Let’s Focus on Real Risk Based on Verifiable Facts.
On October 8, 2018, Apple’s Vice President for Information Security issued a letter to Congress contradicting a bombshell report of Chinese hacking into their servers. “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” the letter stated, adding, “The U.S. Department of Homeland Security joined the U.K.’s National Cyber Security Centre in saying they have no reason to doubt the statements we’ve made.”
The following highlights of the letter illuminate the realities of current industry protocols regarding security and the global supply chain.
"Our frustration is animated by the fact that we share your rightful focus on cybersecurity and the integrity of the global supply chain . . . Concern for supply chain security is absolutely central to the way we run our business . . . We purposely work with multiple vendors, and our infrastructure is very diverse, protected by multiple layers of security. We deploy both commercially available and Apple proprietary security tools, led by an experienced security team that is familiar with diverse threats, simple and sophisticated. We apply rigorous and ongoing diligence to vendors. Before we begin a relationship, vendors are submitted to a review process which can incorporate, depending on the criticality of the services offered, a layers-deep study of the security infrastructure of the vendor in question. The hardware incorporated into our environment is also placed in the scope of Apple’s Vulnerability Management Program which makes these products subject to ongoing vulnerability scans, patching, and security reviews. In the situation [described], the so-called compromised servers were allegedly making outbound connections. Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.”
A reputable security researcher, one of the few sources named in the investigative report on the supposed hack, also cast serious doubt on the story, noting that there are easier, most cost-effective methods of attaining backdoor access to a target computer network. The report claimed Chinese operatives managed to sneak a microchip smaller than a grain of rice onto motherboards produced by hardware supplier Supermicro. Supposedly designed by the Chinese military, the chip acted as a “stealth doorway onto any network” and offered “long-term stealth access” to attached computer systems. Nearly 30 companies were reportedly impacted by the breach, though only Amazon and Apple were named in the story.
How can we begin to see real cybersecurity/national security threats amidst reports like this one? If we get lost in paranoia and fear, we may fail to see the actual threats and act to counter them.
The most sophisticated threats require an equally sophisticated and fully coordinated response, one that is continuously improved in light of the changing risk environment and changes in technology. Arguably, one of the most serious national security threats is the one discussed above regarding the unconfirmed report about microchips implanted in hardware of AWS and Apple.
Perhaps the most serious consequence of confusion around that report is that it might obscure a real danger: that it is technically possible to implant a small amount of nearly undetectable code in software or hardware (such as in a base station) that can enable malicious functionality/attacks. Such code is almost definitely undetectable if you do not look for it.
Given the risk of such an attack mechanism, whether it is a threat that is the most, or even somewhat likely – given the difficulty and cost, and availability of good alternatives -- is a different question. It is valuable to independently test products pursuant to an agreed-upon criteria as part of a comprehensive risk-management approach, with shared responsibility among telecom operators, equipment vendors, and government stakeholders.
What we clearly need is rigorous, third-party testing of hardware and software; risk mitigation by network operators including strict monitoring of traffic, sophisticated defense mechanisms; prioritization and protection of the most important assets including, for example, personal and network data, and key nodes and equipment; and segmentation of networks by operators to minimize potential damages when -- not if -- sophisticated actors are able to penetrate them.
Once we see these very real possibilities clearly, we can move toward the types of practical, structural, co-operative solutions that can actually protect us by managing risk and promoting resilience. Without this vision, we may miss the actual threats, as well as crucial opportunities for partnership and progress.
A senior official of the British intelligence service, GCHQ, had it right when he said recently that we need a “clear-eyed” focus on national security cyber threats. Rather than blackball individual companies, or target companies headquartered in China, we need to up our game, and drive collaboration between telecom carriers, equipment vendors, governments, and technical experts to create a unified, technology-neutral security assurance framework steeped in internationally recognized standards and best practices.
And we must go one better than a “trust, but verify,’ approach: we need a “trust through verification” assurance protocol applicable not only to equipment vendors, but the telecom operators as well. Let’s work together to create a trusted, independent verification model that provides third-party, objective and fact-based testing – based on internationally agreed upon standards and best practices -- that ensures that we have verifiable facts on which to base a conclusion that a product or vendor is trusted or untrustworthy.
Sophisticated, well-resourced, and motivated nation states, and some other organized malicious actors, can penetrate just about any network or system, and those who have to defend (and government stakeholders) have to keep this in mind. We need well-recognized risk assessment and management approaches. Organizations must assess risk based on their business objectives and risk environment and must include supply chain risk in this analysis. The National Institute of Standards and Technology Cybersecurity Framework is a useful risk-analytic tool.
The requirements for assessing and mitigating national security-level threats to our communications networks should be informed by deep threat-modeling and vulnerability and impact analysis that recognize that at least five nation states can virtually implant hidden functionality or malicious code in just about anyone’s network and system, recognizing that it is not possible to eliminate all risk. Some experts have suggested creating a trusted foundry for chips used most critical deployments, such as for Air Force One, or the most sensitive military communications systems. But this would not address the problem broadly enough. Rather, a comprehensive approach to risk management and resilience is required for all equipment providers, telecom operators, and other third-party providers, including trusted third-party review of all key products based on internationally recognized standards and best practices.
We also need to use incentives – not just regulation – to drive more security practices. This includes developing risk-informed procurement requirements to motivate vendors. We also need to encourage vendors to work together to further develop the telecom technology industry’s own voluntary assurance and transparency requirements.
Risk management is a shared responsibility among telecom operators, equipment vendors, and other third-party providers. Questions about the security of network equipment fall to vendors, each and all tasked with developing secure and security-enabling products. Operators, who control networks and access to data, assume the primary risk of network and data security so are naturally incentivized to take great care in choosing vendors they can trust. In moving toward a “trust through verification” approach it is important to note that the operators control the data; equipment vendors (and other third-party providers) do not have uncontrolled access to these networks or the personal or network data contained in them. Even if asked by some government authority, a vendor (like Huawei, the subject of so much recent controversy and confusion) could not possibly comply with requests for inappropriate data collection and transmittal or other malicious behavior regarding data.Telecom operators strictly control network access, requiring vendors to receive permission before vendors can access any data, and usually require vendors to follow policies and use technologies that provide strong assurance and auditable transparency regarding access to sensitive personal and network data. When strong controls are in place, it is not possible for a vendor to access, use, or transmit data that is inconsistent with the limited access provided by the operator.
Third-party, independent, and internal conformance models are also essential elements to implement a “trust through verification” approach. For example, Huawei’s Internal Cyber Security Lab (ICSL) works independently from other Huawei business operations and acts as a gatekeeper of the company’s products from a customer perspective. The ICSL acts independently to evaluate product security and check whether the company’s strict security standards are met, supporting the Global Cyber Security and Privacy Officer’s veto rights. The company’s open and transparent cooperation has been integral to its long-term and effective security-evaluation partnerships with several countries such as the UK, Canada, Germany, and France. Huawei is working successfully with the European Cyber Security Center in Brussels to provide security verification access to Huawei products to customers, governments, and third-party experts, and through external evaluation programs in UK and Canada, and an emerging program in Germany for security assurance mechanisms for all vendors.A useful model for a global framework for trusted third-party testing and verification is the security standard approach of Common Criteria, which features recognized independent labs in a number of countries with objective, standards-based testing requirements. Most significantly, the program requires all signatories to accept the testing results from all participating laboratories in all countries. This eliminates the prejudices against particular countries, like China, which is currently obscuring our vision.