“Blame the Vendor” Distractions

Image: The Linux Foundation via Flickr / CC BY-NC 2.0

Beware of “blame the vendor” distractions. 

https://bsky.app/profile/rgblights.bsky.social/post/3ltshf3lvc22e

Rob Joyce posted this on his Bluesky account as a response to Alexander Martin’s article, “Spain awards Huawei contracts to manage intelligence agency wiretaps.” Both Rob and Alex are exacerbating “blame the vendor” fears when the real problem is more systemic and has nothing to do with where in the world the vendor builds or manufactures its equipment.

It doesn’t matter which vendor is deployed. China’s Special Agencies 1 & 2 in the PRC do not care (Special Agency 1 is the State Security ecosystem & Special Agency 2 is the PLA ecosystem). They now have the tools to gain access to the network. The ‘barn doors are wide open’ when ISPs/Telcos in the US (or anywhere in the world) do nothing to protect themselves. 

Look at Spain right now (see The Shadowserver Foundation dashboard on Spain): CWMP, Telnet, SNMP, FTP, and TFTP access to network devices is allowed. PAGE 1 in the Special Agency 2 (PLA’s) Ecosystem playbook is to target any organization with these protocols exposed to the Internet. Having these protocols open to the world means no one is watching the network. Threat actors are watching. Low-intensity brute force combined with “username/password breach intelligence” gets you into any ISP/Telco that leaves the barn door open to attack (assume threat actors have everything in Have I Been Pwned’s database).
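One way an operator can check its own edge for the exposure described above, as an added example that is not part of the original post: it evaluates a first-match ACL for each of the five management protocols as seen from an arbitrary Internet source. The ACL text format, the device addresses, and the probe address are constructed for illustration (documentation address ranges), not taken from any real network or vendor syntax.

```python
import ipaddress

# Management services named in the post, with their standard ports.
MGMT = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("udp", 69): "TFTP",
        ("udp", 161): "SNMP", ("tcp", 7547): "CWMP"}

# Constructed edge ACL in a hypothetical format, evaluated first-match:
# action  proto  source-prefix  destination-prefix  port ("any" = all ports)
ACL = """
permit tcp 198.51.100.0/28 192.0.2.0/24 23
deny   tcp 0.0.0.0/0       192.0.2.0/25 23
permit tcp 0.0.0.0/0       192.0.2.0/24 23
permit udp 0.0.0.0/0       192.0.2.0/24 161
permit tcp 0.0.0.0/0       192.0.2.0/24 7547
deny   udp 0.0.0.0/0       192.0.2.0/24 69
permit tcp 0.0.0.0/0       192.0.2.0/24 443
"""

def parse(acl_text):
    rules = []
    for line in acl_text.strip().splitlines():
        action, proto, src, dst, port = line.split()
        rules.append((action, proto, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), port))
    return rules

def allowed(rules, proto, src, dst, port):
    """First matching rule decides; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and src in r_src and dst in r_dst
                and r_port in ("any", str(port))):
            return action == "permit"
    return False

def exposed(rules, devices, probe="203.0.113.7"):
    """Management services on each device reachable from an Internet source."""
    findings = {}
    for dev in devices:
        hits = sorted(name for (proto, port), name in MGMT.items()
                      if allowed(rules, proto, probe, dev, port))
        if hits:
            findings[dev] = hits
    return findings

if __name__ == "__main__":
    for dev, services in exposed(parse(ACL), ["192.0.2.10", "192.0.2.200"]).items():
        print(dev, "exposes", ", ".join(services))
```

The probe stands in for one untrusted source only; a rule set that permits management access from a narrower public prefix needs that prefix tested as well.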

Remember, the UK demonstrated this with the Huawei Cyber Security Evaluation Centre (HCSEC). Various HCSEC reports led to the conclusion that “banning” a vendor does not guarantee security. Deploying Cisco, Juniper, Arista, or any other vendor does nothing to protect your network. “Protecting your network from State Threat Actors” requires a digital safety architecture combined with persistent and consistent daily work to lock down your organization from risk. 

“Blaming the vendor” is a distraction from the real problems. “Salt Typhoon” loves it when you “blame the vendor.” It means you are putting the ladder on the wrong wall and not focusing on the essentials.

One of those essentials is never to trust the vendor. It is not in their interest to protect your network. It is in their interest to protect their profit margin (I know this through experience on both sides of the vendor-operator dialog). Do you “trust” Huawei? No. As a network operator, you make sure you put in place architectural, procedural, and operational processes to protect your operations.

What are the essentials? Do not assume you know the essentials. Start with Ian Levy’s 2019 work, which, in my opinion, is required reading for anyone involved in ISP/Telco/Cloud/Network architecture: Security, complexity, and Huawei; protecting the UK’s telecoms networks.