If nothing else, the long-running Huawei situation shows the importance of considering the supply chain when it comes to cybersecurity. Huawei is the Chinese telecommunications equipment maker that has effectively been banned by the federal government. The topic came up at the recent RSA security conference, which Bruce Schneier attended. He’s an adjunct lecturer in public policy at Harvard University and a well-known cybersecurity expert. He joined Federal Drive with Tom Temin to tell us more.
Tom Temin: Bruce good to have you on.
Bruce Schneier: Thanks for having me.
Tom Temin: Let me start with the idea of cybersecurity and the supply chain. You called it an insurmountably hard problem. How is that? I mean, the government is certainly trying to surmount it now.
Bruce Schneier: They’re not really. The debate we’re having now is about Huawei. Can we trust equipment made in China? A few years ago it was about Kaspersky. Can we trust Russian-made anti-virus software? The basic question is a good one. Can you trust computer equipment that comes from a country whom you don’t trust? But that is really just a small piece of the problem. And I’m talking to you from an iPhone. Apple is an American company. But that iPhone is not made in the U.S. Its chips aren’t made in the U.S. Its parts don’t come from the U.S. Its programmers carry 100 different passports. Any one of those people in the supply chain could subvert the iPhone. So, you know, just focusing on the country of origin of the company is a very small part of a much more complex problem.
Tom Temin: And so there is a law now that banned Huawei, and this followed a couple years of policy trying to ban it. So would you say that is all misguided policy, should be repealed? Or should it go further than simply that company?
Bruce Schneier: It can’t go further. You can make a U.S.-only iPhone. It’ll cost 10 times as much. No one will buy it. You know, the point is that banning Huawei might be a good idea. I mean, I certainly don’t trust that equipment, but I’m not convinced I’m gonna trust Cisco equipment more, or Ericsson, or Nokia or any European or American company. Our supply chain is deeply international, and you can’t just legislate it out. We have to really figure out how to solve the problem, even though we don’t trust all of this stuff.
Tom Temin: Got it. And I guess the corollary comment that you made during that panel is that the real risk in all of this type of gear is not actually spying. Since we spy on them, they spy on us. But you named a much more difficult problem.
Bruce Schneier: It’s more complicated than that. So spying is a risk. So, you know, there are more problems here. The U.S. has intercepted Cisco equipment destined for, among other places, the Syrian telephone company. This came out in the Snowden documents. So we have to trust the shipping mechanism, the distribution mechanism, the update mechanism, and go on and on about supply chain issues. And some of this is used for spying. So there’s a story that the African Union had a new headquarters built in Addis Ababa by China, and it was found a couple of years ago that the network was sending copies of everything back to Shanghai every night. So that’s spying. That’s a risk. But something like that’s kind of obvious. We’ll catch that.
Tom Temin: Kind of like the Waldorf Astoria, with all the wires possibly buried in the walls.
Bruce Schneier: Huawei is used by China for spying on things routinely. We will notice it; you will notice the bits moving through the network. You can’t keep that secret. My worry in supply chain security, and not just with China, with everybody, is that there’ll be embedded commands to make the stuff not work, or degrade in capabilities, or give the wrong answers when there are hostilities. You can imagine the United States putting those back doors in network weapons systems that we sell to countries who we might not trust. You can imagine China and other countries embedding that into systems going into the U.S. and Europe. So if something happens, then our communication system fails. That’s a much harder thing to detect, and you could build that in such a way that it is undetectable, and it just lies dormant until it’s used. I think that’s the real risk.
Tom Temin: And this gets into the question of the 5G network. Somehow Huawei and all of this equipment is connected to the 5G build-out. That’s happening, and the Pentagon is exploring ways that it can use it. So what about 5G and the security connected with that?
Bruce Schneier: So that’s a big worry. So 5G is the new generation of cellular network. And this is important: it’s not designed so you can watch Netflix faster. We already do that. It’s designed for talking to other things. It’s designed for the Internet of Things. We’re going to send data back and forth behind our backs without our knowledge, and that’s what it’s for. And it will be critical to our national infrastructure. And having that equipment with embedded back doors is a national security threat. So I think worrying about Huawei is important. But it’s a national security threat even without Huawei, because I would worry about other countries, China, Russia, Iran, North Korea, others, embedding these kill commands in our equipment, even if they don’t own the companies that supply the equipment. Just like I’d worry about the United States embedding those commands in equipment that’s going to other countries. And maybe that is our only piece of optimism, right? If we do it to them, they do it to us. In the case of a war, nothing happens.
Tom Temin: Well, then the question becomes, I guess, is it possible to build trustworthy networks with these insecure parts?
Bruce Schneier: So I think that actually is the question. It’s not one we have an answer to. And it’s a question that is almost like the founding question of the internet. The internet was created to answer this question: can we build a reliable network out of unreliable parts? It turns out the answer was yes. You’re asking a similar question: can we build a trustworthy network out of untrustworthy parts? I don’t know that the answer is yes, but it’s not obviously no. So I think we need a research agenda, akin to the internet itself, to answer that. Now that might be a 5 to 10 year research project. The other question is, what do we do today? And today we’re basically fighting a holding action. Right now, banning Huawei makes sense. It might not be possible. I mean, there’s a reason they dominate the market, and not just because their equipment is half the price. It’s because they’re the ones making it. We in the U.S. don’t have a competing company. I joke that AT&T was too busy suing Qualcomm to bother building any of this next generation equipment. So we’re kind of stuck. Now we can build in security, privacy against eavesdropping. But building security against sabotage is a lot harder, and we might just be stuck with a vulnerability. Kind of a lousy answer, but I don’t have anything better.
Tom Temin: Sure. It sounds like, though, that the national security and trade issues really can’t be separated in any meaningful way.
Bruce Schneier: We have to separate the trade from national security. I think one of the big problems with the administration’s response has been to conflate those two. If it’s a trade issue, we negotiate, we figure it out, and there are compromises. If it’s national security, the equities are very different and there are no compromises. I think the big problem we’ve had convincing our allies to go along is because we are confusing those two issues and confusing our response.
Tom Temin: One more question regarding a program the Defense Department has launched, and that is the CMMC, the Cybersecurity Maturity Model Certification for suppliers to the Pentagon. Makes sense? Is it doable? It kind of gets into the supply chain question indirectly.
Bruce Schneier: I think the program makes sense. I’m not convinced it’s doable. I’m not convinced we’ll be able to separate what is secure from what’s insecure. It is something we have to try, though, so I like seeing the efforts, but it’s way harder than I think the program realizes right now.
Tom Temin: Cybersecurity expert Bruce Schneier is adjunct lecturer in public policy at Harvard University. Thanks so much for joining me.
Bruce Schneier: Thank you.