President Trump’s recent executive order correctly references a US national emergency in cyber security. But it makes the fatal mistake of connecting code insertions from Huawei with the real and present danger that America faces from its cyber adversaries. That is, if the Chinese – or any other offensive actors – decide to attack our infrastructure, they will not do so using Trojans. Rather, they will exploit vulnerabilities of our own making.
This is an important point, because Trump’s executive order tightens the noose around foreign companies, now including Huawei, that make up the so-called entity list sitting on Wilbur Ross’s desk. The basic gist is that US companies must steer clear of interactions with these companies or their agents on matters related to domestic telecommunications design, development, and operations. The motivation, presumably, is cyber security.
I believe it is naïve to think that rigged code is required to attack the telecommunications infrastructure of any nation. And it makes no tactical sense to think that using hidden Trojans from a complicit vendor is even a good choice to accomplish such a goal. People like me, who have devoted their entire lives to securing telecommunications, know that better offensive options exist that can be exploited with low cost and non-attribution.
This is not to say that vendors should be allowed to insert hidden code with impunity. Such practice, even in the form of Easter Eggs, should be considered unacceptable under all circumstances. To that end, supply chain managers should include terms in all contracts that specify consequences if Trojans are disclosed (perhaps by insider snitches). This approach doesn’t solve the problem, of course – but it can help.
Let’s illustrate the threat Trump is referencing: Suppose some broadband company in the US has purchased and uses a switch or router from Huawei. The White House is suggesting that the Chinese could send special signals over the Internet to that device to eavesdrop or interrupt service. Technically, I guess this is true, but there are many, many superior ways to accomplish such an attack that are easier to perform and much less obvious to detect.
You might know the term advanced persistent threat or APT. This is a designation for finding unprotected access to a company (usually with a phish) and then lurking around, finding interesting stuff, and gaining privileges. I am certain that virtually every small telecommunications company in the US is vulnerable to this attack. And I know this is how China would attack. It’s also a great way to nab intellectual property (hint, hint).
American allies seem to agree with this point. As far as I can tell, not a single non-US country has accepted Trump’s warning about Huawei. And thus, Wilbur Ross’s updated list is uniquely American. Other countries, such as the UK, have taken a more technical approach, assigning an expert oversight board to watch how Huawei develops products. Their recent report provides useful insight into how the vendor operates. You should read it.
Look – if Trump’s move is purely political, and is intended to punish the Chinese for their IP theft, then we should just say so. My guess is that many observers, including me, would agree that some sort of stiff action is clearly warranted. But if the suggestion is being made that avoidance of Huawei products will make the United States more secure against advanced cyber attacks to telecommunications, then I feel obliged to refute this claim.
What we need instead is a national initiative toward the following, which I’ve repeatedly tried to communicate to the President (I am Father McKenzie writing the words to a sermon that no one will hear): (1) a program for more youngsters to study computer science in return for government service in cyber; (2) an accelerated program of Zero Trust Security for all civilian agencies; and (3) agreement to use one compliance framework (I vote NIST).
Granted, these three initiatives will not magically fix our security weaknesses. But they will improve our posture, and will lead our adversaries to see that we are shifting onto the right protection track. In contrast, we have this nonsensical order about supply chain – which, by the way, would seem to complicate legal use of the phone Trump tweets from. The Android code on his phone almost certainly includes open source submissions from Chinese citizens.
Finally, I worry about retribution. What would stop the Chinese from issuing their own directive that software such as the Windows operating system or MacOS represent serious national security threats to China? They could resurface silly, debunked theories of US Government entanglements (such as the _NSAKEY story) to justify such action. This could quickly escalate into a high-tech war with all losers and no winners.
I hope you take the time to read the executive order to develop your own opinion. If you are an American, then show patriotism by demanding insightful and nuanced leadership from Washington. If you care about your country, then give credit where credit is due, but also do not waver if decisions are being proposed that make no sense. In my expert opinion, this recent executive order makes no technical sense and does not make us more secure.