11:27 AM
Connect Directly

Huawei Proposes Independent Cybersecurity Testing Labs

Independent bodies would be funded by vendors, customers and government agencies, and validate products' performance, security and overall trustworthiness.

The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.

That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."

Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.

The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."

[ Do government agencies have a false sense of security? NIST Security Standards: Fallacies And Pitfalls. ]

The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.

But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.

Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?

"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."

In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."

Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."

Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/21/2013 | 2:59:29 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Interesting that Huawei's security chief is a former DHS official and CSC exec.
User Rank: Apprentice
10/19/2013 | 7:31:55 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
While the devil is in the details, as usual, it looks like Huawei is now making a serious effort to allay foreign suspicions, as it should. The problem it faces is that since China is a Communist dictatorship and has traditionally insisted on subordinating *all* institutions, to include commercial corporations, to the Communist Party; it is subject to *whatever* orders the Party may be pleased to impose, and outsiders probably wouldn't hear about them. That's not the fault of Huawei's management, but is an important consideration nevertheless.

A truly independent lab with access to all the specs might well be sufficient.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 9:17:30 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Huawei's got to be reveling in schaudenfrede as the NSA revelations keep mounting up.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.