October 22nd, 2012
06:17 PM ET

Are Chinese firms a cyber threat?

By A. Greer Meisels & Mihoko Matsubara, Special to CNN

Editor’s note: A. Greer Meisels is associate director and research fellow at the Center for the National Interest. Mihoko Matsubara is a cybersecurity analyst and was previously a research fellow at the Pacific Forum CSIS. The views expressed are their own.

The United States and its allies count technological innovations and critical infrastructure among their strategic resources and, as such, their military and economic strategies increasingly rely on information and communications technology. Unfortunately, as a recent U.S. congressional report on Chinese telecommunication equipment heavyweights Huawei and ZTE suggested, these technologies are now threatened by cyber espionage and sabotage.

After reading the congressional report, it’s hard not to breathe a sigh of relief that a general like Sun Tzu did not have cyber instruments in his arsenal. The report declared Huawei and ZTE potential threats to U.S. national security given their alleged ties to the Chinese government and its military, which some believe might increase the risk of their engaging in espionage and sabotage activities.

These two companies, the Chinese government, and certain economists have for their part criticized the report, claiming there is insufficient evidence to bar Huawei and ZTE from entering the U.S. market. Its opponents are crying “protectionism.”

However, setting aside the economic arguments, this case presents three security questions that Washington and its allies need to answer: What does this case mean for 1) cyber espionage, 2) cyber sabotage, and 3) supply chain risks?

First, the report argues about possible cyber espionage. The Chinese companies may, it suggests, implant malicious software or hardware onto U.S. networks to glean defense and trade secrets and to steal companies’ intellectual property. This is not the first time Washington has nailed China for this. Late last year, a U.S. intelligence report for Congress condemned China as “the world’s most active and persistent perpetrators of economic espionage.”

Nowadays, malicious actors resort to Advanced Persistent Threat or APT to tenaciously probe the vulnerabilities of their targets and steal sensitive information. Such installations, during either production or upgrading, diversify and increase the opportunities culprits may have to weaken the United States and its allies both economically and militarily. Malicious actors can even collect personally identifiable information by using wiretaps and then use it for future social engineering.

Second, the report points to cyber sabotage possibilities. Inserting malware onto systems may enable China to “shut down or degrade critical national security systems in a time of crisis or war” and harm critical infrastructure. The risks, however, may be even greater – directly affecting our military and turning its equipment into nothing more than hunks of metal. For example, the U.S. Senate Committee on Armed Services issued a report in May of this year warning that a year-long investigation found 1,800 cases of counterfeit parts in U.S. military helicopters and cargo planes. Over 70 percent of an estimated one million suspect parts were traced back to China. Regardless of whether or not the parts were installed intentionally, they have the capacity to impair the military superiority of the United States and, by extension, its allies. Given the changing dynamics and potential power shifts in the Asia-Pacific region, these actions cannot proceed unchecked.

Finally, the congressional report suggests that the chances of cyber espionage and sabotage increase in the supply chain – something which did not garner much attention during the Stuxnet incident. The Natanz case proved that cyber instruments can bridge air gaps to poach data and cause physical harm, and supply chains can easily assist these offenders. It takes rigorous and intense efforts to weed out back doors, kill switches, and insidiously implanted malware. Governments need to establish a flexible, risk-based and transparent standard to check supply chain risks – one that covers the entire lifecycle – from production to resale and system upgrade. After all, even if the United States successfully keeps Huawei and ZTE from entering its borders, current global manufacturing processes and markets make it impossible to shut out all Chinese-made products and components that may flow in. If the Chinese Communist Party, or any other perpetrator, wants to implant a kill switch, they can simply sneak it in. There is also a risk of receiving damaging equipment through resales by third countries.

What the United States and its allies need to do now is to coordinate their response to these threats. As countries pursue interoperability for the sake of military efficiency, they also face an increase in shared vulnerabilities. Washington should take advantage of its pre-existing alliance network and serve as a hub to synchronize such efforts. This requires developing robust, actionable intelligence capabilities that can provide real-time information to decision-makers in the United States, to private companies, and to its allies.

Of course, it would not be realistic to check each and every defense or critical infrastructure-related device, given the magnitude of such an endeavor. Yet, Washington and its allies could still categorize their priorities and agree on what is most important; for example, specific types of industrial control systems. This standard would enable the governments to effectively track the flow of these devices and minimize certain risks.

Regardless, each government should still be allowed to take unique defensive measures for their lower-level priorities; otherwise, it would take too much time for governments to reach a consensus. Moreover, a rigid, “one size fits all” standard would prove too difficult to implement.

Of course, in some instances, there may be a reason to alert non-allied countries to a potential threat if it would deter them from procuring contaminated equipment that could hurt assets in their own country as well as in third party countries. This requires the recalibration of security clearance and information assurance systems. And, while some may be wary of this suggestion, given the fact that anyone can now become a victim of cyber attacks, sometimes the need to share outweighs the need to know. In this same vein, governments could collaborate to develop a shared computer network that could plot and visualize current and potential threats to so-called “first priority devices” on a digital map. They might even be able to input data and information without specifically referencing where the intelligence originated. This system would save governments from being inundated by thousands of emails or flash reports.

Some countries may not want to allocate resources for supply chain probes in today’s ailing economy, and indeed may face strong private sector opposition due to perceived adverse effects on competition, innovation, and transparency. However, even in lean times, a country’s national security and future economic health cannot afford to be degraded by failing to notice what is lurking within the electronic devices we all rely on these days.

Washington and its allies have to work together to prevent the adversary from realizing a cyber version of the Sun Tzu strategy.

Topics: China • Technology • United States

soundoff (14 Responses)
  1. David Day

    Excellent piece which underscores the critical necessity of Washington coordinating with its allies on the subject of cybersecurity–a task easier talked about than really accomplished. The additional challenge will be to coordinate with the private sector. I wonder how the issues of national security intelligence, corporate confidentiality, trade secrets, get handled in a cross-border cybersecurity scheme?

    October 22, 2012 at 7:18 pm | Reply
    • Lyndsie Graham

      Spoken like a true, Tea Partying nitwit. Gee David, do you honestly believe everything this government says? I sincerely hope not!

      October 22, 2012 at 7:26 pm | Reply
      • Jimda2nd

        You're retarded, shut up, thank you

        October 25, 2012 at 5:17 pm |
    • Patrick

      Gee David, you ought to know better! We do.

      October 23, 2012 at 11:14 am | Reply
      • Jimda2nd

        I doubt it...

        October 25, 2012 at 5:18 pm |
    • Maersk

      David Day, you forgot to mention the day Chinese hackers hacked into your azz and stole your virginity. As a result, you can not sell yourself as virginn to your uncle. All you can do now is to zuck more kwoks for less money.

      October 23, 2012 at 5:53 pm | Reply
      • Jimda2nd

        Your randomness makes me believe that you are Chinese, and dishonorable.

        October 25, 2012 at 5:20 pm |
  2. J. Foster Dulles

    I see that the politicians in Washington are finding yet another way to try to scare the general public, this time being China's new cyber capabilities. In fact, we've been spying on the Chinese for decades so why should we now be afraid of them? This too is all politics as usual!

    October 22, 2012 at 7:21 pm | Reply
  3. j. von hettlingen

    Huawei and ZTE do business across 150 markets. In the UK David Cameron welcomed Huawei's investments of over £ 2 billion in the country. Huawei is a major supplier to British Telecom (BT) and involved in a new 4G superfast mobile network. It operates also closely with the UK's intelligence agency Government Communications Headquarters (GCHQ) in Cheltenham. It even employs the UK government's former chief information officer as its global cyber-security officer. The UK doesn't see Huawei as a cyber threat.

    October 23, 2012 at 4:21 pm | Reply
    • Maersk

      Basically, the so-called innovative and creative American kwok heads found themselves not as innovative and creative as they proclaimed, as a result, they accused the Chinese companies for spying. They are just losers who can't compete.

      October 23, 2012 at 6:03 pm | Reply
    • JP, Canada

      Nobody saw the threat of the Trojan horse back then!... What is better than IT/communication systems to trap and redirect every piece of information when these items are designed and manufactured in frenemy countries?

      October 24, 2012 at 10:48 pm | Reply
      • Maersk

        JP, Canada the kwok head, if that's the case, you should worry about the possibility that your Uncle Samm is peepping through your windows while you are kwok zucking.

        October 24, 2012 at 11:56 pm |
  4. Angel

    Being a real Novice, I will be eternally analyzing online for articles that'll assist me. Thanks! I am totally enjoying your web site and enjoy refreshing upgrades.
    Angel http://www.bridgedtech.com/wiki/wikka.php?wakka=CarAudioSpeakerSetUpForOptimumPerformance

    November 4, 2013 at 4:04 pm | Reply
