A study commissioned by the U.S.-China Economic and Security Review Commission warns that the U.S. federal government is highly vulnerable to espionage or cyber attack due to its dependence on Chinese electronics and computer software.
The study concerns “supply chain risk management,” which essentially means making the U.S. government less dependent on cheap electronic products from potentially hostile countries.
“The supply chain threat to U.S. national security stems from products produced, manufactured, or assembled by entities that are owned, directed, or subsidized by national governments or entities known to pose a potential supply chain or intelligence threat to the United States, including China,” as the report puts it.
Such products could be modified to perform poorly, create security vulnerabilities for foreign intelligence and espionage teams, or compromise the security of federal information technology systems in a variety of ways. The report anticipates the threat will become much worse with the adoption of new networking technology such as the ultra-high-speed 5G mobile network and “Internet of Things” smart devices.
The report notes that China achieved its key position in the information and communications technology supply chain very deliberately, as a matter of state national security policy, strong-arming and looting foreign companies to obtain the technology it desired.
“New policies requiring companies to surrender source code, store data on servers based in China, invest in Chinese companies, and allow the Chinese government to conduct security audits on their products open federal ICT providers – and the federal ICT networks they supply – to Chinese cyber espionage efforts and intellectual property theft,” cautions the report.
“China also continues to target U.S. government contractors and other private sector entities as part of its efforts to gain economic advantage and pursue other state goals,” it adds.
The report notes that tracing the supply line for electronic components is very difficult, as components can flow across national borders during various stages of production. Completed electronic items can then bounce between distribution centers in different countries before landing in retail stores or arriving at government IT departments. Every link in these incredibly complex supply chains could introduce security vulnerabilities, or become a pressure point for an aggressor like China seeking to interrupt the U.S. supply of essential information technology.
To put this advisory another way, if China has deliberately created security vulnerabilities in some electronic components, there is almost no way to tell which devices will be at risk of security penetration or orchestrated failure on the day Beijing decides to exploit those vulnerabilities. On a less apocalyptic scale, China can exert tremendous influence over foreign companies by threatening to shut down their supply of essential components.
In a grim twist, the report notes that China used the disclosure of classified American documents by Edward Snowden in 2013 to argue that American technology firms were sinister agents of influence that had “seamlessly penetrated” Chinese society. These allegations were then used as an excuse to bully American tech companies and develop the supply chain influence that makes China such a threat to U.S. information security today.
China’s draconian regulations do more than hamper foreign competitors, steal their trade secrets, and hand Chinese firms a competitive advantage. By forcing American companies to “surrender source code, proprietary business information, and security information to the Chinese government,” they also leave those companies exposed to “Chinese cyber espionage efforts.”
This vulnerability is not purely theoretical. The report recalls that 34 U.S. companies were hit by Chinese cyber attacks in 2010 (the campaign later known as Operation Aurora) that exploited a previously unknown flaw in Microsoft Internet Explorer, a product whose source code had been shared with the Chinese government in 2003. The report draws a line from that source-code access to the discovery of the flaw, although exploitable browser bugs are routinely found without it. The 2010 attack wave was, in turn, designed to steal source code from the targeted companies.
Since those very same companies are major providers to the U.S. federal government, those vulnerabilities are passed along to Uncle Sam like a contagious disease. The companies attacked in 2010 included Google, Adobe, Yahoo, and Northrop Grumman, all major providers to the federal government.
The report is not exclusively focused on China. One section discusses Russia-based cybersecurity firm Kaspersky Lab, whose products the U.S. government banned from federal systems in 2017 over concerns about the company’s ties to Russian intelligence and after press reports that Russian intelligence used Kaspersky anti-virus software to take classified material from an NSA contractor’s home computer. Government-connected firms in Israel are more vaguely described as a potential danger to the information technology supply chain.
As for recommendations moving forward, the report somewhat glumly concedes that changing the information technology supply chain is basically impossible at this point, so the U.S. government is best advised to centralize risk management efforts, demand greater transparency from providers, do what it can to reduce dependency on problematic sources like China, clean up the “conflicting and confusing laws and regulations” currently governing risk management, and use the appropriations process to ensure that only projects with high-security standards are funded.
“They are doing it. We’re not even making it difficult right now,” Jennifer Bisceglie, chief executive of Interos Solutions, the firm that wrote the study, told the Washington Post, referring to Chinese efforts to “seed U.S. government offices with spyware and electronic back doors.”
“The problem is growing in magnitude. We don’t have a plan to address China’s increasing role on the world stage and its plan to dominate ICT,” Michael Wessel of the U.S.-China Economic and Security Review Commission added.
To be brutally honest, the recommendations at the end of the Interos Solutions study do not seem equal to the magnitude of the dangers described in the preceding pages. If China secures the dominant position it desires in next-generation technologies like 5G wireless and artificial intelligence, there might never be a way to reach an acceptable level of data security and supply chain protection.