Why Openness and Transparency Pay when Buying Security
Why vendor blacklists, especially secret ones, fly in the face of everything we know about best practice in procurement and vulnerability detection
Procurement Discipline
The principles and benefits of open procurement, namely to “make public spending more efficient” and “promote integrity and equal treatment,” are set out in the EU public procurement Directive 2014/24/EU. It is well known that such best practices in transparency and accountability help reduce waste and graft while enhancing competition and value for money.
The EU’s guidance on improved safeguards against corruption recommends that deviations from or violations of public procurement rules should be reported, and that the results of any monitoring be made “available to the public.” Such best practices in transparency and accountability are now also applied widely in the private sector.
Openness and transparency are seen as levers for innovation, allowing fair competition that favours suppliers that are able to provide more for less, either by minimising their prices, or by maximising the value that they provide, or both.
Even in the most secretive niches, open competition has proved fruitful. Technology and cybersecurity companies that offer bug bounties have benefitted enormously as ethical hackers have helped them detect vulnerabilities before the cybercriminals beat them to it.
Traditional techniques like penetration testing services tend to generate a culture of fear and a tick-box approach to compliance, while bug bounties are more about creating a culture of openness, transparency, and responsibility. Even those companies that don’t offer bug bounties are encouraged to establish a vulnerability disclosure policy.
Blacklists backfire
Technology and telecoms firms have a vested interest in maintaining their operational integrity and security. They risk massive reputational damage and regulatory sanction if they get it wrong.
It is the operators themselves that procure, implement, and operate the technology and they, therefore, have the best overall visibility and control of their networks and systems.
Vendor bans, especially those based on a firm’s nationality, rather than on any known criminality, fly in the face of all procurement best practices.
Almost a year after the EU parliament voted in favour of banning Kaspersky Lab products, a review by the European Commission confirmed that there was no evidence that Kaspersky Lab products posed any national security risk. Similarly, despite pressure from the US to ban Huawei products from 5G networks, detailed testing of Huawei equipment has failed to uncover any sign of the alleged back doors.
And while products from companies like Kaspersky Lab and Huawei are among the most heavily scrutinised in the world, other supposedly ‘trusted’ vendors that get an easy pass are often more likely to represent a real security threat.
Vendors like Kaspersky Lab and Huawei have invested enormous amounts in R&D to improve their products, and in reputation management to counter the unfounded criticisms that they face.
These are therefore not the products or services that hacker gangs are going to target. Indeed, as the recent SolarWinds incident has shown, they are far more likely to seek to compromise the vendors and services that you trust most.
Starting with Microsoft Office 365, hacker gangs believed to be Russian are thought to have compromised the SolarWinds Orion IT monitoring platform, and we believe that this was how they then infiltrated major US government organisations. Indeed, the SolarWinds issue was discovered when another ‘trusted vendor’, the cybersecurity firm FireEye, set about trying to figure out how attackers had got past its own defences.
SolarWinds was trusted by a host of top public and private sector organisations worldwide - in the US alone its clients included:
- More than 425 of the US Fortune 500
- All of the top 10 US telecommunications companies
- All five branches of the US military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All of the top five US accounting firms
Belgian Blunder
Possibly the worst procurement example has been the 5G policy in Belgium, where the government has not only chosen to ban Huawei, simply because it is based in China, but has also drawn up a secret list of high-risk vendors that will be restricted or banned in the name of national security.
In terms of value for money, excluding the market leader in 5G leaves the Belgians with the Nordic duopoly of Nokia and Ericsson to buy from, limiting competition. And a secret ban list makes transparency and accountability impossible.
The irony here is that Huawei is less expensive and no less secure than Nokia and Ericsson, both of which use components from China in any case.
Trust the Telcos
It is unclear why individual product or vendor bans, often based on political bias or trade-war tactics, would be a better approach than allowing the network operators to take a holistic view across all layers of their security.
The Belgian approach, like many other such bans, assumes that the network operators are not either best placed or indeed competent enough to secure their own networks and systems - something that the operators themselves would vigorously dispute.
After all, why should such bans apply to network hardware alone? If the network operators cannot be trusted to select, deploy, and secure hardware on their networks, then how can they be trusted with the choice of software or security systems? And as staff often represent the weakest link in cybersecurity, maybe governments also need to dictate which recruitment firms can be trusted, and ban those that are not up to scratch.
The reality is that vendors do not fall neatly into the black-and-white lists that those favouring bans would like; that network operators that manage their security from end to end are better placed to decide on the best approach than their governments are; and that, as bug bounty programmes have shown, openness, transparency, and responsibility are by far the best approach.