Has our security been compromised before the shrink wrap is even off the box?

The U.S. House of Representatives went on record this month with a warning to U.S. industry of the danger of compromised supply chains. But getting to the bottom of the supply chain threat will require more than just tough talk.

Here's a scary thought: what if the biggest threat to the economic and physical security of our country came not from malicious code circulating online, but from secret software and hardware, buried deep inside brand new consumer and business systems shipped to us from assembly lines in China and other nations? What if the phones, laptops, servers - the routers and switches that power our economy - were "certified, pre-owned": compromised from day 1 with super stealthy firmware or hardware that quietly gave our enemies a backdoor through even the most capable computer defenses?

That was the scary scenario that the U.S. House of Representatives took on in recent months, with a high profile inquiry into the ties between high flying telecommunications firms like Huawei and ZTE and the Chinese government. After hours of testimony and contentious hearings featuring executives from both companies, the Committee didn't find a smoking gun. But it didn't need one. In a blistering report released on October 8, the Committee all but accused both companies of being tools of the Chinese Communist Party and the People's Liberation Army, while outright accusing executives of violating U.S. laws - including allegations of bribery, back channel deals with the government of Iran and absconding with U.S. companies' intellectual property.

You know things haven't gone well for your company when the Committee investigating you says that it will hand over its notes to the Justice Department for further review. But that's exactly what Huawei and ZTE heard from the House Permanent Select Committee on Intelligence. In the meantime: U.S. companies should consider themselves fairly warned.

"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects. Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems," the report said.

How well founded are the Committee's fears? That's another question, entirely.

What we do know is that Huawei has long been a thorn in the side of U.S. companies like Cisco Systems. That San Jose firm has tangled with Huawei both in the marketplace and in the courts, where Cisco accused its Chinese rival of illegally copying its patented technologies for use in its own lower priced networking gear. And it’s no secret that Cisco, Juniper, HP, 3COM and others have steadily lost market share to lower cost competitors like Huawei and ZTE, especially in emerging markets like China, India, Africa and South America in the last decade. In recent years, however, firms like Huawei and ZTE set their sights on North America and Europe: testing those vendors on their home turf.

Looked at through this lens: rumors about secret government back doors and the high profile House investigation smack of protectionism: an official stamp of veracity - if not authenticity - on hard-to-prove rumors and an official "thumbs down" from the U.S. Congress to tip the scales in favor of domestic rivals. Huawei all but accused the U.S. Government of protectionism in its official response, which said the House Committee's report was filled with inaccuracies and set out to reach a predetermined conclusion. Reports this week lend support to that view. According to Reuters, a separate White House review of Huawei found no evidence of spying, though plenty of evidence that Huawei's products contained exploitable vulnerabilities that could pose a serious security risk if exploited.

To be fair: the House Committee made clear that it found no evidence to prove or disprove the rumors about Chinese government or military back doors in equipment by the two vendors. "The Committee did not attempt a review of all technological vulnerabilities of particular ZTE and Huawei products or components," the report read. And, in perhaps one of the great understatements of all time: "the expertise of the Committee does not lend itself to comprehensive reviews of particular pieces of equipment."

And it’s not like the House of Representatives is the only organization ringing the alarm about threats from the supply chain. In a semiannual Security Intelligence Report released on the same day as the House Committee's report on Huawei and ZTE, the software giant Microsoft also warned about the danger of malware introduced into the technology supply chain. Citing an investigation by the company's Digital Crimes Unit of the Nitol Trojan horse program, Microsoft warned that malware was making its way onto newly manufactured and configured PCs that were then sold to buyers in China, North and South America. Microsoft recommended that companies develop disciplined internal procurement teams with consistent processes for cleaning and reformatting newly purchased systems, and installing anti-malware and intrusion detection software.
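One concrete piece of the "consistent process" Microsoft describes is verifying that a newly received or freshly re-imaged machine actually matches the approved build before it goes into service. The script below is an added example, not code from the article, from Microsoft or from any vendor named here: it builds a SHA-256 manifest from a known-good image tree, then checks an incoming unit against it and reports files that were modified, removed, or added. The directory layout, file names and manifest format are assumptions chosen for illustration; the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Intake integrity check for a newly purchased or re-imaged system.

Added example (not from the article): compare a machine's file tree against
a manifest of SHA-256 hashes taken from an approved golden image. The paths
and file contents below are constructed for the demo, not real images.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large firmware or driver blobs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (as a POSIX relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def verify_against_manifest(root: Path, golden: dict) -> dict:
    """Compare the tree under root with the golden manifest.

    Returns the three things an intake team cares about: approved files whose
    content changed, approved files that are gone, and files that are present
    but were never part of the approved image (the Nitol-style surprise).
    """
    current = build_manifest(root)
    modified = sorted(k for k in golden if k in current and current[k] != golden[k])
    missing = sorted(k for k in golden if k not in current)
    unexpected = sorted(k for k in current if k not in golden)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def _write(root: Path, relative: str, data: bytes) -> None:
    """Helper for the demo: create a file (and parent dirs) under root."""
    target = root / relative
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Build a constructed golden image, then check a 'delivered' unit that drifted from it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed golden image: the approved build the procurement team signed off on.
        _write(root, "bin/agent", b"approved endpoint agent build 1.0\n")
        _write(root, "etc/policy.conf", b"antimalware=on\nids=on\n")
        _write(root, "lib/driver.sys", b"approved signed driver\n")
        golden = build_manifest(root)
        assert verify_against_manifest(root, golden)["clean"]

        # Constructed drift on the delivered unit: one file altered, one removed, one added.
        _write(root, "bin/agent", b"approved endpoint agent build 1.0\nappended bytes\n")
        (root / "lib" / "driver.sys").unlink()
        _write(root, "tmp/setup_helper.exe", b"not part of the approved image\n")
        return verify_against_manifest(root, golden)


if __name__ == "__main__":
    result = demo()
    status = "CLEAN" if result["clean"] else "DEVIATES FROM GOLDEN IMAGE"
    print(status)
    for category in ("modified", "missing", "unexpected"):
        for path in result[category]:
            print(f"  {category:10s} {path}")
```

In practice the golden manifest is produced once from a vetted reference build and stored (and signed) separately from the machines being checked, so a compromised unit cannot also supply the manifest it is judged against. Any non-empty `unexpected` or `modified` list is a reason to re-image the system from known-good media rather than remediate in place, which is the same outcome the article's advice leads to.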

That's good advice, but like the ever-present Communist Menace of Cold War America, the threat of cyber saboteurs and a software-based fifth column that takes its orders from China, Russia, North Korea or some other nation is unsettling because it seems to be ever-present and almost impossible to prove. But, as the security luminary Bruce Schneier pointed out in a New York Times op-ed yesterday, cranking up the fear machine often has unintended consequences that reduce our security rather than increase it. Better than "loose talk" about back doors and compromised supply chains, the government and its private sector partners should be forthright in detailing the specific threats that have been identified so far and how best to mitigate them. The U.S. government can't disintermediate Chinese suppliers from their U.S. customers - the economic incentives for tapping China's low-wage workforce and sophisticated manufacturing sector are just too strong. Nor can the government scare firms like Huawei and ZTE into turning their back on their sponsors within the Chinese Military and Communist Party.

However, with specific intelligence culled from private sector firms and from the intelligence community about incidents of pre-installed malware or compromised firmware or hardware, private sector firms, NGOs, state and federal agencies and others could formulate plans to mitigate their risks that are appropriate for them. That might include steps such as Microsoft suggested, or even more in-depth vetting and audits of hardware and software suppliers, especially where there's reason to be suspicious of influence from foreign actors.

Shadows lurk everywhere. But without specific guidance on what to look for, or what a compromise might look like, warnings do little more than instill fear - the kind of "nameless, unreasoning, unjustified terror" that President Roosevelt famously warned "paralyzes needed efforts to convert retreat into advance." That kind of fear didn't work in the grip of the Great Depression, and it won't work now, as the country faces up to another great challenge.

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Comments (1)

Ben | October 18, 2012 3:16 pm

Bear in mind that there is a broader issue here beyond just embedded malware. CNCI #11 (http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative) is specifically targeted to managing supply chain risk, and it grew out of legitimate issues with the supply chain. In particular, there have been massive issues with reused/blacktopped chips that greatly reduce system reliability.

More info on some of the history in this slide deck:

Also, MITRE has a practice on the topic of SCRM:
