Los Alamos National Laboratory is ripping out devices made by a Chinese manufacturer citing security risks, but security experts say the move will do little to stop attackers set on stealing secrets.
"There is definitely been plenty of proof that the Chinese use the supply chain to their advantage," said Avivah Litan, vice president and distinguished analyst at Stamford, Conn.-based Gartner. "If you have a high security environment and you are concerned about theft of intellectual capital, you would be wise not to use Chinese equipment."
The highly sensitive government laboratory is reportedly removing networking switches made by China-based H3C Technologies, according to Reuters, which obtained a letter about the decision. H3C is a joint venture between Huawei Technologies Co. and 3Com Corp., a firm that was acquired by Hewlett-Packard in 2010. A security assessment focusing on sensitive networks prompted the move by the U.S. nuclear weapons laboratory, according to the letter.
China-based Huawei and ZTE have come under pressure following a report by the U.S. House of Representatives' Permanent Select Committee on Intelligence in October, which labeled the two telecom and mobile equipment makers a security risk. Executives of both firms have publicly dismissed the report's findings, citing their longstanding business in the U.S. and strong commitment to security.
Switches and routers are designed to direct network traffic. The devices can also collect logs and be coded to incorrectly send data to a centralized repository shedding details that an attacker can use to their advantage, said Jeff Vansickel, a senior consultant, information security and technology at Sudbury, Mass.-based SystemExperts Corp. The threat is a concern, especially for a sensitive government agency, but there is a greater risk that attackers will use other methods to gain access to sensitive systems.
NEXT: Los Alamos Decision May Be PoliticalMike Rothman, analyst and president of security consultancy and analyst firm Securosis, Phoenix, Ariz., dismissed the threat, calling Los Alamos' decision to take out the switches purely political. Rothman said the decision removes the agency from any negative political fallout that would happen if the agency experiences a high-profile breach.
"It's much easier to rip the gear out than it is to open yourself up for baseless political wrangling and maneuvering if there is some kind of breach," Rothman said. "In a lot of cases, it's easier to pay for someone on the inside or do some social engineering or other kinds of more traditional attacks than subverting the firmware on a network switch at the manufacturer."
Intellectual property theft has quietly become a serious issue at many companies following a spate of published reports of targeted attacks or advanced persistent threats that specifically target manufacturers and suppliers to infiltrate systems for extended periods to steal data. Cyberespionage came to light with the Google Aurora attacks in 2009 and later with the RSA SecurID data breach in 2011. Since then, Gartner's Litan and other experts say the extent of the problem is unknown because many firms do not publicly report when IP is stolen, but the issue is coming up more in conversations about how to mitigate the risks.
Corporate trade secrets, design documents and other sensitive data can give competitors a substantial advantage. It also creates an opportunity for manufacturers in China and several other countries to create and sell pirated products at much lower costs. The energy industry is especially aware of cyberespionage activity and safeguard documents outlining oil and gas exploration and partnership agreements.
"Technology companies, defense contractors and their partners up and down the supply chain are concerned about intellectual property theft," Litan said. "There are all sorts of theories out there about why these attacks are taking place, but no one really knows what the motives are."
PUBLISHED JAN. 7, 2013