Government communications experts and other insiders have long been concerned about the critical systems supporting vital infrastructure in the United States. For instance, some power installations have vital command and control data flowing through the same channels as non-mission-critical business communications.
The situation is exacerbated to a very high level due to the use of the Internet. In the past, communications problems — failures or malicious hacks — were more or less limited. With the massive connectedness of the Internet, a problem at one facility can be exported to others.
Those long-standing vulnerabilities are good background for a report released last week by the U.S. House of Representatives that urges American companies to not do business with two Chinese firms, Huawei Technologies and ZTE Corp. CNBC reports that the vendors of telecom gear were evasive with the committee and, if allowed to build critical infrastructure, would threaten national security. Here is a key passage from the report, which was quoted by CNBC:
Industry giants like Huawei and ZTE provide a wealth of opportunities for Chinese intelligence agencies to insert malicious hardware or software implants into critical telecommunications components and systems. Even if the company's leadership refused such a request, Chinese intelligence services need only recruit working-level technicians or managers in these companies. Further, it appears that under Chinese law, ZTE and Huawei would be obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.
On the less geopolitical but no less important level, there are worries about the security of Huawei devices completely aside from the intent of the Chinese government. This story at Computerworld features researcher Felix “FX” Lindner, who is quoted as saying that the vendor’s “code quality is pretty much from the 90s.” He said that since he and colleague Gregor Kopf detailed the problems at the Defcon conference in July, the company has attempted to improve its security.
The clear takeaway is that it is important to be careful about Huawei on two levels. One is the nuts-and bolts: What router maker only starts paying close attention to security after it is criticized? The other, of course, is the national security level.
Paul Rosenzweig, the founder of Red Branch Consulting, did a good job of catching a meaningful piece of a Washington Post story (here is the piece) on China’s reaction to the report. The paragraph said that ZTE phones included a backdoor that allowed eavesdropping on texts and calls and insertion of programs. A security analyst is quoted as saying it was intentional.
It is impossible to say who put the backdoor into the phone. The point is, however, that the find is a real example of the type of thing the government thinks is possible. If it can happen to a phone, there is no reason to think it can’t happen to infrastructure equipment.