Here are two news stories whose contrast should tell you a lot, via
Charlie Stross.
Spy chiefs fear Chinese cyber attack:
INTELLIGENCE chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.
They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.
And here's
F-Secure's take on the big story that supposedly-Chinese hackers created a botnet of compromised Windows machines in Tibetan and Chinese-dissident organisations that let them remotely activate and monitor webcams and microphones.
The first thing is that the
Times story is a classic of the discourse of "cyberwar". Threats are by definition from state actors, Dr Evil is behind everything, and the solution turns out to be indistinguishable from giving lots of money to favoured military-industrial vendors. And there is no sign of any engineers anywhere near the story - just that very British product, the intelligence-administrative complex, telling itself stories.
But surely there is a risk from Teh Huawei? Well. First of all, what are we trying to protect? "Security" isn't an answer. There are, as far as I can see, essentially three things an attacker could do in the BT core network - crash the whole thing (denial of service), spy on somebody's traffic, or spoof a network entity, to pose as one in order to misroute traffic for some sinister aim. The horrors described in the article are presumably thought to be possible consequences of a massive denial of service attack.
How would they go about attacking it? Well, the whole point here is that they can attack from the public Internet. (If they can attack from within BT, it doesn't matter whose routers we buy...) Physical layer attacks are much less dangerous because you would need to do much more work for every unit of trouble caused - you'd need to physically tap wires and find ways of backhauling the traffic you tapped.
So we're concerned about a breach of Internet security, which implies that the crucial element in our defence will be to prevent malicious traffic getting access to the system's administrative features. For our purposes, a secret backdoor is essentially the same as an administrator interface.
Well, that's good news - this would be absolutely no different if the equipment came from Cisco Systems, Alcatel, Marconi as was, Nokia, ZTE, Motorola, NEC or anyone else, and the security solutions involved are applicable across them all, being essentially good internetworking practice. And 21CN's architecture actually makes an attack from the IP layer rather difficult. It's probably worth opening
the Wikipedia page in another tab to follow this bit.
21CN is made up of Multi-Service Access Nodes (MSANs), which replace the old local exchanges, terminate the copper wires from your house, and switch different kinds of traffic into appropriate pipes - steam voice gets converted to VoIP at this point as well, metro-nodes, which are the gateway routers to the core network, core nodes, which are really big MPLS routers, and iNodes, which are voice softswitches and which will control calls, video sessions etc. Huawei's bit is the MSAN, plus some of the optical splitters, repeaters and such.
Importantly, the MSAN isn't an Internet entity; it is a Layer 2 Ethernet device, which talks to the metronode it's connected to. In 21CN, both other ISPs and BT Retail are sold wholesale service in the form of Ethernet links, and the MSAN is responsible for putting the traffic into the right link, but the metronode is the first element to actually route Internet packets. Therefore, even if the Chinese were to secretly control all the MSANs, they would have to create a new Wholesale Broadband Connect Ethernet pipe from each one in order to get the traffic out to the Internet. And to control it, they would have to first of all get in, then break out of the encapsulation to access the MSAN itself.
And most of the IP layer equipment, including the big routers that link the whole thing to the Internet, is made by Alcatel, Cisco, or Juniper Networks; in fact, 21CN has a fair amount of diversity, which is usually good from a security standpoint. So I would suggest that this is a classic movie plot threat. Like most of them, of course, it taps deep political assumptions and vested interests; there is no evidence of Huawei's equipment being secretly controllable by the Chinese intelligence service whatsoever, but there are a lot of rightwing congressmen who just
know it, and they receive contributions of funds from competing vendors with unstartling regularity.
And more to the point, what is the evidence that Huawei is any more likely to be spying on its customers than the alternatives? If the equipment came from Cisco Systems, as some of it does, shouldn't we worry that the Americans have secretly fiddled with it? If from Alcatel, as some of it does, what about the French? (Don't laugh,
they're building a Total Info Awareness clone.) The Swedish government wants to run absolutely all Internet traffic on its territory through the facilities of the FRA, its national signals-intelligence agency, so obviously Ericsson (and Juniper, which is an Ericsson division) can be ruled right out.
However, we don't have a single documented case of any of these things happening. In fact, the best documented telco core-network hack, the Vodafone Greece case, involved an Ericsson AXE10 switch and specifically the lawful-interception system, which is really a nonsecret backdoor into the switch for the cops and spooks to listen in. (And the iNodes in 21CN? They're AXE10s. ) So it's quite possible that the security bureaucrats might be the cause of the security threat.
After all, they have Windows PCs in their offices. And they get hacked. By the Chinese. And they *do* have back-door access. Now, no-one knows who was behind the Vodafone Greece case, but we do know who is behind the vast majority of real information security breaches: non-state actors. But for some reason, there is a strange kind of cognitive bias against accepting the reality and agency of non-state actors. Just as a certain kind of government official cannot believe that guerrillas or terrorists can exist without the Dr Evil figure (Iran! Syria! Cuba! Canada!), they can't believe that their computers might get hacked by hackers. I've had to come back to this
again and again and
again.
The problem is, of course, that it involves believing that the little people have agency, intelligence, and skill. Here's
some evidence from F-Secure; the malware used in the Tibetan spying operation is maintained by a group of hackers and is openly on sale (and some people say it's Swedish - didn't I tell you we can't trust those terrible Vikings?). Accepting that is an important political act, and it is absolutely necessary, both for effective security and in general to move
beyond fear.
(
Update:
China Mobile isn't worried and trusts the French. And there is a metal band called Beyond Fear, which is
almost as cool as Bruce Schneier.)