> "We cannot afford to maintain critical dependencies that could become a weapon against our interests,"
Like Russian oil?
Reliance on Chinese telecommunications equipment maker Huawei could end up costing Germany's state-owned rail operator Deutsche Bahn upwards of €400 million if a rip-and-replace order is issued. According to internal documents obtained by German mag Der Spiegel, Deutsche Bahn, which has invested heavily in Chinese network …
Or Microsoft, Cisco, Intel, AMD..
At least some risks can be mitigated, if you have dual-suppliers, but that's expensive and non-trivial. So maybe there are core, critical risks in processors or microcontrollers that affect Intel, AMD or ARM. Or their microcode, or OS. Oops, please apply this critical patch now.
I think one of the biggest risks actually comes from serialised components and DRM. Back in the good'ol days, if you anticipated supply shortages, you could stockpile spares in warehouses and swap stuff out at will. That de-risks events like Covid or shipping disruption delaying spares availability. But it that gets a whole lot harder if interface modules need to be paired with authorised devices, then registered on some licence/authentication server, somewhere that may be unreachable.
Biggest risk with a supplier like Huawei was that China just slapped on an export ban. Sorry, no more tin for you. Sneakier risks were potentially less risky, ie if you've designed a secure network with no public access to the control plane, you can limit the risks. If Huawei wants a 100Gbps link to their NOC as part of the support contract, you.. perhaps question why they need all that capacity? In the good'ol days, those types of access for suppliers might have been via out-band connections that had to be physically connected before vendors could get at your console/craft ports. Now, it's 'make sure all these virtual ports are enabled so you can connect to our licence servers across the Internet, or it'll stop working'.
Governments attempt to prevent this by creating security standards, but that doesn't always help when vendors are unwilling to offer kit that's actually secure.
"We cannot afford to maintain critical dependencies... "
AFAIK Huawei kit has been extensively investigated, and while found in some cases to be buggy and insecure there was no evidence of any backdooring. So 'rip and replace' makes no strategic sense. If you want to do away with Huawei kit, just stop buying it (and if you want to be free of critical dependencies, maybe buy Nokia or Ericsson kit rather than Cisco... ). The Huawei kit will become obsolete and need to be replaced in a few years and you can wean yourself off the dependency at very little additional cost.
But the noise to go down the rip and replace route is being very heavily pushed from the US. Strangely they stand to benefit from increased sales of equipment under US brand names that are manufactured in the Far East or if not, primarily use components manufactured there.
I certainly have no confidence that the US government does not have security loopholes that permit access. The simple assumption is that Chinese = Bad, US = Good. That could very easily change in the future to be India - Bad, US = Good. Rewrite according to the latest country that is perceived to be a threat to the US.
Does the kit have to be extensively investigated every time there is a firmware/software update, or do users just have to suck up no updates or patches?
It depends, and can also get very expensive. There is some formal specification, eg-
https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
and the rest can depend on any requirements by regulators, official bodies or how much you can squeeze out of the board for your ITSec budget. But previously when I did officially secure networks, the design had to be signed off and that was generally the same as for EAL approvals. So certification would be based on the specific design and implementation, including hardware, firmware and software revisions. So not updating anything meant you didn't break your security certification. For vendors, every update or revision should mean resubmitting their stuff for EAL validation, which is a slow and expensive process. One of Checkpoint's engineers told me it cost around $5m each time.
So it can be FUN! designing those types of networks. It also gets harder as vendors move to SaaS and expect holes poked through the security perimited to permit access for licensing, telemetry and ad serving. Especially when you think you've got a locked-down system and then the next update decides to re-enable features, like trying to find Xboxs or 'YouPhone' on your secure network. Then again, finding Xboxs or TheirPhone on your network when they shouldn't be there is also part of the security design. It gets ever more challenging to design secure networks as IT 'evolves' to make bloatware ever more 'feature rich' and insecure. Oh for the old days where you could run IOS10.2 on a locked down, locked away router, guarded by a pack of hungry leopards.
The challenges are also why there's so little high-level EAL kit, eg-
Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis. The Tenix Interactive Link Data Diode Device and the Fox-IT Fox Data Diode (one-way data communications device) claimed to have been evaluated at EAL7 augmented (EAL7+)
which could be a V.24 connector with either pin 2 or 3 removed and the shell filled with epoxy. This works, kind of but only if there's a secure control/data plane seperation along with a physical craft/console port that can be secured. Then finding a current laptop or mobile terminal that still has a trusty serial port on it..
If Chinese kit had back doors I'm pretty sure someone would spot it and why would they risk it? China isn't a truly communist country anymore and makes money on exports. Why would China risk it's credibility in the world for a backdoor in networking kit? I'm also pretty sure any country can force companies in their jurisdiction to do whatever they want them to do. China just doesn't hide that fact. Anyone remember prism? All this is purely about who takes the money for networking kit and China is way ahead on that.
It never fails to astound me how on the internet people struggle with basic English comprehension. It may not be your first language, I don't know, however the article and my comment relates to hardware sold by the Chinese and not malware that we have zero proof was planted by the Chinese other than the standard media response to these things and the countries they automatically blame, the mighty axis of evil, Russia, China, Iran and North Korea who don't even have proper internet. Do people not proof read their own comments or is it like some knee jerk reaction where you think you can prove someone wrong so you go for it without actually thinking about what you are posting? I'll never understand it.
It's not sniping it's correcting your obvious mistake. You were the one that made it, not me. Don't' be upset. Just learn English comprehension and you'll be fine. Why am I "anonymous"? Well that's a good question. I've been anonymous on this site since about 1995 (I worked in IT at the time and wanted to keep up to date with everything IT related, I've also had multiple accounts so forth and so on) and the reason for that is I want to gain honest and thoughtful responses to the things I post that are not influenced by things I have previously posted. I did try posting without anonymity for a while but it's not for me. So you see me posting as anonymous has no ulterior motive it's just how I like to do things and I'm glad I can. I also don't take the piss with it. I'm currently on 13.5k Vs 2.2k votes which I really don't care about otherwise I wouldn't be anonymous. If I was to add up my pervious accounts I would have a gold badge as some of my comments have featured in articles on a few occasions but I am not here for glory. I want honest answers and opinions to what I post and I put that above everything else so I'll continue to be anonymous. Do you have a problem with that? Just to be clear as I know your comprehension isn't that great. This is a snipe as was yours. Mine is just written better. Have a wonderful day darling.
... is already suffering from a serious lack of investment in Germany's infrastructure.
Not a good time to discover a bunch of other unfunded capital costs.
I would hope that as the railways have been around since before GSM-R that they have a backup in place should it fail or at least a contingency plan. Killing the train network during a time of war would be a big deal but at other times it would just be an inconvenience from my understanding besides how long could they actually bring it down for? The other point is the moment they do everyone else would turn the kit off where ever it is and they would lose any other opportunities. I find the whole notion of hacked Chinese tech to be very under analysed by the press. It's like a one sided argument that China is bad and China has law that allows snooping etc.. which every other country in the world can and do anyway.
"I would hope that as the railways have been around since before GSM-R that they have a backup in place should it fail or at least a contingency plan."
/sta
For the most part, no they don't. The old infrastructure before the introduction of digital train/block control was pretty much still mechanical relay interlocks and token/staff interlock systems. The vast majority of this infrastructure has been removed and what remains is no longer operational and kept mostly for historical/preservation reasons.
@abend0c4
I doubt there is one countrry not suffering from a serious lack of investment in infrastructure but your link referes to the "world competitiveness ranking".
And that you can ponder about here.
https://www.imd.org/centers/wcc/world-competitiveness-center/rankings/world-competitiveness-ranking/
Despite all sorts of official statements, there is no more proof of Chinese state interference than there is of US governmental interference in their industries...
The actual reason for all of this is the US seeking some ways of harming Chinese businesses without falling foul of free trade rules. If any government wants firms in their country to join in this scam to placate the USA, they need to pay the companies for this.
I am more concerned about being monitored by big businesses, especially US ones, than Chinese spooks.
Quote
"Um, I think you'll find much more US interference in EU industries than Chinese. It started in 1945"
I suspect US interference in european industries started about 4 year prior to that
Although back then it was in everyones best interests that european manufacturing got taken out .......
There are other sectors where I have my suspicions along similar lines.
HV circuit breakers in particular. One Chinese outfit I know are now making a blatant copy of Siemens systems. So good is the copy in fact, that casting errors in the source unit have been copied.
The first few examples of these arrived recently and all share the same casting errors.
Besides shit build quality and IP piracy, documentation is basically a joke; just plain wrong in most cases. It would not surprise me if the software is also deliberately backdoored though I need to get one of these units in a test stand to prove that.
Now can we please be done with it and revise procurement law so we don’t have to buy this shit?
The difference being the Siemens one they'd take back immediately and offer a replacement.
Whereas the Chinesium copy is "correct" in the minds of the copier.
The procurement issue specifically is that for high value publically funded tenders one cannot "exclude" suppliers on past performance; and nor can you take a "more expensive" option when the lesser one (allegedly) does the job.