Government now telling me what I can or can't buy?

TechGromit (A+, N+, GSEC, GCIH, GREM), Ontario, NY. Posts: 1,928, Member

The government banning the imports of products from Huawei is one thing, but to force businesses to remove all traces of Huawei equipment is quite another. I don't think the government should be allowed to tell you who you can or can't buy goods and services from in an open market. The federal government should have control over what suppliers federal agencies use, but to apply the same to state, local governments, not to mention businesses, is overreaching. While I agree that there is the potential for the Chinese government to leverage Huawei to perform espionage activities in some cases, wide-scale infiltration is pretty far-fetched; with packet tracers like Wireshark, it would be pretty easy to see if packets were being routed to unexpected destinations. If this is allowed to proceed unchallenged, I fear what bans would be enacted in the future. If a President with huge conflicts of interest financially isn't the cause for alarm, then what's next, an Intel CEO as the next President banning the sale of all AMD products? A pro-Coke President banning Pepsi? Where does it stop?

https://www.theverge.com/2019/6/5/18652769/huawei-china-security-rural-internet-rip-replace

Still searching for the corner in a round room.

Comments

  • PC509 (CISSP, CEH, CCNA: Security/CyberOps, Sec+, CHFI, A+, Proj+, Server+, MCITP Win7, Vista, MCP Server 2), Oregon, US. Posts: 775, Member
    That article hits close to home. That was my old ISP and I still have some of their equipment. Good local company. 

    I would be fine with future bans on imports (which happens now), but being forced to remove the equipment from existing infrastructure is too far reaching. 
  • JDMurray (Certification Invigilator), Surf City, USA. Posts: 11,503, Admin
    I'm assuming the NSA has some pretty good evidence that Huawei equipment in our present infrastructure is "reporting home." It is easy enough to monitor equipment to detect any unidentified communication between the device and some suspicious destination, but how many orgs are watching for that on a large scale with Huawei equipment? Will the NSA release information that makes it easy for Huawei equipment owners to detect this sort of thing?
  • mikey88 (CISSP, CySA+, Security+, Network+ and others). Posts: 471, Member
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • EANx. Posts: 1,078, Member
    The intellectual property of corporations is a national asset, many/most of them are totally clueless about the extent of the threat posed by China. Historically, China has done everything they can to get people in the right place for IP theft but Huawei has expanded that capability. The current situation is what happens when the focus is on the lowest price, people tend to forget that there's always a price to be paid.
  • Mooseboost (Senior Member). Posts: 775, Member
    Threats at the carrier level are a different beast. It isn’t as simple as just running Wireshark. We are not talking compromise of a workstation but more of the compromise of the infrastructure that the workstation leverages. Carriers don’t always have great monitoring in place as it is, especially smaller ones. I’ve worked in engineering for a telco and it is pretty scary how insecure the infrastructure is to begin with. It isn’t too far-fetched; our own government has done this type of mucking before. Look at the NSA placing backdoors in Cisco gear. The supply chain is absolutely a target and well within the reach of Nation State actors.

    I don’t generally support governments mucking in things like this but carriers can and absolutely will go with the lowest cost provider in almost every case. This is a bigger deal than “I can’t buy this router for my home”. Do I feel like a complete ban is warranted? Eh.. It’s much harder for me to side either way, I have mixed feelings. I do think what has to happen is a serious review in how we think about infrastructure in an age where everything is digital communication. 
    2020 Certification Goals: OSCE GXPN
    Blog: https://hackfox.net
  • jasper_zanjani (A+, Linux+, LPIC-1, Certified Associate in Python Programming (PCAP)), Tampa, FL. Posts: 61, Member
    It sounds like you are not very educated on the threat that Chinese intelligence poses, and the specific ties to Chinese intelligence that have been putting Huawei in the spotlight for a decade. I suggest you read up thoroughly, especially considering your chosen profession of cyber security, which one would think would make you more security conscious. I would hate to be in your shoes if an advanced persistent threat was discovered on your employer's networks having made a statement like this on a public forum.
  • kaiju. Posts: 402, Member
    So rewind back to 2008 when counterfeit Chinese-made Cisco devices/hardware started making their way into all facets of the US government. These devices/hardware were manufactured in the same Chinese Silicon Valley area, Shenzhen, as Huawei. Maybe in a few years we will get to see the evidence that has doomed Huawei.
    Work smarter NOT harder! Semper Gumby!
  • TechGromit (A+, N+, GSEC, GCIH, GREM), Ontario, NY. Posts: 1,928, Member
    edited June 7
    > It sounds like you are not very educated on the threat that Chinese intelligence poses, and the specific ties to Chinese intelligence that have been putting Huawei in the spotlight for a decade. I suggest you read up thoroughly, especially considering your chosen profession of cyber security, which one would think would make you more security conscious. I would hate to be in your shoes if an advanced persistent threat was discovered on your employer's networks having made a statement like this on a public forum.

    The same could be said of smoking: it's a well-known fact that cigarette smoking is bad for your health, the government warns you, but you're still allowed to buy cigarettes. Now the government can warn me that Huawei equipment may have security flaws or backdoors that may make my network unsecure, but shouldn't I have the right to ignore government warnings and buy it anyway, just like cigarettes?

    My views on this issue have nothing to do with my employer; there is no Huawei equipment that is part of my employer's network that I'm aware of. My issue is what right does a government entity have to tell me what I can or cannot buy? You can warn me all you want, but if I still want to ignore your warnings, then it should be my right to do so.

    Still searching for the corner in a round room.
  • jasper_zanjani (A+, Linux+, LPIC-1, Certified Associate in Python Programming (PCAP)), Tampa, FL. Posts: 61, Member
    It is a basic ethical principle that when a decision affects the safety of others then the principle of purely selfish preference is inappropriate. In the case of information security, as I'm sure you could attest, unpatched or misconfigured networks and machines aren't merely a threat to the people who operate them directly. If they become infested with malware or are used as hop-points for more sophisticated actors to run DDoS attacks or botnets then clearly it's much more than a matter of personal preference. Let alone if they are actually designed with backdoors with the intention to be compromised by hostile state actors like the Chinese intelligence services who have been stealing our technology for decades.
    You bring up smoking, but I would compare it to anti-vaxxers who refuse to get common vaccinations for their children and then become carriers for diseases that endanger the public. Even accepting your comparison with smoking, is it not true that second-hand smoke has been recognized for decades as a cause of cancer, and that is why people are not allowed to smoke within most establishments or government buildings? In these cases, the government certainly has a right to enforce laws that deal with public health, and in the case of the parents of children who die, child neglect.