Risk
10/18/2013
11:27 AM
Connect Directly
RSS
E-Mail
50%
50%

Huawei Proposes Independent Cybersecurity Testing Labs

Independent bodies would be funded by vendors, customers and government agencies, and validate products' performance, security and overall trustworthiness.

The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.

That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."

Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.

The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."

[ Do government agencies have a false sense of security? NIST Security Standards: Fallacies And Pitfalls. ]

The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.

But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.

Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?

"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."

In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."

Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."

Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/21/2013 | 2:59:29 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Interesting that Huawei's security chief is a former DHS official and CSC exec.
jries921
50%
50%
jries921,
User Rank: Apprentice
10/19/2013 | 7:31:55 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
While the devil is in the details, as usual, it looks like Huawei is now making a serious effort to allay foreign suspicions, as it should. The problem it faces is that since China is a Communist dictatorship and has traditionally insisted on subordinating *all* institutions, to include commercial corporations, to the Communist Party; it is subject to *whatever* orders the Party may be pleased to impose, and outsiders probably wouldn't hear about them. That's not the fault of Huawei's management, but is an important consideration nevertheless.

A truly independent lab with access to all the specs might well be sufficient.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 9:17:30 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Huawei's got to be reveling in schaudenfrede as the NSA revelations keep mounting up.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.