“What’s under the hood?” is a question normally associated with the automotive industry, but of late it has woven its way into the national security discussion in the United States, associated with foreign-made goods and services. Sometimes the question makes sense; other times … well, your head gets a good scratch as you ponder the expense and rationale.
The National Defense Authorization Act for Fiscal Year 2018 (01OCT2018-30SEP2017) highlights a key prohibition concerning the U.S. Department of Defense’s nuclear command, control and communications systems. The act specifically excludes commercial equipment from Russia, China and “covered telecommunications equipment or services”—Huawei, ZTE or telecom equipment or services that the Secretary of Defense believes to be an entity owned or controlled by a covered country.
Sens. Tom Cotton (R-Ark.) and Marco Rubio (R-Fla.) introduced the “Defending U.S. Government Communications Act” (S.2391) in February 2018. The proposed legislation specifically prohibits the U.S. government from purchasing or leasing telecommunications equipment and/or services from Huawei or ZTE.
The Federal Communications Commission (FCC) joined the fray with its own entry, “Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs” (a title only a bureaucrat could love). This proposed rule from the FCC seeks comment on the exclusion of both Huawei and ZTE. The FCC takes a slightly different tack: its responsibility to marshal the Universal Service Fund in a manner that is not “used in a way that undermines national security.”
Not surprisingly, during the director of National Intelligence’s presentation of the state of the worldwide threats to the United States, he and the directors of the primary intelligence organizations were asked if they would use Huawei phones or Kaspersky software, and they all answered, “No.”
With the various government entities singing the same tune in complete three-part harmony, U.S. consumer-facing entities have been placed in a seemingly untenable position. Do they offer up products that the global marketplace is saying are beyond satisfactory, or do they avoid the issue of giving the appearance of sticking a finger in the eye of the U.S. government?
Well, AT&T was going whole-hog on bringing Huawei into its offering, but after pressure from both the Senate and the FCC, demurred and opted to drop the Huawei discussion. It then appeared that perhaps Verizon would sign up with Huawei following the CES trade show, but it too demurred.
When the carriers walked away, it was not surprising to see big-box retailer Best Buy announcing it was going to opt out of including Huawei phones among its retail selection.
What Do Members of Industry Think?
Blocking foreign companies’ products is easier than blocking products with foreign components. Dennis Chow, CISO at SCIS Security, opined that any entity trying to exclude foreign-made products would find “it’s difficult to enforce those requirements and keep costs within reason.” However, he noted the threat of “malicious firmware or other data-stealing functions baked into the product” is very real and could be accomplished without the customer’s knowledge.
Lindsey Havens, senior marketing manager at PhishLabs, echoed the theme coming out of the U.S. government entities. “Experts acknowledged that a threat of surveillance technology being built into routers and switches that underlie the internet and wireless communications systems is real,” Havens said.
With the attendant threat comes risk. Mark Stamford, CEO of OccamSec, noted concerns “around supply chain issues” have been around for some time and “there is a potential for the production process to be attacked and components modified.” He also pointed out that, in many cases, alternatives to foreign-manufactured goods “are few and far between, especially in the hardware space.” The key, he said, “is to assess the risk of the device/software.”
What Do You Think?
Should foreign-made devices or companies’ products be excluded from the United States market (in total or just from the sensitive government entities)?