Bruce Schneier, Cyber Warrior?

Do you remember the story from the Times in 2009 titled Spy chiefs fear Chinese cyber attack?

[UK] Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.

The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China...

The company [Huawei] is providing key components for BT’s new £10 billion network, which will update the UK’s telecoms with the use of internet technology. The report says the potential threat from Huawei “has been demonstrated elsewhere in the world”...

T]he ministerial committee on national security was told at the January [2009] meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network”, the meeting was told...

Ok, old news. But what did I just read in Huawei's US Sales Push Raises Security Concerns from September 2010?

Should United States telecommunications companies consider purchasing -- or even be allowed to purchase -- infrastructure equipment from a major Chinese company that could, maybe, be a significant national security risk?

Some US government officials and security experts are concerned about products from Huawei Technologies Co. Ltd. , which has begun more actively courting US customers...

Another security expert concerned about foreign tampering is Bruce Schneier, chief security technology officer at BT and a well known blogger about security. Although he doesn't have any proof, Schneier says it "certainly wouldn't surprise me at all" if Huawei installed software that could endanger US security. He would "think twice" before buying equipment from Huawei.

Wow. Did Bruce tell his bosses at BT this? I mean, he has been Chief Security Technology Officer at BT since BT acquired Counterpane in late 2006. (The BT-Huawei deal predates that acquisition by a few years, so Bruce didn't have input back then.) I guess it's possible Bruce really is a closet cyber warrior...

Comments

Anonymous said…
It should also be pointed out that foreign countries using equipment made by US companies should fear that the US government could have backdoors allowing them to affect critical systems.

And have already done so, such as the Russian gas pipeline incident and numerous rumours about NSA hooks into various products.
10:22 PM
Anonymous said…
A small mind game.

The network was probably mostly up and running and replacing it is very expensive. BT does not care about a potential cyber warfare problem, if the price for protection is maybe 20b (nonHuawei price). But the government might be willing to pay. If persuaded.
Although in this case I do not believe mr Schneier was able to be that cynical.

In Estonia IMHO the cyber warface is being used to get government to pay the salary (and equipment) for banks and a little less for telcos security needs.
They now even have mpa degree in cyber security.
Now, if we think about things from this perspective...
Its just money.

This does not mean that I think that the problems are so black and white. It all comes to responsibility and in case of problems who in reality will take the bill.

Juhani
3:00 AM
Nasir Khan said…
Conspiracy theories abound....

Crypto AG was at the center stage when it was accused of building back doors for Intelligence agencies when it shipped cryptographic equipment to other countries.

http://en.wikipedia.org/wiki/Crypto_AG

Similarly what prevents governments from discovering and keeping vulnerabilities (later back doors) to themselves when they have the source code of OS (including Windows). Nothing can be hidden given enough resources.

Microsoft opens source code to Russian secret service

http://www.zdnet.co.uk/news/security/2010/07/08/microsoft-opens-source-code-to-russian-secret-service-40089481/

they have done similar arrangements with China in the past.

Huawei, Cisco Juniper everyone runs an OS (a piece of software) thats vulnerable and available to adversaries.
9:27 AM
Me, David said…
The military institution which is my employer only is allowed to buy US based manufacturers ... Ironically, every single Cisco box is labelled "made in china" and Apple computers are labelled assembled in China"

In today's world what's the difference ? Can an ISP, in this economical climate and competition be blamed ?

ninja edit: just for the record: Alcatel-Lucent is also in bed with China so that's not an alternative
4:19 AM
Anonymous said…
Allowing someone do your key management crypto software and not being able to validate that would be the equivalent of asking someone whom you dont trust to build a lock and give you a key and store all your valuables behind that :-)
7:08 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more