Edward Amoroso, the former Chief Security Officer of AT&T, has claimed that US President Donald Trump’s decision to ban Huawei products is misguided. Amoroso, who left AT&T in 2016 to found TAG Cyber, a cyber security research and consulting business, argued against the reasoning behind the ban in a LinkedIn blog article:
If the Chinese – or any other offensive actors – decide to attack our infrastructure, they will not do so using Trojans. Rather, they will exploit vulnerabilities of our own making.
Last month President Trump barred American firms from using kit made by companies deemed to pose “a risk to national security”. Separately, the US Department of Commerce added Huawei to its Entity List, which bars American companies from doing business with the listed firms without official permission.
Amoroso goes on to explain his reasons for taking this controversial position:
I believe it is naïve to think that rigged code is required to attack the telecommunications infrastructure of any nation. And it makes no tactical sense to think that using hidden Trojans from a complicit vendor is even a good choice to accomplish such a goal. People like me, who have devoted their entire lives to securing telecommunications, know that better offensive options exist that can be exploited with low cost and non-attribution.
Nevertheless, vendors shouldn’t be allowed to insert hidden code with impunity, he says.
Such practice, even in the form of Easter Eggs, should be considered unacceptable under all circumstances. To that end, supply chain managers should include terms in all contracts that specify consequences if Trojans are disclosed (perhaps by insider snitches). This approach doesn’t solve the problem, of course – but it can help.
He says that there are “many, many superior ways to accomplish such an attack that are easier to perform and much less obvious to detect” than intercepting or snooping on traffic via a backdoored router. The far greater threat, he argues, is an attacker gaining a foothold inside an organization’s internal systems and escalating privileges from there:
You might know the term advanced persistent threat or APT. This is a designation for the process of finding unprotected access to a company (usually with a phish) and then lurking around, finding interesting stuff, and gaining privileges. I am certain that virtually every small telecommunications company in the US is vulnerable to this threat. And it is precisely how China would choose to attack (including nabbing US intellectual property – hint, hint).
There may be other reasons for the ban, Amoroso suggests:
Look – if Trump’s move is purely political, and is intended to punish the Chinese for their IP theft, then we should just say so. My guess is that many observers, including me, would agree that some sort of stiff action is clearly warranted. But if the suggestion is being made that avoidance of Huawei products will make the United States more secure against advanced cyber attacks to telecommunications, then I feel obliged to refute this claim.
Amoroso proposes a threefold solution:
What we need instead is a national initiative toward the following, which I’ve repeatedly tried to communicate to the President (I feel like Father McKenzie writing the words to a sermon that no one will hear): (1) a program for more youngsters to study computer science in return for government service in cyber; (2) an accelerated program of Zero Trust Security for all civilian agencies; and (3) agreement to use one compliance framework (I vote NIST).
Granted, these three initiatives will not magically fix our security weaknesses. But they will improve our posture, and will lead our adversaries to see that we are shifting onto the right protection track. In contrast, we have this nonsensical order about supply chain – which, by the way, would seem to complicate legal use of the phone Trump tweets from. The Android code on his phone almost certainly includes open source submissions from Chinese citizens.
Amoroso also warns that China might retaliate in kind, leading to a situation that benefits no one:
What would stop the Chinese from issuing their own directive that software such as the Windows operating system or MacOS represent serious national security threats to China? They could resurface silly, debunked theories of US Government entanglements (such as the _NSAKEY story) to justify such action. This could quickly escalate into a high-tech war with all losers and no winners.
Amoroso concludes that more nuanced leadership is needed in the White House, coupled with a clear understanding of the technical issues at stake:
In my expert opinion, this recent executive order makes no technical sense and does not make us more secure.