ARCHIVED 11/29/10

November 29, 2010

To view the original article please click here.

CYBERSECURITY EXPERTS SAY HARDWARE CONCERNS GO BEYOND CHINA

Jennifer Scholtes, CQ Online News, 11/29/2010

As lawmakers wait for the Obama administration to respond to their cybersecurity concerns about U.S. telecommunication deals with Chinese companies, experts suggest their focus may be too narrow, considering the scope of the security threat bleeds far beyond China’s borders. In late October, a bipartisan group wrote to the Federal Communications Commission with questions about discussions between the U.S. companies Sprint and Cricket, and Chinese telecommunication equipment providers Huawei Technology and ZTE. The foreign companies are perceived to have a cozy relationship with their government, which has given them billions of dollars in backing. Those ties raise concerns that China could alter any technology sold to the American firms — with or without the manufacturers’ knowledge — to capture calls, e-mails and GPS locations for purposes of espionage, according to the letter’s authors, Republican Sens. Jon Kyl of Arizona and Susan Collins of Maine, Sen. Joseph I. Lieberman, I-Conn., and Rep. Sue Myrick, R-N.C. Congressional aides have indicated that they expect to see answers to the letter sometime in the next few weeks. But professionals in the private sector say that although the security fears are real, they are misdirected. The threat can only be stemmed by ensuring security throughout the telecommunications supply chain, not by merely testing equipment or pinpointing Chinese companies, said Larry Clinton, president and CEO of the Internet Security Alliance. “The Chinese military can affect the supply chain in India or in Vietnam. You don’t have to build something in China to be attacked by the Chinese,” Clinton said last week. “Let’s blow off Chinese-made stuff — that doesn’t solve your problem. You’ve got an inherent supply chain problem.” The solution, Clinton said, is creating a secure system out of insecure parts by developing a series of practices and standards throughout the supply chain. Such safeguards would ensure that the end products created are trustworthy, regardless of whether their hardware has been manipulated. In their letter to the FCC, the lawmakers’ first question was whether the commission has the authority to review foreign technology. But even if the FCC did have that authority, the exercise would be useless, Clinton said. While testing for insecure software is commonplace, it’s “virtually impossible” to detect an invasion of hardware, he said. Additionally, hardware manipulation is much more difficult than tampering with software, requiring billions of dollars, Clinton said. Because it’s challenging and costly, nation states are usually the only entities that would be willing or able to pull off such an operation, he said. Looking Beyond China Without a surefire way to ensure equipment is secure through post-facto testing, knowing the security of its manufacturer is key — not trying to guess the motivations of countries like China, said Richard A. Clarke, former special adviser on cybersecurity to President George W. Bush. “The product could come from the United States. It could come from India. It could come from China. Where it comes from isn’t the issue. The level of security is the issue,” Clarke said. “If the computer chip is manufactured in a place where somebody can hack their way in and alter it . . . then you don’t have a secure product. It’s not a matter of where it came from.” Representatives from Huawei agree. Bill Plummer, vice president of external affairs for the company said the same security concerns exist across the industry and that, essentially, Huawei is being unfairly picked on — caught in the crossfire of U.S.-China geopolitical issues. “Huawei is Huawei,” Plummer said. “Huawei is not China. To some extent at least, we’re being caught up in this overarching umbrella of U.S.-China tension, and we’re just a commercial company that happens to have a heritage in China.” In a 2010 report submitted to Congress, the Defense Department stated that Huawei has close ties to China’s military. And this month, China stipulated that $500 million of a loan it provided to Cambodia must be spent on equipment from the company. Still, Plummer insists that Huawei has no more of a connection to the Chinese government than any other company, pointing to the fact that the business is a completely commercial entity. It is 100 percent employee-owned, he said, and nearly all other major telecommunication equipment manufacturers produce some of their products in China. Ericsson, which is headquartered in Sweden, has more than 7,000 employees in China and northeast Asia, accounting for more than 8 percent of the company’s employees as of September 2010. “We’re all doing the same thing. We’re all taking advantage of the same interdependent supply chain,” Plummer said. “There’s not a single company or government anywhere who’s ever found our equipment to vary from international standards related to security.” Stifling U.S. business with Huawei, he said, would be a major financial detriment to the United States. The company, which is one of the largest telecommunication equipment manufacturers in the world, buys billions of dollars’ worth of components from U.S. companies such as Texas Instruments every year. A senior Senate aide said legislative action on the issue is not expected, and that congressional lawmakers foresee being able to work closely with the Obama administration to address concerns. Briefings from the administration are expected in December on the questions of whether the FCC perceives telecommunication technology business with China as a risk to U.S. security and what the commission is doing to monitor transactions and equipment.