Real Questions about Huawei for US Rep. Frank Wolf

Tuesday, April 03, 2012

Joel Harding

94ae16c30d35ee7345f3235dfb11113c

I attended a briefing on March 26th and sat three rows behind  Congressman Frank Wolf (R-VA), as I had previously blogged about. 

He gave an impassioned speech to the US-China Economic and Security Review Commission, in which he reiterated all his previous points.  Rep. Frank Wolf carefully crafted a position in which anyone defending Huawei was painted to be ‘out of your mind’.

I checked with one of the panelists, another former military intelligence officer with whom I worked with in the 1990s, and he agreed that the Congressman made some very strong allegations but failed to make his case.

Rep. Frank Wolf’s argument basically states that because Huawei is surrounded by bad guys and TWO of their people (the founder and the chairwoman of the board), in a previous lifetime, worked for or with the government, surely Huawei could not be trusted.

Representative Wolf cited an article printed in the Washington Post, where Australia had banned Huawei from installing equipment in their telecommunications networks.  Therefore the Congressman plans to introduce legislation asking for the same in the United States.

The Commissioners, bless their souls, were nodding in agreement. There was no opportunity for Huawei to respond, no opportunity for questions, no chance at having an objective hearing. I checked with Huawei and two of their representatives attended, although I did not see them.

I write this blog as objectively as possible.  The Congressman was obviously attempting to either persuade the US China Economic and Security Commission or reassure them, his objective was not clear. 

In his short amount of time, he passionately made a one-sided statement but failed to provide any evidence aside from one news report in that day’s Washington Post.

I still have a few easy softball questions for Congressman Frank Wolf:

  • Do we have hard intelligence linking Huawei with the PLA or the PRC, requesting or even taking them to gather intelligence?
  • Do we have any hard evidence that software or hardware in Huawei’s equipment is designed to allow surreptitious access by Chinese intelligence gathering?

Now the hard questions for Representative Wolf, to which the answers are ALL NO.

  • Rep. Frank Wolf, was every chip in your computer checked for embedded and hardwired code for backdoors or other malicious software? How about your iPad or smartphone? How about your staff?
  • Was your computer inspected for malicious software hardwired onto the system or embedded in any hardware?
  • Are any computers coming into the United States from China checked for embedded software with a backdoor?
  • Are any smartphones coming into the United States from China checked for embedded software with a backdoor?
  • Are any iPads coming into the United States from China checked for embedded software with a backdoor?
  • Does the United States have a program to determine if any chips, boards, computer systems or network devices have any embedded backdoors?
  • Does the United States have similar programs to examine remote software upgrades or updates for security purposes?

My purpose for these questions is to ask the Congressman to help establish a program looking for malicious software embedded in incoming hardware, be it computers, chips, network devices, whatever.  The cost will be high, but will we, once again, wait until it is too late to protect ourselves? Not only is the Congressman asking the wrong questions but he’s asking them of the wrong people.

During the hearing, immediately preceding the Congressman’s testimony, the panelists were questioned and it was established that software updates or upgrades make all telecommunications equipment de facto indefensible.  Anytime a corporation remotely installs an update or an upgrade, as most companies do, a backdoor can be installed.  Again, there is no monitoring system for these upgrades.

To make things worse, the US has mandated all US telecommunications equipment be Communications Assistance for Law Enforcement Act of 1994 (CALEA), Pub. L. No. 103-414, 108 Stat. 4279 compliant.  Therefore the US does not comply with the standards to which we expect the Chinese to adhere – all US telecommunications equipment must have a built in backdoor to enable surveillance.

The internet was established based on a few basic principles: trust and openness.  Since the explosion of the internet both principles have been superseded by paranoia, mistrust and closed networks. Our demand for security has been met with deaf ears except for the defense of government and military systems. 

Only a fraction of the corporations have a dedicated security program, the vast majority of businesses and almost all individuals in the United States are completely unprotected.

Mr. Congressman, Representative Frank Wolf, if you say you are concerned for our “National Security”, don’t you think you have a responsibility to protect the vast majority of America?  What have you done for “We the People” lately to address the concerns I just outlined?

Cross-posted from To Inform is to Influence

Possibly Related Articles:
5359
Network->General
Hardware
China Cyberwar Hardware USCC Congress National Security backdoor Huawei Cyber Espionage Frank Wolf
Post Rating I Like this!
Default-avatar
Chris Parker Interesting article, thank you. A quick scan of the world wide wobbly reveals many interesting and fact based stories about the US Government and companies. I am not looking to defend anyone, but it does look like Huawei are suffering from American protectionism. No offence to the congressman but I think he needs to get out more.

“Leaked e-mails provide a tantalizing glimpse of life behind the security curtain. HBGary and HBGary Federal were small players in this space; indeed, HBGary appears to have made much of its cash with more traditional projects, like selling anti-malware defence tools to corporations and scanning their networks for signs of infection. If rootkits, paranoia monitors, cartoons, and fake Facebook personas were being proposed and developed here, one can only imagine the sorts of classified projects underway throughout the entire defence and security industry. But the e-mails also remind us how much of this work is carried out privately and beyond the control of government agencies. We found no evidence that HBGary sold malware to nongovernment entities intent on hacking, though the company did have plans to repurpose its DARPA rootkit idea for corporate surveillance work. ("HBGary plans to transition technology into commercial products," it told DARPA.)”

Military Networks ‘Not Defensible,’ Says General Who Defends Them. “Gen. Keith Alexander, head of both the secretive National Security Agency and the military’s new U.S. Cyber Command, has tens of thousands of hackers, cryptologists, and system administrators serving under him. But at the moment, their ability to protect the Defence Department’s information infrastructure — let alone the broader civilian internet — is limited. The Pentagon’s patchwork quilt of 15,000 different networks is too haphazard to safeguard”

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees). “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who ­purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets

“No end-user or organisation would contemplate leaving the front door to their home or office unlocked as their private property and confidential information could be exposed to theft. However, many are still leaving themselves at risk from another angle. By not addressing vulnerabilities (errors in software installed on end-points that can be exploited), these very same end-users and organisations are effectively leaving their ‘windows’ wide open as entry points for cybercriminals to compromise sensitive financial/employee/personal data. Indeed, everyone who uses the Internet – 31% of the Earth’s population – is a potential victim of cybercrime.”

“Exclusive: Google, Amazon, and Microsoft Swarm China for Network Gear”. “Google, Amazon, Microsoft, and Facebook buy more networking hardware than practically anyone else on earth. After all, these are the giants of the internet. But at the same time, they’re buying less and less gear from Cisco, HP, Juniper, and the rest of the world’s largest networking vendors.”. “Over the past few years, the giants of the web have changed the way they purchase tens of thousands of the network switches inside the massive data centers driving their online services, quietly moving away from U.S.-based sellers to buy cheaper gear in bulk straight from China and Taiwan”
http://www.wired.com/dangerroom/2012/01/nsa-cant-defend/
http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
http://secunia.com/resources/reports/
http://www.wired.com/wiredenterprise/2012/03/google-microsoft-network-gear/

I would add a few questions of my own:

• It appears that the design and development of hacking exploits is a commercial activity understood and accepted by Governments and Government agencies around the world. Should Governments really be surprised that they themselves are hacked when they are stimulating a market to build such capability.
• Has the Australian Government just bowed to pressure from the USA? 3 days after Huawei told the USA announces moving troops into northern Australia… forgive me coincidence?
• It is clear that some of the world’s largest cloud providers to the USA are directly buying servers and network equipment from China. In what way is this channel protected and in what way does it differ from buying equipment and services from Huawei.
• From the Forbes article it is alleged that Northrop Grumman builds zero day exploits for Government, yet they are also a major supplier to the American Government. Is this behaviour acceptable and are these exploits used to penetrate other Government establishments?
• In what way is that the safety and security of Ericsson products different to Chinese based vendors? Is BYT is Huawei China based when two thirds of their work is outside of China, just a though?
• Given that Huawei claim to be privately owned by its employees who have a substantial stake in its success as their personal investment and pensions are locked into the success of the company, what is the greatest security risk, an employee owned company or a Chinese Government backed company such as Alcatel-Lucent or Cisco
• As we can see all international technology companies, including Microsoft, have research and development centres in China. Surely if there is a perceived risk from Chinese products the risk must be the same if not greater for other companies. I suggest greater because everyone examines Chinese products and services and does little validation on other vendors
• There is much press speculation that CISCO and HP have been assisting Governments to install monitoring capability. What does the honourable congressman think about that
• US Government has a cloud first policy, the DoD et el are going to cloud yet as the article explains the big cloud vendors are buying technology directly from China… oops

The reality is the technology is joined up, the global supply chain is just that, global. When the world is round just pointing the finger comes straight back to you. Congressman, Senators be part of the global solution not part of the global problem.
1333520896
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.