
Manufacturer inserting malicious software into their equipment?

It was reported recently (February 2019) that the Japanese government will be issuing guidelines to owners/operators of critical infrastructure, such as water and electricity, on their purchase of telecommunications equipment, to avoid the risk of this equipment being embedded with malicious software. (source: Nikkei Asian Review)


This is a continuation of the fallout arising from the allegations started by the US against the telecom equipment manufacturer Huawei.


The allegation by foreign countries against Huawei is that its telecom infrastructure equipment may contain backdoors that could enable unauthorised surveillance by the Chinese government.


Equipment and devices come with all software and driver updates already installed.

Driver updates are sent automatically by the software developer periodically. The developers constantly refine and update their software to enhance its performance and also to patch any vulnerabilities which they may find subsequently. This equipment and these devices come with anti-virus software.

 

All equipment and devices are susceptible / vulnerable to a breach or attack, as viruses can be introduced into any IT system in many ways and do not necessarily need to be inserted directly into the equipment / devices.


The manufacturer and software developer do not provide assurance to users that their equipment / devices are breach-proof, i.e., that malware cannot penetrate the system. Cyber attackers / hackers frequently create new viruses and release them. All operating systems and software are vulnerable, which explains why there are these driver updates.


In cybersecurity, malware (shorthand for malicious software) is always understood to be software developed by cyber attackers / hackers with the intention of gaining access to or causing damage to a computer or network, often while the victim remains oblivious to the fact there's been a compromise.


If a 'backdoor' really is inserted inside, it would only make spying / surveillance easier. If hackers really do want to attack these owners / operators of critical infrastructure, with or without the 'backdoor', they can still insert other malware into the system, albeit with slightly more difficulty.


An organisation that practises benchmark cyber resilience would have met all the prerequisites, i.e., the organisation would have regular pen testing and vulnerability assessments to assess its 'health' and an adequate defence to monitor and minimise any 'incoming' threats.

During these pen testing and assessment exercises, threats / malware already planted inside the IT system would be identified, located and disabled / destroyed.


New and improved 'defensive walls' would be added, if necessary, to strengthen the existing defences and to track and identify potential new threats before they attack.


Logically, it is not unreasonable to assume that if these 'defensive walls' can 'defend' against new potential threats coming in, they can also 'prevent and stop' threats or information inside from going out.
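The outbound side of that argument, as an added example that is not part of the original article: a default-deny egress check that flags any connection a piece of infrastructure equipment initiates to a destination outside its approved list. The device names, allowlist, flow-record format and addresses (documentation ranges) are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist (assumption): destinations each device may initiate
# connections to, as (network, destination port) pairs. Here: NTP and syslog.
ALLOWED_EGRESS = {
    "core-router-1": [("192.0.2.0/24", 123), ("192.0.2.10/32", 514)],
    "base-station-7": [("192.0.2.0/24", 123)],
}

# Constructed flow records: device, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
core-router-1 192.0.2.5 123 480
core-router-1 192.0.2.10 514 12000
core-router-1 203.0.113.77 443 5242880
base-station-7 192.0.2.5 123 480
base-station-7 198.51.100.9 53 900
base-station-7 198.51.100.9 53 1100
unknown-box 192.0.2.5 123 480
"""

def is_allowed(device, dst_ip, dst_port):
    """True if the device's allowlist covers this destination and port.
    A device with no allowlist entry is denied everything (default deny)."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) and dst_port == port
               for net, port in ALLOWED_EGRESS.get(device, []))

def find_unexpected_egress(flow_text):
    """Return {(device, dst_ip, dst_port): total_bytes} for flows off the allowlist."""
    violations = defaultdict(int)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        device, dst_ip, port, nbytes = fields
        if not is_allowed(device, dst_ip, int(port)):
            violations[(device, dst_ip, int(port))] += int(nbytes)
    return dict(violations)

if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_FLOWS)
    # Largest outbound volume first: bulk transfers are the most urgent to review.
    for (dev, ip, port), total in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"ALERT {dev} -> {ip}:{port} sent {total} bytes outside allowlist")
```

Summing bytes per destination surfaces both a single large transfer and many small ones to the same address.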


The following companies compete with Huawei around the world as telecom equipment manufacturers:

  1. Cisco 

  2. Dell

  3. Juniper

  4. Alcatel

  5. Brocade

  6. Arista

  7. Aruba

  8. VMware

  9. Netgear

  10. Extreme Networks

It is common knowledge that the US government requests companies like Facebook, Apple and Microsoft to make 'backdoors' available to the government, citing national security as the basis. China, however, has not made known, or it was never publicised, any similar request to the internet giants in China.


On a separate front, concerns were raised about the vulnerability of all the IoT devices that would be entering the market. In the rush to push their products into the market, many IoT device manufacturers ship them with standard settings and the passwords left at default, making them extremely easy for cyber criminals to hack into. Some of these IoT devices could end up being used by the owners/operators of critical infrastructure for their operations.


Should a ban or guidelines also be issued against these IoT equipment / devices? Presently, China is one of the biggest manufacturers of IoT-enabled devices in the world, and its products are also sold worldwide.


We leave it to the readers to assess and decide on our heading - 'Can a manufacturer insert malicious software into their equipment?'


