Risk
10/18/2013
11:27 AM
50%
50%

Huawei Proposes Independent Cybersecurity Testing Labs

Independent bodies would be funded by vendors, customers and government agencies, and validate products' performance, security and overall trustworthiness.

The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.

That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."

Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.

The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."

[ Do government agencies have a false sense of security? NIST Security Standards: Fallacies And Pitfalls. ]

The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.

But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.

Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?

"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."

In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."

Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."

Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 9:17:30 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Huawei's got to be reveling in schaudenfrede as the NSA revelations keep mounting up.
jries921
50%
50%
jries921,
User Rank: Ninja
10/19/2013 | 7:31:55 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
While the devil is in the details, as usual, it looks like Huawei is now making a serious effort to allay foreign suspicions, as it should. The problem it faces is that since China is a Communist dictatorship and has traditionally insisted on subordinating *all* institutions, to include commercial corporations, to the Communist Party; it is subject to *whatever* orders the Party may be pleased to impose, and outsiders probably wouldn't hear about them. That's not the fault of Huawei's management, but is an important consideration nevertheless.

A truly independent lab with access to all the specs might well be sufficient.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/21/2013 | 2:59:29 PM
re: Huawei Proposes Independent Cybersecurity Testing Labs
Interesting that Huawei's security chief is a former DHS official and CSC exec.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You are infected!  @malwareunicorn to the rescue...  
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.