My CCTV Camera is doing What?

In recent weeks a number of mainstream media outlets (ABC, Reuters, Defense Minister) have reported on (hyped?) the use of Chinese-made CCTV equipment in Australian Government institutions and the "recommendation" to remove and replace this equipment.

From a purely technical Cyber perspective, it is really disappointing that there has been a singular lack of explanation as to the RISK that this equipment actually poses to the security of the Organisations that have this equipment in place.

Fundamentally, all devices that are connected to a network pose a security risk - especially if there is an absence of appropriate network architecture, poor attention to patching and maintenance or a lack of understanding as to what each device actually does (and in some instances, how it does it)!

Before I spend too much time putting you all to sleep with techno-babble, let me be really clear - devices from Chinese-based manufacturers, installed in an appropriate manner, with appropriate protections, pose no more risk to an Organisation's data than a PC purchased from the local Harvey Norman store with a US-made Operating System (Windows) installed in a similar manner.

So why all the media hysteria and Government minister press releases with stories of x devices in location y needing replacement?

Simple - it's all about trust.

Devices manufactured in China are not necessarily subject to the same levels of independent scrutiny as those from other markets.  Additionally, all businesses based in China can be subject to Chinese Communist Party (CCP) intervention (mind you, this is not a unique situation, the US National Security Agency (NSA) has been known to lean on US suppliers for similar things - but we trust them!).

These two key considerations result in well-founded concerns that certain device classes may well be specifically re-firmwared (is that even a word?) to bypass normal levels of scrutiny/security and provide additional, non-core functions to specific people (i.e. they can have backdoors incorporated to allow for spying).

Does this mean that we should simply ban these devices?   Yes, No and Maybe!

Sorry, there is no simple answer to this! For certain environments where it is either not practical or would negatively impact on desired functionality, then yes - remove the device(s) and select a functional equivalent from a trusted manufacturer. For just about everyone else, be AWARE that the device may not quite do what it says on the label and ENSURE that your environment has a minimal attack surface and restricted blast radius from any such device. And for those in the third category (if you are a supplier to an Australian Government Department) watch this space, as there has been some noise indicating that risk mitigation will be required.

If you have any concerns regarding equipment within your network environment, please reach out to one of our Cyber assessors - we can certainly assist!