In this episode of the podcast (#167): two stories this week – one from Pittsburgh and one from New York – have highlighted anxiety about Chinese-made cameras and other security gear deployed in U.S. government agencies and in cities and towns. We’re joined by Terry Dunlap, the co-founder of ReFirm Labs, to talk about why software supply chain risks are real – and growing.
These are times of rising international trade tensions, as the U.S. and its chief rival China impose sanctions on each other and hold on-again, off-again talks. In the meantime, the U.S. Congress has been aggressive in calling out the Chinese threat to domestic businesses. It has also taken action: using the most recent National Defense Authorization Act (PDF) to ban the use or procurement of telecommunications and video surveillance services or equipment from a wide range of vendors from mainland China, including Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company and Dahua Technology Company.
That decision followed years of warnings from security professionals about security vulnerabilities, back door accounts and suspicious patterns of behavior from cameras and other technology manufactured in the People’s Republic of China. But two stories this week suggest that simply ordering the U.S. government to swear off Chinese hardware is easier said than done.
Witness the scene in Pittsburgh, where Allegheny County District Attorney Steven Zappala bought cameras made by Dahua and deployed them throughout the greater Pittsburgh area. That deployment includes cameras at Fifth Avenue and Craig Street in Oakland, an intersection that gives the cameras a view of Carnegie Mellon’s Software Engineering Institute, which has a $731 million contract with the Air Force, and the Rand Corporation, which does millions of dollars of work for the Departments of Defense and Homeland Security.
Or consider the newly unveiled case involving the principals of a New York firm, Aventura Technologies, which made tens of millions of dollars selling “Made in America” surveillance cameras, body cameras, turnstiles and other security equipment to the U.S. military, the Department of Energy and the Treasury, among other government agencies. The cameras, branded as made in America, were actually made in the People’s Republic of China.
To understand the threat that software and hardware from China poses to organizations here in the U.S., we invited Terry Dunlap of the firm ReFirm Labs back into the Security Ledger studio.
Terry is a former NSA employee who specializes in firmware security. It was his research into Dahua that exposed the suspicious behavior of that company’s cameras, eventually leading to a U.S. government ban on the technology.
In this conversation, Terry and I talk about the news from Pennsylvania and New York, the ways in which vulnerable and insecure hardware poses a risk to security-conscious organizations and what companies can do to address supply chain risk within their network.