Ever since whistleblowers Edward Snowden and Julian Assange exposed government acts of preloading commercial software and equipment with backdoors, supply chain security has become a hot topic. The Obama administration has been quite vocal in expressing concerns about the equipment manufactured in China, and some of the most popular Chinese brands, including Huawei and Lenovo, have been banned in European and Asian countries for the same reason. But as it turns out, China is not the only country walking through network backdoors and supply chain vulnerabilities to commit state-sponsored cyber-espionage, and the U.S. is not the only nation reacting to supply chain security risks as we covered recently here on HackSurfer.
Silent Backdoor Imbroglios
The world has always feared China’s progress in the fields of science and Information Technology, not only because developments in IT would fuel the already booming Chinese economy while the rest of the world has to play catch-up in trying economic times, but also because these capabilities in the wrong hands would be good enough for stealing the trade and defense secrets of nations that rely heavily on cyberspace in the modern era of the ‘Digitization of Everything’.
The power and dominance of China’s Information and Communications Technology (ICT) manufacturers Huawei, ZTE and Lenovo have made governments and intelligence agencies elsewhere nervous to the point of paranoia. Governments are investing millions in clean-up efforts in replacing supposedly vulnerable networking devices and computers.
However, revelations from Edward Snowden also suggest that the governments most vocal against supply chain espionage campaigns are themselves planting backdoors into some of the most widely used commercial cryptographic software solutions deployed globally. News has broken in the tech blogosphere that the government intelligence agencies NSA (US), FRA (Sweden) and GCHQ (UK) have deliberately made corporate, government and individual internet users vulnerable to cyber-espionage by subverting the global IT infrastructure.
Although U.S. government personnel acknowledge (to some extent) the mass surveillance programs on domestic citizens and foreign networks that Snowden revealed, analysts believe world superpowers will continue to conduct cyber-espionage:
“Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?” Bruce Schneier writes in The Guardian post, “The US government has betrayed the internet. We need to take it back.”
Global Efforts in Supply Chain Security
It seems the rest of the world is going to great lengths to eliminate supply chain security risks. Some have even set their sights on the pre-digital era, when spying only involved physical eavesdropping on secret conversations and when state secrets were recorded on paper and locked in well-protected vaults, away from the reach of traitors and foreign spy agents.
Russia is the first to make such a move, resorting to electric typewriters for the production of government documents. The Federal Guard Service (FSO), the security agency in charge of safeguarding President Putin’s communications, has planned to spend £10,000 on electric typewriters such as the German-made Triumph Adler Twen 180 that were popular in the 1980s. Russia’s defense, emergency and special services ministries are already using these primitive methods for creating documents, for obvious reasons: “After scandals with the distribution of secret documents by WikiLeaks, the exposés by Edward Snowden, reports about Dmitry Medvedev being listened in on during his visit to the G20 summit in London, it has been decided to expand the practice of creating paper documents,” according to a source linked with the FSO.
The country has also initiated the National Software Platform to reduce dependence on foreign ICT manufacturers in a bid to reduce supply chain security risks. Following a similar strategy, India has also created policies at the government level that favor domestic ICT providers over foreign suppliers. Iran has completely banned the import of foreign software, as it takes supply chain security risks more seriously following damaging cyber-attacks on its nuclear program – think Stuxnet.
Australia, New Zealand, Britain and the U.S. have also banned computers produced by Lenovo after discovering hardware and firmware backdoors in the products supplied by the Chinese manufacturer. At the same time, China has enforced policies under its Multi-level Protection Scheme (MLPS) requiring software developers and ICT equipment suppliers to its government to be Chinese citizens or legal persons.
But no matter how strict, conservative or primitive the security measures, the world will have to face supply chain security risk as a fact of life. Primarily, this is because the world superpowers – the U.S., China, Russia – and even the emerging cyber powers – India, Iran – will continue to undermine the fundamental social contract of the right to privacy in order to facilitate spying campaigns. Secondly, individual software developers and manufacturers producing ICT equipment will also continue to plant backdoors in their systems, for monetary gain or perhaps under government pressure.