Is it just me or does this seem to be a tortured argument - the US suggested that huawei might be implementing backdoors in their product out of the box, is not the same thing as the US security agency actively searching for exploits for the product. One is a collaborative effort to sell someone a defective product (could be fraud) the other is a adversarial effort that is a natural part of the security industry cycle.
There is another degree of freedom in that equation, Cisco.
The Chinese networking gear has become shockingly good. performance per dollar and performance per watt they are extremely competitive with Cisco, especially in the higher end. I couldn't talk to gateway routers but their switches also have accurate documentation. Ciscos biggest edge is institutional memory, a bunch of CCxx certifications, and they are assembled in America or owned by an American company or something like that which meant security.
Can any one tell a remotely interesting story as to why Cisco wouldn't aid the NSA? I mean Apple, google, etc did..
>the US suggested that huawei might be implementing backdoors in their product out of the box, is not the same thing as the US security agency actively searching for exploits for the product.
The US has also been adding hardware backdoors by intercepting mail as it travels across US friendly territories. Furthermore, the US backdoored RSA's RNG 'out of the box', and reports suggest it has backdoored other things 'out of the box'.
The argument as I understood it was this, US:
"China valves its 'dominance of cyberspace' over the security of both itself and the community of nations, therefore using hardware produced in China will probably make everyone, including the US, less safe".
It is a good argument in general form and it addresses an important need for security because this sort of gear is used in nuclear power plants, air defense grids, hydroelectric dams, etc (note that Hardware backdoors have covert radios for bridging airgaps). These backdoors, even if not exploited by the Chinese, could fall into arbitrary hands[1] and cause significant economic damage.
EDIT: People are downvoting this comment. As downvoting is your right please continue to do so but feedback is welcome. I care about understanding this issue and I want to know why you disagree with my comment.
There's just an important distinction that you're missing.
If the NSA is intercepting devices and bugging them, then it doesn't really matter which brand you buy - you're being targeted as an individual. Order a Huawei phone and they'll (presumably) try to intercept and compromise it. Country of origin doesn't really matter, because (presumably) the NSA isn't compromising the company producing the device, they're compromising the delivery chain which handles all (most) devices.
The reason to avoid Huawei (according to some US gov't sources, evidently) is that Chinese security services may have compromised the company's structure itself; thus all products they create may have backdoors/trojans already in them.
These two situations aren't even in the same universe.
>the NSA isn't compromising the company producing the device, they're compromising the delivery chain which handles all (most) devices.
We have substantial evidence that the NSA is doing this exactly this, in your words "compromising the company producing the device". For example in the case of RSA being paid to use Dual_EC_DRBG[1] or with the unspecified encryption chips that have been backdoored according to the Snowden documents[2].
>These two situations aren't even in the same universe.
From a policy standpoint it might be the same universe. We ban the use of chemical weapons in all circumstances, despite their effectiveness, because we believe the world is a better place without them.
Given the threat that hardware backdoors, either installed at the factory or during shipping, pose to both security and global trade there is an argument that such actions are off-limits. It was the public position of the US that the US did not do such actions but that China did. It appears that was PR.
2: "(TS//SI//REL TO USA, FVEY) Complete enable for [REDACTED] encryption chips used in Virtual Private Network and Web encryption devices [CCP_00009]" - (U) COMPUTER NETWORK OPERATIONS (U) SIGINT ENABLING http://www.nytimes.com/interactive/2013/09/05/us/documents-r...
Are you aware that the NSA is actively planting exploits into products by intercepting shipments? Your are not buying a Cisco product: you are buying a Cisco + NSA product, with a backdoor. Which is exactly the same as buying a Huawei product with a backdoor.
The NSA is planting exploits. It is not only exploiting existing security holes: it is creating new security holes, by manipulating the hardware. Is is effectively working together with Cisco / any other company (maybe not willingly, but who cares) to manufacture a Cisco/NSA router, with a backdoor easily accessible to the NSA.
According to his comment he is not aware of this, otherwise he would not differentiate between Cisco/NSA and Huawei.
And according to your comment, you do not even understand what I am saying.
The concern with Huawei is that a security apparatus would be inserting backdoors/Trojans into every device. The NASA's targeted attacks of a few hundred (thousand?) devices is entirely unrelated.
Previously the story was "the chinese are inserting backdoors". Afterwards the story was, the NSA is spying everyone. Now the story seems to be that the NSA is spying and planting some backdoors. How many? 1% of devices? 10%? 99%?
Let me clarify two things for you:
- We do not know how many backdoors the chinese are planting. Maybe none, maybe in all devices.
- We do not know how many backdoors the NSA is planting. Maybe just in some devices, maybe in most devices.
In light of this, how are you so sure that "these two situations aren't even in the same universe." Do you have any other knowledge that you would like to share?
yes, and one should be outraged by that. I would not have posted my comment if that was the parallel made in the OP, but by my reading that is not what the article stated.
