to read in a congressional report.
