Friday, December 03, 2010

Bruce Schneier, Cyber Warrior?

Do you remember the story from the Times in 2009 titled Spy chiefs fear Chinese cyber attack?

[UK] Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.

The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China...

The company [Huawei] is providing key components for BT’s new £10 billion network, which will update the UK’s telecoms with the use of internet technology. The report says the potential threat from Huawei “has been demonstrated elsewhere in the world”...

T]he ministerial committee on national security was told at the January [2009] meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network”, the meeting was told...

Ok, old news. But what did I just read in Huawei's US Sales Push Raises Security Concerns from September 2010?

Should United States telecommunications companies consider purchasing -- or even be allowed to purchase -- infrastructure equipment from a major Chinese company that could, maybe, be a significant national security risk?

Some US government officials and security experts are concerned about products from Huawei Technologies Co. Ltd. , which has begun more actively courting US customers...

Another security expert concerned about foreign tampering is Bruce Schneier, chief security technology officer at BT and a well known blogger about security. Although he doesn't have any proof, Schneier says it "certainly wouldn't surprise me at all" if Huawei installed software that could endanger US security. He would "think twice" before buying equipment from Huawei.

Wow. Did Bruce tell his bosses at BT this? I mean, he has been Chief Security Technology Officer at BT since BT acquired Counterpane in late 2006. (The BT-Huawei deal predates that acquisition by a few years, so Bruce didn't have input back then.) I guess it's possible Bruce really is a closet cyber warrior...


Anonymous said...

It should also be pointed out that foreign countries using equipment made by US companies should fear that the US government could have backdoors allowing them to affect critical systems.

And have already done so, such as the Russian gas pipeline incident and numerous rumours about NSA hooks into various products.

Anonymous said...

A small mind game.

The network was probably mostly up and running and replacing it is very expensive. BT does not care about a potential cyber warfare problem, if the price for protection is maybe 20b (nonHuawei price). But the government might be willing to pay. If persuaded.
Although in this case I do not believe mr Schneier was able to be that cynical.

In Estonia IMHO the cyber warface is being used to get government to pay the salary (and equipment) for banks and a little less for telcos security needs.
They now even have mpa degree in cyber security.
Now, if we think about things from this perspective...
Its just money.

This does not mean that I think that the problems are so black and white. It all comes to responsibility and in case of problems who in reality will take the bill.


Nasir Khan said...

Conspiracy theories abound....

Crypto AG was at the center stage when it was accused of building back doors for Intelligence agencies when it shipped cryptographic equipment to other countries.

Similarly what prevents governments from discovering and keeping vulnerabilities (later back doors) to themselves when they have the source code of OS (including Windows). Nothing can be hidden given enough resources.

Microsoft opens source code to Russian secret service

they have done similar arrangements with China in the past.

Huawei, Cisco Juniper everyone runs an OS (a piece of software) thats vulnerable and available to adversaries.

Me, David said...

The military institution which is my employer only is allowed to buy US based manufacturers ... Ironically, every single Cisco box is labelled "made in china" and Apple computers are labelled assembled in China"

In today's world what's the difference ? Can an ISP, in this economical climate and competition be blamed ?

ninja edit: just for the record: Alcatel-Lucent is also in bed with China so that's not an alternative

Anonymous said...

Allowing someone do your key management crypto software and not being able to validate that would be the equivalent of asking someone whom you dont trust to build a lock and give you a key and store all your valuables behind that :-)