WHY THE UNITED STATES IS SO AFRAID OF THIS CHINESE TELECOM EQUIPMENT COMPANY? An article from MIT Technology Review

WHY THE UNITED STATES IS SO AFRAID OF THIS CHINESE TELECOM EQUIPMENT COMPANY?
An article from MIT Technology Review

"The threat may be theoretical—but compromised telecom equipment could quickly cripple a nation’s civilian and military infrastructure."

"Alperovitch says China is known to be interested in carrying out electronic espionage against other governments and companies, and is a major backer of espionage software spread by e-mail and the Web. “The Chinese are the most pervasive actors in terms of cyber espionage,” he says."

"This report is not the first time that a government has noted potential as a vector for Chinese espionage. In 2011, the U.S. Commerce Department blocked the company from bidding to build a new wireless network for first responders; in March 2012, the Australian government barred this company from bidding for contracts to create part of its new National Broadband Network."

by Tom Simonite 

"A (U.S.)Congressional report warned that (Chinese telecommunications companies)... pose a “threat to U.S. national security interests” and could sell companies equipment rigged to give the Chinese government control over American communications networks."

"The report (PDF), issued by the House of Representatives Intelligence Committee ...experts say the possibility is real that surveillance technology could be built into the routers and switches that underlie the Internet and wireless communications systems—and this could be difficult to detect."

"(Chinese telecommunications company) primary business is selling high-end computer networking switches and other equipment used by cell phone carriers, Internet service providers, and other companies to run communications networks."

“A switch sees all the traffic that passes,” says Fred Schneider, a professor at Cornell University who works on cyber security and policy. This digital data could be anything from phone calls to Internet traffic. “If you control the switch, you could set it up so that any time it handles data, it makes a copy and sends it someplace else, or you could change the data while en route—a yes to a no.”

"A back door installed in networking hardware could be very difficult to detect, says Schneider. “If you siphon off lots [of data], then someone who was looking would notice,” he says. But “if it’s a small scale, it would be pretty hard to tell.” That’s because part of the Internet is designed to be fault-tolerant and allow the occasional piece of data to go missing. “It would be hard to distinguish between drops and retries and something nefarious,” says Schneider."

"A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful “if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops,” Schneider says."

"The use of strong end-to-end encryption could help prevent eavesdropping, but nontechnical defenses—such as buying from trusted suppliers or sourcing equipment from multiple vendors to reduce the consequences if one piece of equipment proves untrustworthy—could also be crucial, he says."

"This report is not the first time that a government has noted potential as a vector for Chinese espionage. In 2011, the U.S. Commerce Department blocked the company from bidding to build a new wireless network for first responders; in March 2012, the Australian government barred this company from bidding for contracts to create part of its new National Broadband Network."

“The telcos are very worried about this,” says Dmitri Alperovitch, a cofounder and CTO of Crowdstrike, a security startup that’s working on ways for companies to protect against cyber attacks and identify the perpetrators. 

"Alperovitch says China is known to be interested in carrying out electronic espionage against other governments and companies, and is a major backer of espionage software spread by e-mail and the Web. “The Chinese are the most pervasive actors in terms of cyber espionage,” he says."

"This track record, together with the fact that the (company) has refused to explain its relationship with the Chinese government or the role of a Communist Party committee inside the company, means that it’s fair to wonder if its products will remain safe, Alperovitch says. “The question is, if the Chinese government comes to the company and says would you put this code in your router, would the company do it?” he says."

"Both Schneider and Alperovitch note that although this week’s report singles out (this company), the globalization of supply chains raises wider security concerns about products from many technology companies. Even if equipment is made in the U.S., for example, it almost certainly contains components and chips made by other companies in other countries."

“There is a broader concern about supply chain,” says Alperovitch. “Who knows what’s being put into your product at the factory?”