A directive the U.S. Commerce Department sent to leading network providers such as Verizon strikes at the very heart of enterprise security because, in effect, it asked: Has China implanted malware into the networking and computer gear it sells to U.S. corporations?
Distributed in April, with details surfacing in the press in December, the document did not ask that question in those words. But throughout the security community the meaning of what it did ask for was clear, because Commerce asked for details on two fronts: 1) itemize the point of origin of any foreign-made gear on the network; and 2) detail incidents of “unauthorized hardware” on the network or attempts to redirect data to unauthorized destinations.
That prompts the blunt question: Is China eavesdropping on your network?
Answers are not clear-cut, but the reality is that worries are rising throughout the security community that a worst-case scenario may be coming true.
For starters, however, understand how slippery this inquiry is. A longtime cyber-espionage security professional (who insisted on anonymity because he was not authorized to comment on the record) said that organizations that go on an energetic search for hidden malware may well come up empty. That does not mean there are no bigger problems. He believes Chinese networking gear did not arrive on U.S. soil with hidden Trojans or malware but, rather, with engineered vulnerabilities. The difference, he said, is huge.
“An engineered vulnerability is a ‘feature’ of a system which makes life easier for a piece of malware. A Trojan is, of course, a piece of malware. If a Trojan is discovered in a system fresh out of the box, China has a problem. If a vulnerability is discovered in a system fresh out of the box, you’re not going to be able to prove it was engineered in vs. just an ordinary security screw up. So the deniability is perfect.”
Paul Henry, a security specialist at Lumension, elaborated on the concerns: “The Chinese have already proven that they have the expertise to easily break into our networks using vulnerabilities. Why not package a backdoor directly in the network gear they are selling us? It makes sense that this vector would be a consideration of the Chinese.”
Although he stressed he could not confirm such incidents have occurred, onetime Nokia network executive Joe Gottlieb, now CEO of cyber security company Sensage, said, “This is entirely possible and examples range from configuring undocumented admin credentials to removing password management controls to embedding sophisticated back doors in firmware and software.”
The unsettling message from security professionals: There are no good reasons to believe your network is not presently under surveillance by government and quasi-governmental forces abroad. No reasons whatsoever.
What should an end user do? The rub is that it increasingly is difficult to provision a network without using Chinese gear. Worse, there are proven instances of equipment labeled with names of U.S. companies that in fact were counterfeits made in China (the motives appeared to be quick profits, not espionage). Inside the Washington, D.C. beltway various super-secret agencies purportedly have built out networks that avoid all suspect gear — but at what cost? Nobody is talking about the price tags or much of anything else in regard to these installations.
For the rest of us, experts say that a safe strategy going forward is to view enterprise networks as possibly compromised. In that vein Jason Lewis, Looking Glass’ CTO, said, “The end user strategy should be to treat the network equipment as possibly compromised. That means not trusting what the network equipment’s interface reports. Separate equipment should be used to monitor unusual network activity from the suspect hardware. This could be monitoring the hardware for attempts to access unknown networks, sending unexpected encrypted data, or even modifying network traffic.”
Keeping a close eye on any network built around made-in-China gear is a necessary first step toward cyber security. But then there is this chilling comment from Andrew Storms, director of security operations for nCircle, a security firm that works with many Fortune 500 companies: “The threat has been there for some time. To limit this to China is myopic. People almost anywhere could manufacture fake hardware.”
To Storms’ point, it would be very easy for nation-state espionage agencies to manufacture counterfeits badged any way the nation wishes. Maybe there are bad actors out there seeking to throw undeserved blame on China for their own advantage?
The bottom line, the experts suggest, is that networks increasingly need monitoring at every step, and especially of outbound traffic. Network admins simply must recognize that it is entirely possible the network is compromised and nobody knows (or could know) it. That is the unsettling state of the network in 2012.
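What that out-of-band monitoring looks like in practice, as an added example that is not from the article or from any of the vendors quoted in it: a script that reads flow records captured on a tap or SPAN port on the suspect device's uplink (never from the device itself) and applies the three checks Lewis describes, namely connections to destinations outside the device's known allowlist, high-entropy (encrypted-looking) payloads on ports where plaintext is expected, and evenly spaced beaconing to one host. It also compares what the tap saw against what the device's own management interface claims, so that a connection the device leaves out of its self-report is flagged. The device address, allowlist, ports, self-report and flow records are all constructed for illustration.

```python
"""
Out-of-band monitoring of a suspect network device (added example).

The suspect IP, allowlist, flow records and device self-report below are
constructed for illustration. FLOWS stands in for what a tap or SPAN port
on the device's uplink would show; DEVICE_REPORTED stands in for the
connection list the device's own CLI printed. The device's claims are only
used to find what it omitted, never as ground truth.
"""
import math
from collections import Counter, defaultdict
from statistics import pstdev

SUSPECT = "10.0.0.2"  # management IP of the suspect switch (assumed)

# Destinations the device is supposed to talk to: (dst_ip, dst_port).
ALLOWED = {
    ("10.0.0.10", 514),  # syslog collector
    ("10.0.0.11", 123),  # NTP
    ("10.0.0.12", 49),   # TACACS+
}
# Ports where readable plaintext is expected; high entropy there is suspicious.
PLAINTEXT_PORTS = {53, 80, 514}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted bytes, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(flows, device_reported, min_beacons=3, jitter_ratio=0.1):
    """
    flows: list of dicts {t, src, dst, dport, payload} seen on the tap.
    device_reported: set of (dst, dport) pairs the device's interface lists.
    Returns an ordered, de-duplicated list of (rule, (dst, dport)) alerts.
    """
    alerts = []
    by_dest = defaultdict(list)
    for f in (f for f in flows if f["src"] == SUSPECT):
        key = (f["dst"], f["dport"])
        by_dest[key].append(f["t"])
        if key not in ALLOWED:
            alerts.append(("unknown-destination", key))
        if f["dport"] in PLAINTEXT_PORTS and shannon_entropy(f["payload"]) > 6.0:
            alerts.append(("high-entropy-on-plaintext-port", key))
        if key not in device_reported:
            alerts.append(("not-in-device-self-report", key))
    # Beaconing: at least min_beacons flows to one destination at near-constant spacing.
    for key, times in by_dest.items():
        if len(times) >= min_beacons:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and pstdev(gaps) / mean < jitter_ratio:
                alerts.append(("periodic-beacon", key))
    seen, out = set(), []
    for a in alerts:
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


# Constructed tap capture: two legitimate flows, three evenly spaced "DNS"
# packets to an unlisted host carrying random-looking bytes, one unrelated host.
RANDOM_LOOKING = bytes(range(256))
FLOWS = [
    {"t": 0, "src": SUSPECT, "dst": "10.0.0.10", "dport": 514,
     "payload": b"<134>sw1: link up GigabitEthernet1/0/1"},
    {"t": 5, "src": SUSPECT, "dst": "10.0.0.11", "dport": 123,
     "payload": b"\x23" + bytes(47)},
    {"t": 60, "src": SUSPECT, "dst": "203.0.113.7", "dport": 53, "payload": RANDOM_LOOKING},
    {"t": 120, "src": SUSPECT, "dst": "203.0.113.7", "dport": 53, "payload": RANDOM_LOOKING},
    {"t": 180, "src": SUSPECT, "dst": "203.0.113.7", "dport": 53, "payload": RANDOM_LOOKING},
    {"t": 200, "src": "10.0.0.50", "dst": "203.0.113.7", "dport": 443, "payload": RANDOM_LOOKING},
]
# Constructed self-report: what the device's CLI admitted to. Note the omission.
DEVICE_REPORTED = {("10.0.0.10", 514), ("10.0.0.11", 123)}


def run_example():
    return analyze(FLOWS, DEVICE_REPORTED)


if __name__ == "__main__":
    for rule, (dst, port) in run_example():
        print(f"{rule:32s} {SUSPECT} -> {dst}:{port}")
```

Real deployments feed this from a NetFlow/IPFIX exporter or a pcap on the tap, and the allowlist comes from the device's change record, not from the device. The entropy threshold of 6.0 bits per byte and the 10% jitter tolerance are assumptions to tune; compressed files and TLS on port 443 are legitimately high-entropy, which is why the check is limited to plaintext ports.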
As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1,500 articles for many of the nation’s leading publications ranging from Upside to the Harvard Business Review and The New York Times. He has covered mobility since the birth of the cellular industry and PCs since the 1980s. He writes often about networking and security issues. Somewhere in there he also files a regular “Mobility Matters” on mobile banking for the Credit Union Times. While he does most of his writing on a Samsung Chromebook, he admits to Macbook Air envy.