Monday 22 July 2013

The blurry line between cyber threats and competitor lobbying

Ex-CIA chief and current Motorola director Michael Hayden has made waves recently, labelling Chinese telecom manufacturer Huawei a spy for China in an interview with The Australian Financial Review.
In the interview Hayden didn’t disclose any damning evidence directly tying Huawei to electronic spycraft, only stating that he had been briefed on the issue in a professional capacity and it was his “professional judgement” that Huawei has supplied sensitive intelligence to Chinese officials.
Hayden isn’t the first person to claim that Huawei is an electronic Trojan horse for the Chinese government. In 2011-2012, the company’s name was nearly synonymous with cyber warfare as it ricocheted through the news cycles, with pundits and armchair analysts saying that if Huawei were allowed to build telecom infrastructure backbone in western countries it would be a backdoor for Chinese hackers.
But all of this was without a shred of evidence. Nobody could produce a piece of evidence that tied Huawei and Chinese electronic intelligence gathering together beyond a reasonable doubt.
Backdoor, or bug?
At last summer’s DEFCON, Felix Lindner of Recurity Labs made a presentation demonstrating how some of Huawei’s gear was riddled with security vulnerabilities. According to Lindner, the firmware on Huawei’s AR18 and AR29 routers was left wide open to session hijack, a heap overflow and a stack overflow — all rudimentary hacks that have long been patched up by other vendors.
Speaking to CNET, Lindner said that the problem lies in the use of “1990s-style code” by Huawei.
When asked about the possibility of Huawei collaborating with the PLA to install back doors, Lindner said: “They don’t need to. You (just) need to have Huawei people running your network or help run your network… If you have so many vulnerabilities, they are the best form of (attack) vector.”
If Huawei’s gear isn’t sophisticated enough to be secure from the attacks of two decades ago, it probably isn’t sophisticated enough to contain hidden backdoors for the electronic intelligence wing of China’s military.
So how did Huawei get this reputation in the first place?
Manufacturing dissent
Huawei’s competitive advantage of lower costs is well known by its competitors. As Cisco can only beat the company on quality, not cost, it worked to paint its competition as a “Manchurian Candidate” through a combination of reports drafted by its public relations department and lobbying.
In late 2011, almost a year before the company’s name entered the zeitgeist as being synonymous with Chinese cyber spying, Cisco had started to brand the company as a threat to national security. The Washington Post obtained a document drafted by Cisco entitled “Huawei & National Security”, apparently delivered to firms considering Huawei equipment over Cisco’s.
“Despite denials, Huawei has struggled to de-link itself from China’s People’s Liberation Army and the Chinese government,” reads a selection of the document published by The Washington Post.
Fast forward to 2013’s congressional hearings about the possible security threat posed by Huawei and similar language appeared: “Throughout the investigation, Huawei consistently denied having any links to the Chinese government and maintains that it is a private, employee-owned company. Many industry analysts, however, have suggested otherwise,” read the congressional report.
According to lobbying watchdog OpenSecrets.org, Cisco’s lobbying efforts increased dramatically in 2011-2012. During those two years the company spent US$2.75 million, compared to $2 million in 2010 and less than $500,000 when it was the most valuable company in the world in 2000.
While Cisco categorically denies it has been lobbying against Huawei, its offensive may have more fronts than the hallways and offices of Capitol Hill.
“We’re going to make it hard on them in the U.S. and we’re going to be very tough,” Cisco’s CEO, John T. Chambers, said during a November 2011 earnings call. “We’re just going to try to make it as tough as we can on them, and we plan to beat them.”
It would be odd for a CEO to say his plans for the competition were anything less, but in this case it appears a pillar of Cisco’s marketing campaign included creating fears of a Manchurian corporation.
In many ways Huawei’s refusal to embrace transparency and proactive disclosure has strengthened the Cisco-Congress echo chamber, creating a nebulous line between PR campaign and legitimate national security threat. Huawei’s deficiencies, its struggles with some aspects of the manufacturing process, have been wrongfully categorized as malicious backdoors, a hole in the software that would allow hackers in, Charles Ding, a senior VP of the company, said to Congress.
“What they have been calling ‘backdoors’ are actually bugs in the software,” he said.
