John Pescatore

A member of the Gartner Blog Network


The Xenophobia Threat: Beware “Them”

March 30th, 2009

The Telegraph reports that UK intelligence officials have warned that BT’s new 21CN network is vulnerable to exploitation by the Chinese government since the network uses Huawei telecoms equipment. Huawei is China’s largest telecoms company and was recently “discouraged” by the US from acquiring the TippingPoint intrusion prevention technology owned by 3Com. There have been similar concerns in US political and Department of Defense circles about “supply chain integrity” – if we buy stuff from “them,” how do we know “they” aren’t sneaking in malicious capabilities?

Now, throughout history, whenever any empire has controlled communication channels, that empire has exploited that control for national gain. Whether back in the day when communication was via handwritten letters sent on sailing ships, via government-controlled (or regulated) telegraph or telephone lines (or satellite links), or when a country had a dominant share of communications technology – in every single case the country that had some level of control over the communications path exploited it. The UK, the US, the old USSR, China – everyone. The answer is certainly yes – “they” will sneak bad stuff in, just as “we” did when “we” had the chance.

What to do, what to do? Well, it is pretty certain we are not going back to only buying locally. Even if we did, our experience with easter eggs in commercial software says even “home flag” suppliers can and will sneak things in – let alone that most of those local suppliers have been using overseas developers for years and years. As Thomas Friedman says “the world is flat (and hot and crowded)” – we are not going back.

The answer to this problem is really not anything new: verify that anything you buy will only do what it is supposed to do. This is pretty similar to “when you are paying someone to develop software, make sure part of your acceptance criteria is making sure there are no exploitable security vulnerabilities in the code.” There are various levels at which to do this; how far you push it depends on your security needs. Gartner has published a number of research notes on making sure security is a highly rated criterion in sourcing decisions, whether for outsourcing, cloud-based services, X as a service, etc. – this is not really any different.
