09 October 2012

China, Cyberwar and your Phone Company


Why we are not paranoid about Huawei

Yesterday, the House Permanent Select Committee on Intelligence published a watershed report highlighting the strategic importance of telecommunications equipment and recommending that US companies not buy gear from either Huawei or ZTE. News coverage of this topic has been widespread, including 60 Minutes and The Wall Street Journal.   The primary fear is that Huawei and ZTE will insert "back doors" into telecom equipment that will allow the Chinese government to disrupt or intercept communications inside American networks.


Such back doors are not unheard of.  Although few are reported publicly, there are publicly known examples of large-scale telecom exploits, like


Whatever Huawei says about "just being a business", do not doubt that the Chinese government can induce a Chinese company into supporting its missions, through coercion, payment, regulatory favors or even simple patriotism.  While some may try to pass off these concerns of the US government as xenophobia or paranoia, there are enough publicly-exposed precedents just in recent years to justify concern, and you can be sure that the people in the intelligence community who raise these concerns are aware of other incidents that were never publicized.  This is not paranoia.  The concerns raised by this report must be taken very seriously.

Multiple threats to US carriers

The internet was designed with the assumption that there are malicious actors inside the network, but telephone systems are different.  The SS7 network, on which the public telephone and cellular networks run, is a true "network of trust", with few internal security controls.  Once malicious code is introduced into a telephone company's core network, there is very little that can be done to control it.  This is what Rep. "Dutch" Ruppersberger, ranking Democrat on the intelligence Commitee meant when he said, "In the telecommunications world, once you get the camel's nose under the tent, you can go anywhere."  This is why the introduction of suspect equipment into US telephone networks raises such serious alarms, much stronger alarms than in the IP routing world.  In some cases, the government has already intervened directly to stop large companies from purchasing suspect equipment, but small companies may make such purchases and not be noticed until after the fact.

Not being noticed does not mean there isn't risk for carriers.  The government could take actions post-facto to limit the perceived security threat.  One measure might be to refuse new spectrum licenses to limit geographic extent of the threat.  Another measure might be to prevent the merger or purchase of the company to prevent the suspect equipment from infiltrating into larger networks.  Either of these actions would be devastating to the growth and valuation of the affected company.  Whether the suspect equipment is a real threat to security or not (and I would wager that it is), just having the government take such a strong position against these vendors makes their equipment a threat to the businesses who use it.

Solutions

The immediate solution, and the strong advice of the government today, is for carriers avoid Huawei or ZTE equipment.  But this issue of Chinese back doors raises a larger question of how to determine the trustworthiness of any telecom system, Chinese or otherwise.  The real answer is open source software.  By "open source", I am not necessarily referring to software that is released to the public, but simply referring to software that can be provided to customers in source code form.  The license may be GPL or may be something more restrictive, but by allowing end users to review source code and build their own binaries, either for installation or comparison, everyone involved in the process can insure that the software is what it claims to be.  So far, the selection of open source software for cellular and core networks is limited, but it is growing, with products like OpenBTS and yate, and projects like Osmocom.  Security is just one more reason that these products represent the future of telecommunications.

(David Burgess is the lead developer of the the OpenBTS software and co-founder and CEO of Range Networks.)

Follow-up Comment

An advisor to our company read this post and asked some questions: Why is the open source solution adequate? What about hardware? Those questions go to an excellent point, that the open source approach cannot end just with the application source code, but must go down to "bare metal", including operating systems, device drivers, firmware and device schematics. For an "old school" approach, with custom chips and lots of special-built circuit boards, that is anathema, because astronomical development costs and hazy legal standards (like the copyright status of a circuit board) justify strict non-disclosure controls on the intellectual property. But as modern systems move toward commodity hardware, this becomes less of an issue, since more and more of the functionality (and value) of a system can be expressed in source code and protected with well-established copyright law.

4 comments:

  1. Good article.
    But just shipping source code to a customer doesn't ensure security - very few customers have enough resources to do the thorough review of the code. And that's where open-source software which is shared with the world is much better. If your sources are published publicly, there are much more chances they will be independently reviewed. And security of the code will improve with this kind of crowd-sourcing.

    ReplyDelete
  2. The license may be GPL or may be something more restrictive, but by allowing end users to review source code and build their own binaries, either for installation or comparison, everyone involved in the process can insure that the software is what it claims to be. china sourcing

    ReplyDelete
  3. During the time that a lot of this press was being released putting a negative light on Huawei it was (and probably still is) the only company offering everything needed for a 4G network. Do you think there is a coincidence?

    I immediately thought of protectionism, McCarthyism, and other historical 'Red-Baiting' tactics 2.0. I think I'd be more worried about back doors from the US government. Why is there not the same concern over Lenovo or any number of other products manufactured in the PRC? Huawei is quickly rising toward number 1 because they're producing a better product and fulfilling market needs.

    You did mention in your article "how to determine the trustworthiness of any telecom" and I agree firmly that open-source is the answer to these questions of security. However a lot of US companies don't like that solution because they are still clinging to patent and copyright monopolyism.

    At any rate, in my opinion, the conclusions that can be drawn from all this are that the US is falling behind technologically and is grasping for other methods to stall the competition. This could be mitigated by aggressively reforming patent laws to stimulate innovation.

    ReplyDelete
  4. Well as I have worked for Huawei so I know their technology is not bad but yes working somewhere is a bit problem due to low cost. Although I love this post its worth reading and have too much information.
    polycom IP 321

    ReplyDelete