.png)
'' 'HUAWEI HOW HAUNTS' ''
''THE HUAWEI PROBLEM is very simple to explain,'' writes author Bruce Schneier, and then sets about with his illumination :
'When it comes to 5G technology, we have to build a trustworthy system out of untrustworthy parts.'
THE UNITED STATES GOVERNMENT'S continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general :
We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem - which is increasingly a national security issue - will require us to both make major policy changes and invent new technologies.
The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government.
The government could require Huawei to install back doors into 5G routers it sells abroad, allowing the government to eavesdrop on communications or - even worse - take control of the routers during wartime.
Since the United States will rely on all those routers for all its communications, we become vulnerable to building our 5G backbone on Huawei equipment
It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphone you use are not built in the United States. Their chips aren't made in the United States.
The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.
There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems.
The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication even if the design is secure.
The National Security Agency exploited the shipping process to subvert CISCO routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.
And while nation-state threats like China and Huawei - or Russia and the antivirus company Kaspersky a couple of years earlier - make the news, many of the vulnerabilities I describer above are being exploited by cyber criminals.
'When it comes to 5G technology, we have to build a trustworthy system out of untrustworthy parts.'
THE UNITED STATES GOVERNMENT'S continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general :
We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem - which is increasingly a national security issue - will require us to both make major policy changes and invent new technologies.
The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government.
The government could require Huawei to install back doors into 5G routers it sells abroad, allowing the government to eavesdrop on communications or - even worse - take control of the routers during wartime.
Since the United States will rely on all those routers for all its communications, we become vulnerable to building our 5G backbone on Huawei equipment
It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphone you use are not built in the United States. Their chips aren't made in the United States.
The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.
There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems.
The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication even if the design is secure.
The National Security Agency exploited the shipping process to subvert CISCO routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.
And while nation-state threats like China and Huawei - or Russia and the antivirus company Kaspersky a couple of years earlier - make the news, many of the vulnerabilities I describer above are being exploited by cyber criminals.
Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy.
This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.
Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source-code and hardware design specifications, and for products that arrive without any transparency information at all.
In both cases we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors : We can inspect source code - this is how a LINUX backdoor was discovered and removed in 2003 - or the hardware design, which becomes a cleverness battle between attacker and defender.
This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's easy to create backdoors that slip past inspection.
And while we can find and correct some of these supply chain attacks, we won't find them all. It's a needle-in a haystack problem, except we don't know what a needle looks like.
We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.
The Honor and Serving of the latest Operational Research on Technology, and Supply Chain vulnerabilities, continues. The World Students Society thanks author Bruce Schneier.
With respectful dedication to the Students, Professors and Teachers of the world.
See Ya all on Facebook, prepare and register for Great Global Elections on The World Students Society - [for every subject in the world] : wssciw.blogspot.com and Twitter - !E-WOW! - The Ecosystem 2011:
''' 5G & Tech '''
This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.
Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source-code and hardware design specifications, and for products that arrive without any transparency information at all.
In both cases we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors : We can inspect source code - this is how a LINUX backdoor was discovered and removed in 2003 - or the hardware design, which becomes a cleverness battle between attacker and defender.
This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's easy to create backdoors that slip past inspection.
And while we can find and correct some of these supply chain attacks, we won't find them all. It's a needle-in a haystack problem, except we don't know what a needle looks like.
We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.
The Honor and Serving of the latest Operational Research on Technology, and Supply Chain vulnerabilities, continues. The World Students Society thanks author Bruce Schneier.
With respectful dedication to the Students, Professors and Teachers of the world.
See Ya all on Facebook, prepare and register for Great Global Elections on The World Students Society - [for every subject in the world] : wssciw.blogspot.com and Twitter - !E-WOW! - The Ecosystem 2011:
''' 5G & Tech '''
Good Night and God Bless
SAM Daily Times - the Voice of the Voiceless
0 comments:
Post a Comment
Grace A Comment!