Buying from the enemy

The apparent FBI focus on the threat potential in counterfeit gear is at best a useful first step and at worst a serious mistake. Given national government resources and a strong anti-American, anti-western agenda, the same people who might have been using the counterfeits for their own purposes could just as easily use the real thing - and run lower risks of detection in doing so.

Last week ZDNet bloggers Richard Koman and Michael Krigsman independently responded to the news that the FBI has been pursuing a major criminal investigation into the sale of counterfeit IT components - particularly Cisco routers.

As part of his report Krigsman reproduces an FBI PowerPoint presentation outlining the investigation - and if you haven't seen this, you'll probably find it worth the time to look at it now.

I believe that this presentation was first brought to public attention by someone signing as "mister.old.school" and presented on the abovetopsecret.com conspiracy theory site under the title FBI Fears Chinese Hackers and/or Government Agents Have Back Door Into US Government & Military Computer Networks.

Mister.old.school starts his report with this paragraph:

Some months ago, my contacts in the defense industry had alerted me to a startling development that has escalated to the point of near-panic in nearly all corners of Government security and IT infrastructure. The very-real concern, being investigated by the FBI, is that either the Chinese government or Chinese hackers (or both) have had the benefit of undetectable back-doors into highly secure government and military for months, perhaps years. The cause: a high number of counterfeit Cisco routers and switches installed in nearly all government networks that experienced upgrades and/or new units within the past 18 months.

The counterfeiting problem is obviously serious. According to one slide the FBI believes, based on numbers from "the alliance for grey market and counterfeit abatement" and KPMG, that one in ten IT products sold is counterfeit - and you probably know, as I certainly do, people proud of gear purchased at improbable prices or with impossible specs. I antagonized an otherwise perfectly good friend a few years ago by unkindly pointing out that his 2.93 GHz Core Duo laptop was about 400 MHz ahead of Intel's PR announcements and a good 600 MHz ahead of anything actually in production.

The security concern is equally obvious - see the FBI summary slide.

Unfortunately I think that focusing on the threat potential in counterfeit gear is at best a useful first step and at worst a serious mistake. Given national government resources and a strong anti-American, anti-western agenda, the same people who might have been using the counterfeits for their own purposes could just as easily use the real thing - and run lower risks of detection in doing so.

Think of it this way: if you worked for the communist Chinese, had essentially unlimited resources, and wanted to plant gear or code into the American government and economy, you'd have no reason to use counterfeit gear when many of the components for the real stuff are made in factories you can directly or indirectly control, and much of the code is written or maintained by people you can buy for two nickels and a nice line in anti-western rants.

So what this comes down to is this: where the FBI is seriously concerned that some or all of this gear may be designed to function as one component in an attack on U.S. defence and business security, you, and they, should be even more concerned with legitimate parts and code built or written and maintained overseas - because, really, very few code users or parts purchasers have the technical means to ascertain exactly what those things can do.

And that's the bottom line: buy a PC or other component made in Asia and you really have no way of knowing what surprises the thing may contain - and if your financial services company depends utterly on millions of lines of COBOL written or maintained in Lahore, you'll probably find it cheaper and more effective to redo your architecture with entirely new applications than to try to figure out whether those off-shored applications now contain nasty surprises.

In general the right answer in dealing with these kinds of borderline nutty issues is to trust but verify. In this case, however, there's a rock-and-a-hard-place problem: the cost of trust could prove catastrophic, but the cost of verification is probably out of reach too - so what do you do? Dismiss the issue as paranoia so you can sleep better?

For most of us that may be the only practical answer - but before you opt for it, take a careful look at where your communications and processing infrastructure might be vulnerable, talk to your vendors and others in your industry who may have similar issues, and consider sampling and other strategies that would let you work with your colleagues and key vendors to determine how probable the existence of such surprises really is.
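The sampling strategy suggested above can at least be put in numbers before anyone pulls a unit off a rack. The following is an added example, not part of the original post; it assumes a finite delivery of N units with a known number K of counterfeits, draws without replacement, and an inspection (serial-number and firmware checks) that always recognizes a counterfeit once it is in hand, and it uses the one-in-ten rate quoted above as a constructed scenario.

```python
"""Acceptance-sampling arithmetic for a counterfeit-hardware audit.

Added example, not from the original post. Assumes a finite lot of N
units of which K are counterfeit, sampling without replacement, and a
perfect inspection of each sampled unit. Legitimate parts with hidden
functionality, the post's real worry, are invisible to any such plan.
"""
import math


def prob_all_genuine(lot_size: int, counterfeit: int, sample: int) -> float:
    """Probability that a sample of `sample` units contains no counterfeit.

    Hypergeometric C(N-K, n) / C(N, n), evaluated as a running product
    so no large binomial coefficients are ever formed.
    """
    if sample > lot_size - counterfeit:
        return 0.0  # more draws than genuine units: a counterfeit must appear
    p = 1.0
    for i in range(sample):
        p *= (lot_size - counterfeit - i) / (lot_size - i)
    return p


def min_sample_size(lot_size: int, counterfeit: int, confidence: float) -> int:
    """Smallest sample that surfaces at least one counterfeit with `confidence`."""
    target_miss = 1.0 - confidence
    for n in range(1, lot_size + 1):
        if prob_all_genuine(lot_size, counterfeit, n) <= target_miss:
            return n
    return lot_size


def min_sample_size_binomial(rate: float, confidence: float) -> int:
    """Infinite-population shortcut: smallest n with (1 - rate)^n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - rate))


if __name__ == "__main__":
    # Constructed scenario: a 200-unit delivery at the one-in-ten rate the post quotes.
    N, K = 200, 20
    print(f"Inspect {min_sample_size(N, K, 0.95)} of {N} units for 95% confidence")
    print(f"Binomial approximation: {min_sample_size_binomial(0.10, 0.95)} units")
    # Lower prevalence is far more expensive to rule out: 1 in 100 here.
    print(f"At K=2 of {N}: {min_sample_size(N, 2, 0.95)} units")
```

The sharp rise in required sample size as prevalence falls is the practical point: a plan sized for a 10% problem says almost nothing about a 1% one.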