Cyber-security, foreign goods and the role of verification

Posted by Scott Spence (scott.spence) on Nov 02 2012
VERTIC Blog >> Verification and Monitoring
Katherine Tajer and Larry MacFaul, London
There are plenty of threats in cyberspace currently worrying governments around the world: espionage, damage to critical infrastructure, the theft of intellectual property, and others besides. The range of potential adversaries is equally as diverse: states or state-sponsored actors, terrorists, ‘hacktivists’, foreign companies and criminal organisations. The types of attack are numerous and they can be very fast, easily concealable and able to bypass conventional defences at national boundaries.

The increasing reliance on cyber-related technologies throughout the public and private sector, combined with the speed of development in this area, is leading governments to think hard about how to effectively regulate and establish robust prevention and response measures in this area. While many discussions focus on the difficulty of attribution of cyber-attacks once they have taken place, a matter of growing concern is the vulnerability of electronic product supply chains to interference. Governments are now wondering whether their adversaries might introduce harmful elements into the hardware, firmware and software that they buy to support important national services.

Some techniques, such as post-production evaluation, are already used to check the security characteristics of software-intensive systems. But the acceptability to governments of using these types of evaluation seems heavily dependent on the context in which they are being applied. A US House of Representatives report released last month cautions against their usefulness, at least when applied to the involvement of Chinese companies – in particular Huawei and ZTE – in the development of large telecommunication systems in North America. The report argues that these evaluations are more likely to favour the interests of the seller than the buyer. It states that ‘such processes are not necessarily designed to uncover malicious code’ and adds that one ‘key issue not addressed by standardized third-party security evaluations is product and deployment diversity,’ noting that: ‘The behavior of a device or system can vary wildly depending on how and where it is configured, installed, and maintained.’
Huawei has established independent evaluation centres in the UK and most recently Australia to carry out post production evaluations on products to be used by government agencies. The House of Representatives report notes that the UK addresses potential security issues in its business with Huawei by vetting the evaluators of the products, but it argues that ‘it is not clear yet, however, that such steps would readily transfer to the US market.’
The report argues that it is almost impossible to locate and eliminate every significant vulnerability from a complex product, especially if these include ‘flaws intentionally inserted by a determined and clever insider’. It accepts that there is ‘a large body of literature describing techniques for finding latent vulnerabilities in hardware and software systems’ but points out that ‘no such technique claims the ability to find all such vulnerabilities in a pre-existing system.’ It also notes that techniques do exist that can ‘prove a system implementation matches a design which has been formally verified to be free of certain types of flaws. However, such formal techniques must be incorporated throughout the design and development process to be effective. They cannot currently be applied to a finished product of significant size or complexity.’
The report is also concerned that post-product evaluation does not address threats of malware infiltration once the product is in use. The ongoing security of a network will be determined, the report argues, by how a network operator oversees its patch management, its trouble-shooting and maintenance, upgrades, and managed-service elements, as well as the vendors it chooses for such services’. The report concludes that significant security ‘is available only through a thoughtful design and engineering process that addresses a complete system-of-systems across its full lifecycle, from design to retirement and includes aspects such as discrete technology components, their interactions, the human environment, and threats from the full spectrum of adversaries.’
But why was the US House of Representatives so interested in these two companies’ involvement in the country’s telecommunications systems in the first place? The concern lay mainly in the level of the companies’ ties with the Chinese government and the opportunities this might give it to infiltrate critical US systems. Equally, for its part, the Chinese government has raised fears about its own reliance on American manufactured software .
Not only did the report examine post-product evaluation methods, it also described how the Permanent Select Committee on Intelligence reviewed financial information about the companies and interviewed specialists in the field. The committee determined that these companies were not forthcoming about the investigation, and therefore that the US should regard them with suspicion.
In this case, as in many other areas, the degree of assurance desired by a country from a verification system is largely determined by its perception of the level of risk. When the perceived or potential adversary in question is powerful, has the capability to carry out an attack, and the impact from such an attack would be high, the level of assurance required from a verification system is also high.
National or third party licensing and verification systems have been applied to international trade in other commodities. International inspectorates are used to peer into sensitive facilities such as nuclear power plants to check material is not being diverted. These examples indicate that the international community can sometimes generate the level of ambition needed to try to address problems at the multilateral scale – especially when countries’ national security is concerned.
Discussions exploring what instruments might be acceptable and workable for cyberspace are ongoing in a variety of international conferences and forums. The debate has focused on tools such as confidence building measures, treaties, international bodies and enhanced transparency and cooperation between and within countries. Part of that discussion will likely continue to focus on verification and assurance. Could a sufficiently effective and inexpensive verification system be developed to meet whatever level of assurance is required? What level of intrusiveness would the seller accept, And what form would such systems need to take? Moreover, can they remain as largely industry and national level arrangements, or will they need to be addressed at an international level by an international standards-setting organization?

Last changed: Nov 02 2012 at 9:47 AM