According to a recent study on electronic espionage vulnerabilities, the U.S. government is significantly at risk from Chinese espionage and cyber attacks, as we are so dependent on electronics and software made in China. This is an increasing risk as China seeks global technological dominance, according to the study, which was conducted for a congressionally chartered advisory commission.
Much of the U.S. Government’s annual $90 billion spent on information technology is devoted to Chinese products, which creates the opportunity for China to seed U.S. government offices with spyware and electronic backdoors that can be exploited for cyber attacks, said Jennifer Bisceglie, chief executive of Interos Solutions, which conducted a recently released study: https://www.uscc.gov/sites/default/files/Research/Interos_Supply%20Chain%20Vulnerabilities%20from%20China%20in%20U.S.%20Federal%20ICT_final.pdf
“They are doing it,” Bisceglie said. “We’re not even making it difficult right now.”
Advanced technologies are a notable flash point. Under its “Made in China 2025” program, the Chinese government is funneling $300 billion into 10 strategic industries including artificial intelligence, semiconductors and robotics. The avowed aim is for China to shed its role as a maker of toys and clothes to become the global leader in the technologies needed for commercial and military dominance.
Last month, the U.S. trade representative accused China of forcing foreign companies to surrender trade secrets in return for access to the Chinese market and of waging a cybertheft campaign.
Compelling U.S. technology companies to share software source code and other performance details with their Chinese suppliers also could allow Chinese officials to “exploit vulnerabilities in a product,” the report warned.
“China is a First World economy, behaving like a Third World economy. And with respect to technology and other matters, they have to start playing by the rules,” Larry Kudlow, director of the National Economic Council, told reporters this week.
The U.S.-China commission report depicts a fragmented acquisition system and lack of clear rules about the assessment of foreign risks. “The conflicting and confusing laws and regulations result in loopholes, duplication of effort and inconsistently applied policies,” concluded the report by Interos, an Alexandria, Va.-based supply chain consultant.
Top federal suppliers of computers, routers, software, and printers such as Hewlett-Packard Enterprise/HP Inc., IBM, Dell, Cisco, Unisys, Microsoft and Intel rely on Chinese factories for many of their components. Citing publicly available data, the report said 51 percent of parts shipped to those companies originated in China.
Microsoft had the largest share of Chinese components at 73 percent, the report said.
Many of the technology companies’ suppliers also have links to the Chinese government. Dell buys batteries from Lishen Power Battery Systems, a subsidiary of Tianjin Lishen Battery Joint-Stock Company, a state-owned enterprise, the report said.
Other Chinese state-owned companies supply magnets, shielding materials, cables, and power connectors. Dell and HP buy liquid crystal displays for tablet and notebook computers from state-linked Chinese companies, the report said.
Although the report focuses on China, it says other countries also pose supply-chain risks. In September, the Department of Homeland Security ordered federal agencies to stop using anti-virus software from Russia’s Kaspersky Lab, citing “ties between certain Kaspersky officials and Russian intelligence.”
DHS said that Russian officials might be able to penetrate U.S. government networks using their links to Kaspersky. The company sued DHS, arguing it was denied due process.
The report recommends designating a central U.S. authority for supply-chain protection in the General Services Administration or DHS. Congress also should tie program budgets to supply-chain monitoring and require government contractors to disclose suppliers of information and communications technology (ICT).
Existing mandates “are not designed to mitigate risk posed by ICT products that may have been compromised during the manufacturing, programming or deployment process,” the report said.