Sharing “Cyber Secrets” with Russia?
Is There A Problem with This?
Yesterday Reuters had a headline article about how western tech firms share cyber secrets with Russia in order to sell their products in Russia. You can read the article here.
In my opinion: This is a sensationalized story written to fit in with the times. Here’s why:
- Western tech firms are not intentionally “sharing” cyber secrets.
- Tech companies will do essentially anything it takes to gain entry into a lucrative market. Always have, always will.
- Security functionality should only depend on a small set of secrets, such as a key that cannot be examined by anyone. Encryption algorithms, authentication techniques and security functions should not rely on being secret and as a matter of fact, if they are it is viewed as a bad implementation.
The Reuters story focuses on the current boogeyman country Russia, and mentions China. The Chinese government has an arguably tighter grip on the Chinese economy, is far more paranoid than Russia and is at least as aggressive in cyber spying. The Chinese market is so large that western companies will bend over backward to get into it. Here is an example:
All PCs have a little crypto processor called a Trusted Platform Module, or TPM. If you’ve ever used Microsoft Bitlocker, you’ve used the TPM on your machine. The TPM implements security algorithms developed by open standards committees, everyone knows what goes on in a TPM (or could know if they wanted).
China doesn’t like the TPM because they either don’t trust westerners to develop secure algorithms, and probably because the TPM has no backdoors, or ways for the government to get around the encryption. More specifically, the Chinese don’t like the security algorithms in the TPM.
Ok, now a PC maker doesn’t want to make a special motherboard for China only, or change their software to operate differently in China. You know what the solution was?
China devised their own TPM algorithms and had western PC makers put those algorithms in the Chinese market TPM instead of the open standards algorithms. The suspicion in the security community is that these algorithms have backdoors that only the Chinese government is aware of.
Western PC manufacturers will happily follow the Chinese government rules and implant spy devices on PCs meant for China. Most companies would be staunchly opposed to this suggestion from the U.S. government, arguing that they don’t exist to manufacture spy devices for the government. Yet that is what happens in China.
What is going on in Russia is nothing new, except apparently importing to Russia becoming more strict. You really can’t blame the Russians (or anyone else) for worrying about backdoors in western-built products, the stories about the NSA implanting secret access have been all over the internet. Companies are usually open to having a “trusted third party” examine their code and products to ensure no backdoors are present. This is not “sharing secrets” as the third party is severely limited in what they can disclose.
The Reuters article pointed out that Symantec ceased allowing code inspections because they did not trust the trusted third party, probably for good reason. The fear is that the third party was actually looking for security vulnerabilities as an agent for the Russian government. Indeed, if the third party is not trusted, the procedure does not work.
BUT, the interest of western companies is heavily weighted to protecting intellectual property rather than worrying about vulnerabilities in code. That is more likely the reason Symantec dropped out of the program. They are, after all, in the software security industry and if their code was broken well then their business is ruined. So in their case, hidden vulnerabilities are, in a sense, intellectual property to be protected.
Personally, I’d be happier if the U.S. government required such code inspection on imported products. We know spyware is implanted in Chinese-made items. This would simply become consumer protection, hey you can spy on your customers but at least disclose it. I doubt it’s practical, though, given the vast number of imported products to the U.S. and the dearth of interest in the government to seriously protect cyber infrastructure.
Posted in Cyber Security by Mark with comments disabled.