22 April 2018

The U.S. government is vulnerable to Chinese espionage or cyberattack because of its dependence on electronics and software made in China

David J. Lynch

The U.S. government is dangerously vulnerable to Chinese espionage or cyberattack because of its dependence on electronics and software made in China, a risk that threatens to grow as Beijing seeks global technological dominance, according to a study for a congressionally chartered advisory commission. Information technology products made by enterprises owned or influenced by China could be modified to work poorly, conduct espionage or otherwise interfere with government operations, said the report for the U.S.-China Economic and Security Review Commission, which is scheduled to be released Thursday. Much of the government’s annual $90 billion in spending on information technology is devoted to Chinese products, offering Chinese officials an opportunity to seed U.S. government offices with spyware and electronic back doors that could be exploited for cyberattacks, said Jennifer Bisceglie, chief executive of Interos Solutions, which conducted the study.

“They are doing it,” Bisceglie said. “We’re not even making it difficult right now.”

The study comes amid a deteriorating trade relationship between the United States and China, as President Trump and Chinese President Xi Jinping swap tariff threats. After decades of growing commercial ties, Trump has attacked China for “economic aggression” and labeled it a “hostile” economic power.

Advanced technologies are a notable flash point. Under its “Made in China 2025” program, the Chinese government is funneling $300 billion into 10 strategic industries including artificial intelligence, semiconductors and robotics. The avowed aim is for China to shed its role as a maker of toys and clothes to become the global leader in the technologies needed for commercial and military dominance.

Last month, the U.S. trade representative accused China of forcing foreign companies to surrender trade secrets in return for access to the Chinese market and of waging a cybertheft campaign.

Compelling U.S. technology companies to share software source code and other performance details with their Chinese suppliers also could allow Chinese officials to “exploit vulnerabilities in a product,” the report warned.

“China is a First World economy, behaving like a Third World economy. And with respect to technology and other matters, they have to start playing by the rules,” Larry Kudlow, director of the National Economic Council, told reporters this week.

The U.S.-China commission report depicts a fragmented acquisition system and lack of clear rules about the assessment of foreign risks. “The conflicting and confusing laws and regulations result in loopholes, duplication of effort and inconsistently applied policies,” concluded the report by Interos, an Alexandria, Va.-based supply chain consultant.

Top federal suppliers of computers, routers, software and printers such as Hewlett-Packard Enterprise/HP Inc., IBM, Dell, Cisco, Unisys, Microsoft and Intel rely on Chinese factories for many of their components. Citing publicly available data, the report said 51 percent of parts shipped to those companies originated in China.

Microsoft had the largest share of Chinese components at 73 percent, the report said.

Many of the technology companies’ suppliers have links to the Chinese government. Dell buys batteries from Lishen Power Battery Systems, a subsidiary of Tianjin Lishen Battery Joint-Stock Company, a state-owned enterprise, the report said.

Other Chinese state-owned companies supply magnets, shielding materials, cables and power connectors. Dell and HP buy liquid crystal displays for tablet and notebook computers from state-linked Chinese companies, the report said.

“We hold our suppliers to high standards of responsible business practices by conducting risk assessments and through programs that monitor our suppliers’ policies and practices for mitigating social, environmental, and security risks,” Dell said in a statement. “We also engage customers regularly to ensure we are addressing their specific concerns surrounding supply chain risks.”

A Chinese Embassy representative said: “Trade is mutually beneficial by nature, and we hope the U.S. will work with China to create a fair, nondiscriminatory, and sound business environment for normal trade and investment of both Chinese and American companies.”

Any attempt at obstruction serves neither country’s interest, the person said, speaking on the condition of anonymity.

Although the report focuses on China, it says other countries, such as Israel and Russia, also pose supply-chain risks. In September, the Department of Homeland Security ordered federal agencies to stop using anti-virus software from Russia’s Kaspersky Lab, citing “ties between certain Kaspersky officials and Russian intelligence.”

DHS said that Russian officials might be able to penetrate U.S. government networks using their links to Kaspersky. The company sued DHS, arguing it was denied due process.

U.S. officials for several years have raised concerns over China’s growing role in the technology industry pipeline. Last year, DHS issued an alert about security cameras made by Hikvision, 42-percent-owned by the Chinese government, saying they could be remotely controlled by hackers.

The company later said it had released a software update to fix the problem before the alert went out.

Given China’s central role in producing all kinds of electronic wares, it is virtually impossible for manufacturers to avoid Chinese parts suppliers, Bisceglie said. Over the past decade, U.S. imports of Chinese information and communications gear roughly doubled, growing almost twice as fast as overall purchases from China. Americans bought more than $155 billion of such Chinese products last year, according to the Census Bureau.

The report recommends designating a central U.S. authority for supply-chain protection in the General Services Administration or DHS. Congress also should tie program budgets to supply-chain monitoring and require government contractors to disclose suppliers of information and communications technology (ICT).

Existing mandates “are not designed to mitigate risk posed by ICT products that may have been compromised during the manufacturing, programming or deployment process,” the report said.

In 2014, Congress passed the Federal Information Technology Acquisition Reform Actt, which was designed to overhaul the government’s approach to buying electronics. But lawmakers crafted the law “to prevent costly spending” rather than to boost security, the report said.

Replacing outdated governmentcomputers has created new vulnerabilities, the report said. “Modernization will actually increase risk if newly adopted technologies are not assessed appropriately,” it said.

The problem is likely only to worsen as Internet-connected devices spread throughout homes and offices, multiplying potential entry points for cyberattacks, the report said.

The introduction of 5G wireless networks, the next generation of Internet systems, also may increase supply-chain risks, because China is seeking a greater role in setting international technical standards for such systems.

“The problem is growing in magnitude,” said Michael Wessel, a member of the U.S.-China commission. “We don’t have a plan to address China’s increasing role on the world stage and its plan to dominate ICT.”

No comments: