The Official Assura Blog
Friday, March 7, 2008
Backdoors in Chinese Manufactured Network Equipment?
According to a report on the website PC Pro, Chinese manufacturing firms are placing backdoor code in router firmware that could allow Chinese hackers (read: the Chinese government) to eavesdrop on the communications of companies in the UK.
No kidding.
However, this does highlight an ongoing blind spot in the IT security strategies of most organizations: they aren't as good at monitoring what's going out of their networks as they are at monitoring what's coming in. You don't have to be part of a defense, intelligence, or law enforcement organization to be the target of this type of espionage. Any organization that handles personal information such as financial data, Social Security numbers, etc. is a target for identity thieves. If you have some sort of intellectual property like a proprietary manufacturing process or new computer code, you're a target.
What makes the issue of the Chinese placing backdoor code in routers significant is that US companies continue to move R&D, product development, and manufacturing overseas. Sometimes they open international divisions of their own companies, and sometimes they outsource those services to outside contracting firms. I'm the last person in the world to tell a company how to run its business or to advocate barriers to international commerce, but I think there could be some real trouble ahead in two areas if organizations don't start to take this threat seriously:
- Domestic manufacturers of network equipment could be held liable for damages if someone working on their behalf (whether a company employee or outside contractor) inserted backdoor code in their product that was then used to exfiltrate confidential information; and
- Companies could unwittingly deploy equipment with backdoor code that is then used by outside parties to exfiltrate confidential information.
The thing is, it doesn't take a major leap to understand that this threat was always out there. The defense and intelligence communities have understood this for years and have rules around what they call "acquisition security," where the issue of foreign ownership, control, or influence (FOCI) is very top-of-mind. In fact, given the choice between a superior product manufactured by a foreign-owned company and an inferior product made by a domestic manufacturer, they will always choose the domestic company. Just ask Check Point Software how many firewalls they sold to the US Department of Defense.
For private organizations, there are a plethora of steps that can be implemented to prevent "data leakage" on the policy, acquisition security, personnel, and technology fronts. The specifics depend on the organization and the types of information at stake.
But the takeaway from this is that this type of threat isn't just the stuff of Tom Clancy novels. It is real. Take it seriously.