He who looks behind the door hath hid there once himself.
I assume US officials know all about the home countries of telecom companies getting backdoors installed into the stuff exported to foreign countries.
The Los Alamos National Laboratory, home of some US research into nuclear weapons, has replaced networking kit from Chinese vendor H3C over security concerns, according to Reuters. Reuters says it has read internal correspondence suggesting the removal of the H3C devices was undertaken as part of a wider review of risks posed …
Most systems are exploitable; the question is, "can they be secured?"
Or in this case, I suspect, "who gave the largest political donation?"
What's more sensible, subverting the code and putting all sales at risk, or compromising someone at the outsourced management company?
You would have thought that with John Suffolk now Global Head of Cyber Security at Huawei, such suspicion would begin to evaporate. Particularly after such an illustrious career:
http://cn.linkedin.com/pub/john-suffolk/0/b72/b21?trk=pub-pbmap
Then again....
even connected to the Internet?
Seems kind of dumb. But we are talking about American 'security' (think Manning).
I know some companies that do development work on cut-out intranets whose only common "interconnection" is the electrical power source. Another uses floppies for working data, which are destroyed each night.
I don't quite get it.
Surely if you operate a "secure" or "sensitive" operation then you MONITOR all your outgoing traffic and you know what is going where (otherwise known as Data Leakage Prevention). You can see packets that are being routed to unknown or untrusted destinations. That is, if your secure element is even connected directly to the outside world.
Or do they think the Chinese have pioneered the subspace ether used in Star Trek that allowed transmission beyond the speed of light?
Now, who do you buy network monitoring gear from? qui custodit custodes
But, overall I think they'll have a hard time finding a supplier that isn't owned by and doesn't employ citizens from all countries they might have a bit of a disagreement with during the lifetime of the kit.
If they are going to be properly paranoid, they should keep quiet about their suspicions, buy the kit, reverse engineer it, find the backdoors and use them for feeding disinformation.
They couldn't simply be trying to (mis)lead other companies and governments into buying overpriced Chinese made crap that's passed through a good ol' Merkin middleman? Perhaps in a last-gasp attempt to protect their economy from the cataclysm of having to mint that TREEEEELION dollar coin they're getting all excited about ATM!
Bless.
The Risky Business podcast makes the point that the main problems with networking kit from the PRC are:
1) the code quality is *awful* (think IOS in the 1990s), along with all services turned on by default, 12-bit authentication cookies for web interfaces, &c.
2) all the debug commands only produce output in Mandarin, making it necessary to have Chinese technicians who may spend a lot of time hanging around in their embassy.
I wonder if any have actually looked at the circuit patterns in many of the chips coming out of the Pacific Rim countries? - Not just China. Anyone with an eye for schematics and design can obviously see chip doping going on. Apple was a victim of this once from a vendor that put doped chips in the keyboard circuit for Mac Air laptops. This is a regular repeating news item, folks; it doesn't take a rocket scientist to see the brazen obvious.
It makes as much sense to rely on foreign-made equipment for the critical infrastructure of your nation's defenses as it does to outsource your spy network. If you want it done in a way you trust, you do it yourself.
No one should have raised an eyebrow when China announced the Red Flag Linux initiative. Nor should people be surprised by other nations' objections to RIM being in charge of their communication, or the US dictating their Internet access.
It all boils down to: who do you trust? Anyone who is trusting the Chinese these days is a fool.
And I keep trying to get THAT past the stupid beancounters every time there is a discussion of how IT outsourcing can save money.
Once the discussion has degraded into a free-for-all with lots of name-calling, this question usually stops the beancounter dead in his (or her) tracks: "Are you willing to bet your entire pension on the outcome of this outsourcing proposal?" The answer to date has always been the same: "No".