Hardware security and the Chinese

In the recent days there have been a lot of coverage on the central government’s decision to block sale of networking equipment to domestic carriers in the country by China-based telecom hardware makers Huawei Technologies Co. and ZTE Corp. due to security concerns.

The minutes of the latest meeting of the Foreign Investment Promotion Board (FIPB) while deliberating on a case regarding Huawei clearly bear the government’s apprehension: “Huawei is a company founded by a People’s Liberation Army officer and the company has the capability to remotely manipulate the equipment it supplies to its clients”. This piece of information on the company was communicated to the FIPB by the home ministry.

In order to reduce the panic that may ensue, the officials have been trying to convey that decisions to allow/disallow use of these Chinese-made hardware are done case by case:

“There’s no blanket ban on Chinese equipment,” Gopal K. Pillai, the top bureaucrat in the Home Ministry, told reporters in New Delhi today. “We review equipment case by case.”

In a recent development, the government has also announced the formation of a regulatory body to provide “security certification at different stages for equipment brought to India by both the public and private sectors.”

Understandably some call it extreme paranoia and see these as a knee-jerk response to the recent reports of cyber espionage attributed to non-state Chinese actors, while others claim it as having something to do with the 3G license auction or do with the cheap Chinese hardware that is flooding the Indian market and drowning both Indian and western products.

One would be ill-advised to dismiss such claims completely. The suspicion that Chinese hardware may contain backdoors is neither new nor specific to Indian context. The UK government has raised question about the presence Huwaie in BT’s 21CN network backbone. This is one of the main reasons why BT has a system is in place to inspect the hardware and is able to provide consultancy service to Indian counterpart. A similar concern was also raised by the Australian government. In fact similar fears were raised by the Indian government in 2009 too.

None of these reports have any proof to show that these espionage attempts are actually taking place but given that it is easy to carry out, hard to detect and given Chinese government’s track record of engaging in active information warfare, it is a not-too-remote possibility. Given this, the steps taken by the Indian government to tackle the issue is commendable. It is also good to see follow up actions being taken in the form of setting up of a regulator rather than just banning the import/use of Chinese hardware. Given the experience that companies like BT have had in dealing with similar situations, it is also nice to see the government engaging with them to kick start the effort rather than working in isolation.

On the other hand, the lack of concrete proof of the presence of backdoor is in some ways troubling. If the various three-letter agencies have not been able to publicly state that they have discovered backdoors, nor that they have seen suspicious egress traffic, it does look more likely that there might not be any! This might mean that the “fearmongering” that Chinese companies are being subjected to may be financially motivated. After all, getting rid of cheap Chinese hardware would make the life of both Indian and western competitions a lot easier! That begs the question — why are the hardware from western manufacturers not being subjected to similar scrutiny? Do we have more trust in them than the Chinese ones? If so, what have they done to earn that trust?

A related  issue is that of the involvement of BT in the regulatory process. Its involvement in the process should be made clear openly. Though they do seem to have the expertise to help the Indian counterparts, their involvement should be restricted to consultancy services and the actual testing and audit process should be implemented and conducted by Indian institutions.

And what happens to the existing hardware of Chinese origin that are used extensively by Indian companies? It is just about infeasible to decommission them. Are we going to live with it? Looks like it for the time being. In that case these devices should be subjected to rigorous scrutiny and the companies need to make sure that no information is being leaked but also also that they are working correctly.

http://uk.news.yahoo.com/16/20100504/ttc-india-bans-chinese-networking-kit-ov-6315470.html

Connect

Connect to us through these channels

, ,

5 Responses to Hardware security and the Chinese

  1. Satya May 18, 2010 at 1:20 pm #

    Hi – First up, I would like say that I have read your posts and find it very interesting. As an Indian IT professional, I do look forward to read on such topics.

    About this specifically, I think it is a very good idea to have strong mechanisms to check the hardware (for general usage, non-classified) which will act as a deterrent. For classified communications, I think India should adopt a policy of procuring from dependable vendors – it should lay out standards for who can be classified as a “dependable vendor”. This way, there will be no blanket ban on any chinese company, but if they meet these stringent standards, then they will procure.
    Satya

    [Reply]

    skn Reply:

    We can’t be expected to produce every equipment needed indigenously, hence indeed, assurance process for critical infrastructure equipments is badly needed.

    [Reply]

  2. Vishnu Gupta June 12, 2010 at 3:05 pm #

    Well, you say : “That begs the question — why are the hardware from western manufacturers not being subjected to similar scrutiny? Do we have more trust in them than the Chinese ones? If so, what have they done to earn that trust?”
    Well, I’d be more suspicious of a Chinese company than an American one because Chinese companies have a recorded history of functioning as an extension of the state, where as it is acknowledged that *western* companies do not(in general) lend themselves to be extensions of the state mechanism. Of course, this does not imply that western companies should not be scrutinised, but prima facie there appears to be a stronger case for more scrutiny over Chinese companies.

    [Reply]

  3. trickey July 9, 2010 at 5:24 pm #

    The Communist Party is a stake-holder in every Chinese company. That’s why.
    Blame it on Comprehensive National Power. But you cannot segregate Chinese companies from the Communist Party so easily.

    Getting rid of Chinese telecom equipment is rather easy. They don’t fare so well on energy consumption or data latency. The MTBF is unacceptable. The equipment is ill-suited for upcoming cloud computing applications. The telecom industry thrives on an innovation per day culture. I don’t recall Chinese companies doing so well on that front. Huawei allegedly ripped off Cisco code and continues to rip off technology through espionage and other activites(such as illegally obtaining circuit layouts of competitors)

    [Reply]

Trackbacks/Pingbacks

  1. The answer to Global Times’ why | The Acorn - July 9, 2010

    […] why. 09 Jul 2010 | Concerning Economy, Foreign Affairs, SecurityTags: China, cyber strategy, cyber […]

Leave a Reply