Tuesday, 27 March 2012

Huawei 'banned' from Australian broadband project

Well, in a move reported by AFP, the Australian government has banned Huawei from the backbone project.

The issue comes down to poor design and, yet again, a focus on the symptoms.

One of the largest issues with information security is a failure to address the root issue. What is of concern with former intrusions into the government systems remains an issue whether we trust Huawei or not. For that matter, if we designed systems well, it would not make a difference if China’s PLA owned and ran the network pipes, even if ONLY China had access to and control of the routers.

Other than a DoS through turning off the systems, how could China attack? Such a DoS would be simple to detect and would lead to retaliation.

No, the issue is data exfiltration. This is the theft of secrets, information and data of value.

The concern here is that this is not an issue of who controls the network – IF we do this correctly.

In the Australian government case, where we have had many well-documented, severe compromises in many key systems, the issue is not even addressed through this move to make the people feel better.

There are two primary causes of the compromises:

  1. Malware on internal systems within the government.
  2. Poorly designed systems with unencrypted traffic over what are considered trusted but public networks.

Control of the network would have stopped neither attack scenario. What would have worked is better design and the effective use of encryption.

Right now, the Australian Commonwealth government is on a push to install IPv6 gateways. These are mandatory, and there is not a lot of time remaining before they need to come into active use. Done correctly, IPv6 with mandated IPsec could be used to create secured, end-to-end encrypted tunnels. If this was done, it would not make a difference who ran the NBN or any other network, as sniffing encrypted traffic gains little.

The other issue is one of endpoint security, and no amount of posturing around who controls a server will make a smidge of difference from a network perspective.

Epidemiology

The science of epidemics and how to contain them has a strong parallel with information security. Just as we control and isolate people when they are infected with a communicable disease, so we also need to isolate infected systems (and, for critical networks, even possibly infected systems).

Well, we may start to become secure when we finally start to address the issues.

When we stop posturing around political brownie points and start to actually address the problem by creating solutions that really work.

We had a chance here, and with the NBN and more, but right now we see a system that is looking to the past for guidance and that will be obsolete before it has been completed.