11:27 AM

Huawei Proposes Independent Cybersecurity Testing Labs

Independent bodies would be funded by vendors, customers and government agencies, and validate products' performance, security and overall trustworthiness.

The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.

That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."

Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.

The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."

[ Do government agencies have a false sense of security? NIST Security Standards: Fallacies And Pitfalls. ]

The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.

But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.

Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?

"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."

In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."

Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."

Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

1 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 9:17:30 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Huawei's got to be reveling in schaudenfrede as the NSA revelations keep mounting up.
User Rank: Ninja
10/19/2013 | 7:31:55 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
While the devil is in the details, as usual, it looks like Huawei is now making a serious effort to allay foreign suspicions, as it should. The problem it faces is that since China is a Communist dictatorship and has traditionally insisted on subordinating *all* institutions, to include commercial corporations, to the Communist Party; it is subject to *whatever* orders the Party may be pleased to impose, and outsiders probably wouldn't hear about them. That's not the fault of Huawei's management, but is an important consideration nevertheless.

A truly independent lab with access to all the specs might well be sufficient.
User Rank: Apprentice
10/21/2013 | 2:59:29 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Interesting that Huawei's security chief is a former DHS official and CSC exec.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.