Huawei Proposes Independent Cybersecurity Testing Labs
Independent bodies would be funded by vendors, customers and government agencies, and would validate products' performance, security and overall trustworthiness.
The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.
That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."
Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.
The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."
The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.
But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.
Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?
"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."
In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."
Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."
Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Plummer responded to questions about that report by citing an Economist article that said the House study "appears to have been written for vegetarians," since there was no meat to the allegations. "Here in the U.S. we've experienced some unfortunate discrimination based on the heritage of our company," he said. Furthermore, he noted that 70% of Huawei's business happens outside China, and the company buys one-third of its components -- spending about $7 billion annually -- from U.S. businesses. Huawei's CEO, furthermore, broke his usual prohibition on media interviews in May 2013 to publicly deny that his employees were forced to spy for China or that his company was somehow involved with China's intelligence agencies.
In July, Michael Hayden, former head of the NSA and CIA, raised the issue again, by saying that based on his intelligence experience, he believed that Huawei would have at least shared "intimate and extensive knowledge of the foreign telecommunications systems it is involved with" with the Chinese government. In a worst case, some commentators worried that Huawei might have built backdoors into its products at the behest of the Chinese government, although many hacking experts have long argued that there are so many bugs in today's software applications and hardware firmware that any would-be attackers -- nation state or otherwise -- need not bother building backdoors.
Needless to say, a lot has happened in the world since then. Leaked details of National Security Agency (NSA) surveillance programs -- the breadth, extent and depth of which have surprised even the world's most respected information security experts -- have called into question the extent to which U.S. technology hardware, software and service vendors -- or the cryptographic standards on which their products rely -- can be trusted to be free from NSA influence or tampering.
Faced with this trust deficit -- and evidence that the NSA analyzes their every communication -- some governments and national telecommunications providers have reacted with plans that just six months ago would have seemed laughable. Brazil, for starters, has proposed laying its own fiber cable to Latin America. Germany's Deutsche Telekom, meanwhile, launched an "Email Made In Germany" program in August that promises to automatically encrypt data over all transmission paths and offers "peace of mind that data are handled in compliance with German data privacy laws."
Given that information security and trust landscape, is the time right for businesses, at least, to begin funding independent testing and certification labs, backed by policymakers holding technology vendors accountable for the quality of their code?