Establishing Digital Trust: Don't Sacrifice Security for Convenience
The Chinese government recently implemented new rules requiring foreign companies that sell computer equipment to Chinese banks to disclose source code, submit to audits and build backdoors into both hardware and software, according to the New York Times.
BBC News reports that the U.S. Chamber of Commerce and other groups have responded with a letter calling the rules intrusive and stating, "An overly broad, opaque, discriminatory approach to cyber security policy that restricts global Internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cyber security, thereby harming China's economic growth and development and restricting customer choice."
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that this latest move is just one part of a complex, far-reaching issue tied to economics, encryption and assurance. "While the likes of Microsoft and Google aren't willing to simply cede the Chinese market, there can be little doubt that a path that involves sharing source code ends with piracy and ultimately enhances China's ability to copy what they currently buy," he said.
China would of course prefer not to rely on foreign vendors at all, Erlin said, but they don't have sufficient capabilities domestically at this point to do so -- and as a massive market, they do have leverage with leading vendors. "Market issues aside, there are national security implications to China having open access to source code for software used by other governments, including the U.S.," he said. "China's offensive cyber capabilities would be greatly enhanced with the 'inside knowledge' afforded by such access."
"It's unlikely that the U.S. would stand idly by while China developed an arsenal of zero days behind the guise of source code audits," Erlin added.
Tripwire security analyst Ken Westin said by email that this kind of demand for backdoor access is ultimately a sign that many companies are doing a better job of securing customer data. "The problem is that this is all happening in public, and the bad guys are fully aware of where their communications can be intercepted and have already moved to more clandestine technologies and forms of communication," he said.
"The end result of all of this is that legitimate uses of encryption, and other security protections, suffer and the backdoors only work to subvert security, making everyone less safe," Westin added.
Back in 2012, security researchers came across several backdoors in routers made by Huawei that could provide the Chinese government with access to those routers. Huawei responded by denying that the backdoors were intentional and offering unrestricted access to its source code.
In U.S. congressional hearings at the time, Huawei senior vice president Charles Ding said, "It would be immensely foolish for Huawei to risk involvement in national security or economic espionage," adding, "There are no backdoors in any of Huawei's equipment."