Wireless

The “Dumbing Down” of Backdoors Is Dangerous to Our Security

 By: Scott Jamar, Vice President of Industry Relations, Huawei Technologies USA

 

The world’s roughly 5 billion[1] smartphone users probably don’t think too much about the behind-the-scenes effort it takes to keep their networks running 24/7. Nor should they really have to. That’s why the mere suggestion of a potential threat to those networks, intentional or not, is cause for serious alarm.

And then, there are backdoors.

A backdoor is a means to access or perform operations on a computer system or data that bypasses the system's customary security mechanisms. It can be a means to unauthorized, undocumented access for illegitimate purposes that bad actors could use as a means of attack or as a mechanism to access network data.

While an unauthorized backdoor is a serious issue, it is just one of hundreds of potential threat vectors that should be tested for as part of a comprehensive cybersecurity strategy.

Which brings us to testing and reliability.

For example, carriers have a federal mandate to maintain 99.999%[2] uptime/reliability. This ensures reliable availability for emergency responders and other critical services. What goes into maintaining that high level of reliability? Testing. Lots and lots of testing.

Many of the larger carriers have entire teams devoted to testing just the security aspects of networks, which are separate from planning and operations. Additionally, because of the complexity of security testing, operators often contract out certain tests to other companies, like penetration testing and regulatory compliance audits.

And though each carrier has a slightly different approach in their testing methodology, the end result is the same: pass or fail.

This may come as a big surprise, but it’s not at all uncommon for new products to generate a “failed” result since bugs are almost invariably found. The test engineers then generate a report and send it back to the vendors to resolve any problems. After that it’s back to square one on the test bench, rinse and repeat until it passes. This process could take two to six months to complete.

When it comes to reliability and security, carriers allow themselves plenty of time to make sure everything is 100% tested and reviewed.

Once the hardware and software have passed the intensive testing regimens, the test engineering staff use that final configuration as a master file for each type of device to be installed. Each will have its own locked-down configuration files, which are uploaded before deployment, and those master files are locked well away from general access. Only a few engineers are allowed access to them.

These networks are then fully secured with different layers of security mechanisms such as firewalls and authentication (strong user names and passwords), as well as organizational policies and processes.

Ultimately, access to any equipment once it’s in the operator’s live network is strictly controlled. Access for legitimate purposes requires many authorizations, monitoring, and tracking of every keystroke.

When it comes to software, there’s also extensive testing. Unlike your cell phone, carriers do not allow automatic software updates. That would be completely irresponsible and probably catastrophic. Even with your cell phone, you can decline the update until you feel comfortable allowing it to download and install on your device. Many people wait days if not weeks (or more) to install an update on their phones in order to hear what others have experienced with it.

With each software update from vendors, carriers go right back to square one testing, which takes weeks or even months to be certified to work with all the other third-party equipment running in their network, then locked down and distributed to the field for installation. Widespread testing for vulnerabilities (and bad coding) is even more critical when you consider that the supply chain for most of today’s electronic equipment is fully globalized.

However, to suggest that the excellent scientists, engineers and technicians who ensure you have dial tone and broadband access 24/7 are going to be easily fooled by either willful or unintentional breaches or backdoors in their networks severely discounts their skills and expertise.

Here’s the best approach to security: view all networks as a potential risk. Our national network security should be of paramount concern to all stakeholders, and we are all stakeholders when it comes to data privacy and security. In today’s technology-driven global supply chain ecosystem, we must ensure risk-based approaches are applied to securing our critical infrastructure and that “trust through verification” is the only acceptable way forward.

It’s actually a good thing that backdoors have received so much attention lately. It’s helping spur a conversation around a comprehensive, global cybersecurity policy, which is adhered to by all nations and stakeholders.

We now need to turn this conversation into action by developing strong processes and procedures that will help secure the national telecom infrastructure both here in the U.S. and around the world.

 


 

[1] https://datareportal.com/reports/digital-2019-global-digital-overview

[2] 5 9‘s reliability equals a total of 5.26 minutes downtime per year: https://en.wikipedia.org/wiki/High_availability.

The editorial staff had no role in this post's creation.