Trump declares emergency over IT threats

(bbc.co.uk)

33 points | by jfk13 100 days ago

11 comments

  • Someone1234 100 days ago

    > The president signed an executive order effectively barring US companies from using foreign telecoms believed to pose a security risk to the country.

    So let's just back up a little: A Chinese equipment manufacturer left a telnet daemon running on a single version of a single device and a national emergency is declared, Cisco leaves SSH credentials (public and private keys leaked) hard coded into multiple generations of routers over several years and not a peep..?

    When is the US going to tell us what these Chinese manufacturers are up to? Heck when are they going to tell the UK's own security services? Just telling us why we should be concerned seems far more productive and effective than their current strategy that is marred by accusations of protectionism.

    I'm not even saying the US are wrong. I am saying the lack of specific technical information undercuts their whole position.

    • jplayer01 100 days ago

      I've repeatedly seen a lack of interest in geopolitical issues on HN. This whole thing is akin to "Should the US be reliant on a hardware manufacturer that can be considered a non-independent subsidiary of the Chinese government?" Replace Chinese with Russian, Iranian, North Korean, Saudi Arabian, etc. These are all countries, like China, that would love to have that kind of potential leverage and power over US infrastructure and political processes because of the benefits these would bestow.

      I've said in a recent comment: It doesn't matter if Huawei is entirely innocent right now. China is a major competitor to the US as a global power - militarily, politically, economically. If people think they wouldn't at some point in the future use Huawei's ties deep into cellular infrastructure to serve China's needs, they're incredibly naive.

      Hell, none of this is unprecedented. The whole debacle with all the ties between Republican representatives or people in Trump's campaign and Russia alone should give pause. Or Russia's meddling in the US election. Or Russia's meddling in Eastern Europe (Ukraine wishes somebody would give a geopolitical shit right now). And somehow Huawei, and by extension China, are supposed to be impartial and innocent and not a potential threat? Really?

      • wahern 100 days ago

        If the U.S. were serious about any of this they'd be funding initiatives for open, verified hardware and software. Other than INRIA, the French research group, and CSIRO, from where seL4 comes, where else is this work being done?

        I don't just mean theoretical work. I mean production ready stuff that is useable, like most commercialized solutions are, but also actually secure. Doing both is difficult. seL4 is useable and in fact is being tested in U.S. drones. Why didn't the NSA do something like seL4? Instead we get seLinux which isn't even secure--anything running on Linux is as a practical matter exploitable on the first day it ships.

        Our communications and control systems are so fundamentally insecure it hardly matters whether it's sourced from Huawei or not--it's six of one or a half-dozen of the other, except one of those cartons is at least substantially cheaper than the other.

        The fact of the matter is that the commercial industry will never develop and deliver secure products on their own. They've never done this well, and are probably fundamentally incapable of doing so because most of the benefits of a secure product inure to the public generally. Commercial vendors can't capture the value provided by secure solutions. It's up to the public--government, academia, open source community, etc--to invest in and develop the fundamental building blocks of secure systems.

        Importantly, the entire stack doesn't need to be secure. We can write secure networked systems for the Internet because we presume the network is hostile. There's no reason that cellular radios should be a trusted component of a wireless cellular network. They are because (1) it's just cheaper to do it that way (see above) and (2) the U.S. government spent decades sabotaging cryptography generally and cellular standards specifically, which means even 5G standards are fundamentally broken from a design perspective.

        So the whole Huawei controversy deserves a giant eye roll. All of the arguments about why Huawei can't be trusted are irrelevant. Huawei shouldn't be trusted, but neither should Qualcomm or any of these other vendors. Rather, we should set transparency standards and verify that they're being met. But doing so requires a ridiculous amount of work up and down the software and hardware stack, starting from the design stage; work that the U.S. government isn't actually doing but, in fact, still sabotaging!

      • rst 100 days ago

        The US government has been murmuring about security risks of Huawei gear for years now, mostly without citing any particular technical threats. The report of the open telnet server was the first thing a lot of us have seen which gives technical substance to those complaints, but it almost certainly didn't motivate the policy response -- which was, in any case, a continuation of pressure tactics that were already underway, domestically and overseas. For example, Michael Hayden, former head of the CIA and NSA, was publicly calling them a security risk as far back as 2013.

        Timeline: https://www.computerworlduk.com/security/huawei-controversie...

        • 0xDEFC0DE 100 days ago

          This is most likely just a political action to put pressure on China. They don't really care if it's hypocritical.

        • koube 100 days ago

          The title (written by the BBC) seems to be ambiguous. This is not about hardening US computer systems, this is about banning US companies from using Huawei 5G technology. The United States has been lobbying other countries to not use Chinese 5G technology for a while now, while it doesn't seem like there are currently any viable alternatives. This makes it a nation-wide ban.

          • marsrover 100 days ago

            This is great news. The lack of the government seeming to care about national IT security has been bothering me for years now.

            • jfk13 100 days ago

              Are you sure it's about national IT security, and not just about sticking it to China because we're in a trade war with them?

              • shdh 100 days ago

                Huawei has set a historical precedent of being a bad actor in regards to corporate espionage. How outlandish is it to think that they would also be participating in national espionage for the Chinese government?

                • lostmsu 100 days ago

                  Can you point to a specific example? Why was banning not done via the standard arbitrage?

                • threatofrain 100 days ago

                  How sure are you of a framing which separates information security from economic conflict?

                • joeleisner 100 days ago

                  I remember watching a video about how old/antiquated the technology used by the IRS is (i.e. a behemoth computer system built in the 60's)... Our government's IT infrastructure needs a massive overhaul.

                  • Leary 100 days ago

                    Who's gonna build real 5G in the US?

                    • Zenst 100 days ago

                      I've always been surprised that Qualcomm is not more active in this field. Though they recently had some home hotspot 5G coverage kit, and do a lot of work with Nokia. So who knows.

                      • kingosticks 100 days ago

                        I'd like to know this too. Presumably both Ericsson and Nokia are also foreign telecoms companies, so who does that leave?

                        • sdinsn 100 days ago

                          Just to be clear, since the article isn't: the EO does not ban products from all foreign companies, only foreign companies who "poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States" (Direct quote from EO).

                          So Ericsson, Nokia, Samsung, etc. will not be affected.

                          • kingosticks 100 days ago

                            Ahh OK thanks for clarifying that. So by 'foreign' they really mean 'Chinese', and it becomes a little less crazy.

                          • Shelnutt2 100 days ago

                            Samsung is Korean, Alcatel-Lucent was French but now is part of Nokia. Nortel was acquired by Ericsson.

                            Cisco makes some backbone equipment. They were trying hard to sell an LTE "virtualized" core when I previously worked at $wireless_telco, but Cisco does not make RAN components.

                            The only US based company I know of that has licensed products in production use by a major telecom is Airspan [1]

                            [1] https://www.airspan.com/

                          • Chris_Chambers 100 days ago

                            Hopefully no one, ever? 5G is obviously a weapon pretending to be innocent data transfer tech.

                          • Zenst 100 days ago

                            "The president signed an executive order effectively barring US companies from using foreign telecoms believed to pose a security risk to the country."

                            "Mr Trump does not name any company specifically in the order."

                            I'm guessing they are called emergencies as they wait for the threat to emerge. Which kinda seems at odds with my definition of emergencies - which would be a defined clear-cut issue that needs addressing.

                            All this effectively does is hurt and curtail legit business with fair and good foreign telecom providers who have now been bundled via red-tape into the same collection as those unnamed less fair and good foreign telecom providers.

                            Expect a fall-out of how this will hurt and impact legit businesses over the coming days and weeks. Let alone touch upon the possible impact upon Americans using their provider SIM and roaming abroad.

                            • basicplus2 100 days ago

                              Every country should design and manufacture its own internet infrastructure (and be owned and controlled by its gov) as a free, level, secure playing field for the benefit of all of its citizens.

                              • supergirl 100 days ago

                                Is he banning every electronic that is made in China? Pretty sure even if Huawei is banned, Chinese made equipment is still used in 5G.

                                • Leary 100 days ago

                                  I'm throwing out my PC now.

                                • drivingmenuts 100 days ago

                                  A whole bunch of sound and fury, signifying nothing.

                                  • CryoLogic 100 days ago

                                    Does this include Russian vote hacking?

                                  • tempsolution 100 days ago

                                    Sounds good. In reality this likely means Trump will abuse this power for some absurd changes and surveillance.