The world needs independent testing labs that can review off-the-shelf IT products and rate their trustworthiness -- not only on the performance front but also from an information security standpoint.
That's the pitch being advanced by $35 billion Chinese multinational networking and telecommunications equipment and services company Huawei. "Over the past couple of months there have been a number of revelations that have created a crisis of confidence in the information security industry," said Bill Plummer, Huawei's VP of external affairs, speaking by phone. "If the industry is to move forward, it's in all of our best interests to come up with common solutions."
Huawei officials detailed the company's testing proposal as part of the release of the company's Cybersecurity Perspectives whitepaper Thursday. It includes the company's vision for "a very sophisticated, comprehensive, end-to-end assurance program," Plummer said, that touches on everything from research and development and supply chains, to human resources processes and internal audits.
The publication describes -- in response to customers' related queries -- Huawei's own, internal processes for tackling those essential security lifecycle components, according to Huawei USA's chief security officer, Andy Purdy. "They want to be able to trust what they buy, and have confidence that they're getting what they want, when they buy," Purdy said by phone. "We hope that others will call on other vendors to say what they're doing."
[ Do government agencies have a false sense of security? NIST Security Standards: Fallacies And Pitfalls. ]
The whitepaper also outlines Huawei's proposal for businesses, vendors, policymakers and lawmakers to come together to create public-private partnerships that would empower third parties to vet and attest to the security and reliability of IT gear. Such testing programs already exist, for example in the form of the U.S. government's Common Criteria. Meanwhile, DARPA last year said it was launching a Vetting Commodity IT Software and Firmware (VET) program to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices" that might be used by the Department of Defense.
But those approaches are designed for certain government agencies, Purdy said, and may be overkill -- and overly expensive -- for business use. "There's a growing recognition by people in government and the private sectors that things like Common Criteria aren't scalable," he said. In addition, such programs haven't been set up to gather and run the types of evaluations businesses would want to see.
Enter Huawei, which is now calling on businesses and government agencies to fund independent bodies that could vet software products for buggy code -- or backdoors -- as well as performance. But what do vulnerability testing professionals think about the idea?
"Huawei is left with [few] other options, since they cannot prove [the] absence of bugs and backdoors themselves," said Felix "FX" Lindner, who heads Berlin-based Recurity Labs, via email. "Generally, I'm in favor of governmental institutions that perform such reviews. However, discovered backdoors -- in a very narrowly defined sense -- should also result in consequences for the vendor, e.g. in the form of penalties and fines."
In other words, why just pool resources to fund testing firms? Why not also demand that lawmakers require any vendor submitting its products for testing to attest to its security trustworthiness first? "Vendors are not accountable at all, so far," Lindner said. "Keep in mind that there is no product liability for software products. Therefore, there is little hard incentive to produce secure products, only the soft incentive of public perception. As long as there is no business case for secure code, vendors will continue to do the bare minimum."
Furthermore, just as with the challenge of keeping supply chains secure, ensuring testing environments stay locked down could be difficult -- especially given the value of some zero-day bugs. "Many governments run or gear up offensive computer security operations," Lindner said. "Findings such as bugs and backdoors are very valuable to them. The institution reviewing the products must be legally bound to not hand findings over to offensive units, [as] is the case with the German Federal Office for Information Security."
Of course, it's impossible to discuss Huawei's proposal that vendors submit their products to independent testing labs without acknowledging the October 2012 U.S. House of Representatives Permanent Select Committee on Intelligence report, which warned -- without citing any evidence -- that Huawei and ZTE -- also headquartered in China -- "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."