"Since most network infrastructure hardware is manufactured in China and many targeted industrial cyberespionage attacks seem to originate in China as well, it is only prudent to ask the question 'how can we verify that critical enterprise network infrastructure devices have not been compromised during manufacturing or shipping?'
"For that matter, how can we verify that network devices designed & manufactured entirely within other countries are not compromised either? When you stop to think about it, we place implicit trust in equipment all the time simply because of the corporate logo on the front of the device, while, in reality, it is all coming out of the same globalized supply chain. 'Trust but verify.' Okay, but how do we actually 'verify'? Can anyone at Cisco, Huawei or ZTE answer this question?"
Well, I reached out to ZTE and received the following official response:
ZTE's State of the Art Trusted Delivery Model
Core elements of ZTE's Trusted Delivery Model include:
The Trusted Delivery Model provides a high assurance of security to stakeholders about ZTE's system, free from known security risks and matching the carrier's purchasing order.
ZTE provides full transparency and complete cooperation while security testing and trusted delivery verifications are being executed by an independent third party assessor.
A comprehensive independent audit, including a physical facility review with a focus on security and maturity of ZTE's processes pertaining to software and hardware design and development, manufacturing and supply chain/delivery operations is conducted during the Trusted Delivery Model review.
A thorough, in-depth high assurance evaluation of the ZTE software, firmware and hardware is conducted by the assessor. Software and firmware source code are fully analyzed and evaluated. Hardware is evaluated to the level of detailed printed circuit board layout, discrete components and signal paths in and among circuit boards.
System level security vulnerability testing, conducted by the assessor and executed continuously throughout the system/technology lifecycle, includes tailored penetration testing that is informed and guided by a deep analysis to bring to light vulnerabilities and exposures in the system.
The Trusted Delivery Model confirms that ZTE's systems match the systems certified by the assessor and deployed by the carrier. The security testing processes are continuously evolving to address specific government agency and carrier concerns.
The trusted delivery model promises complete visibility of audits and testing results for carriers authorized by the U.S. Government Agency and other stakeholders.
Note: I've both called and emailed Cisco's top Public Relations executive, John Earnhardt, seeking Cisco's official response regarding the "safety" of Cisco components and equipment that are manufactured in China and received absolutely NO response.