May 22, 2019 by Greg Meckbach
The controversy over telecommunications equipment from Chinese manufacturer Huawei is just the tip of a large cyber risk iceberg, an Internet security expert warns.
“The question is, should we trust the country in which the company whose products and services you are using resides in?” said Bruce Schneier, a special advisor to IBM Security, during the recent Payments Canada Summit in Toronto.
“This is very much the tip of an extraordinarily complex iceberg,” Schneier told more than 1,000 financial industry professionals attending the summit on May 14.
Four telecommunications carriers are delaying sales of new Huawei smartphones, The Associated Press reported Wednesday. Those carriers are EE and Vodafone (based in Britain) and KDDI and Y! Mobile (based in Japan).
The U.S. government claims Huawei is a cybersecurity risk and has restricted technology sales to Chinese telecom gear suppliers. On Monday, the U.S. government granted a temporary, 90-day exemption, but only for existing hardware and software. President Donald Trump’s order cuts Huawei’s access to American chips and Google, which makes the Android operating system and services for its smartphones, AP reported.
The opposition to Huawei equipment is similar in concept to misgivings some people had about computer security products from Kaspersky, because Kaspersky is based in Russia, Schneier said at the Payments Canada Summit.
“Our industry is deeply international,” said Schneier.
“There is nothing we do that doesn’t involve dozens of different countries, many of whom are not friendly. And we are not going to solve that any time soon,” added Schneier, who is also a fellow at the Berkman Klein Center for Internet & Society at Harvard University.
“This thing is not made in the U.S.,” Schneier said of his mobile phone. “Its chips aren’t fabricated in the U.S. Its programmers carry – what – 150 different passports? What we know about supply chain is that any piece of it can be used to subvert the whole thing.”
Schneier alluded to claims made a few years ago by Glenn Greenwald in his book No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State.
InfoWorld magazine reported – quoting from Greenwald’s book – that the United States National Security Agency sometimes intercepts routers and other computer network devices before they are exported and enables them with surveillance technology. There is no indication the vendors knew this was happening, InfoWorld reported.
“In a supply chain, you have no choice but to trust everybody even though you can’t trust anybody,” Schneier said May 14 at the summit.
“I think of this as an insurmountably hard problem. We are not going to make a national-only smartphone. Even the U.S. couldn’t pull that off and if we did no one would buy it.”
The Payments Canada summit was hosted by Payments Canada, which operates the clearance and settlement systems that dozens of financial institutions use for cheques, pre-authorized debit, direct deposits, wire transfers and other payment methods.