By A. Greer Meisels & Mihoko Matsubara, Special to CNN
Editor’s note: A. Greer Meisels is associate director and research fellow at the Center for the National Interest. Mihoko Matsubara is a cybersecurity analyst and was previously a research fellow at the Pacific Forum CSIS. The views expressed are their own.
The United States and its allies count technological innovations and critical infrastructure among their strategic resources and, as such, their military and economic strategies increasingly rely on information and communications technology. Unfortunately, as a recent U.S. congressional report on Chinese telecommunication equipment heavyweights Huawei and ZTE suggested, these technologies are now threatened by cyber espionage and sabotage.
After reading the congressional report, it’s hard not to breathe a sigh of relief that a general like Sun Tzu did not have cyber instruments in his arsenal. The report declared Huawei and ZTE potential threats to U.S. national security given their alleged ties to the Chinese government and its military, which some believe might increase the risk of their engaging in espionage and sabotage activities.
These two companies, the Chinese government, and certain economists have for their part criticized the report, claiming there is insufficient evidence to bar Huawei and ZTE from entering the U.S. market. Its opponents are crying “protectionism.”
However, setting aside the economic arguments, this case presents three security questions that Washington and its allies need to answer: What does this case mean for 1) cyber espionage, 2) cyber sabotage, and 3) supply chain risks?
First, the report raises the possibility of cyber espionage. The Chinese companies may, it suggests, implant malicious software or hardware onto U.S. networks to glean defense and trade secrets and to steal companies’ intellectual property. This is not the first time Washington has nailed China for this. Late last year, a U.S. intelligence report for Congress condemned China as “the world’s most active and persistent perpetrators of economic espionage.”
Nowadays, malicious actors resort to Advanced Persistent Threats (APTs) to tenaciously probe the vulnerabilities of their targets and steal sensitive information. Such installations of malicious software or hardware, during either production or upgrading, diversify and increase the opportunities culprits may have to weaken the United States and its allies both economically and militarily. Malicious actors can even collect personally identifiable information by using wiretaps and then use it for future social engineering.
Second, the report points to cyber sabotage possibilities. Inserting malware onto systems may enable China to “shut down or degrade critical national security systems in a time of crisis or war” and harm critical infrastructure. The risks, however, may be even greater – directly affecting our military and turning its equipment into nothing more than hunks of metal. For example, the U.S. Senate Committee on Armed Services issued a report in May of this year warning that a year-long investigation found 1,800 cases of counterfeit parts in U.S. military helicopters and cargo planes. Over 70 percent of an estimated one million suspect parts were traced back to China. Regardless of whether or not the parts were installed intentionally, they have the capacity to impair the military superiority of the United States and, by extension, its allies. Given the changing dynamics and potential power shifts in the Asia-Pacific region, these actions cannot proceed unchecked.
Finally, the congressional report suggests that the chances of cyber espionage and sabotage increase in the supply chain – something which did not garner much attention during the Stuxnet incident. The Natanz case proved that cyber instruments can bridge air gaps to poach data and cause physical harm, and supply chains can easily assist these offenders. It takes rigorous and intense efforts to weed out back doors, kill switches, and insidiously implanted malware. Governments need to establish a flexible, risk-based and transparent standard to check supply chain risks – one that covers the entire lifecycle – from production to resale and system upgrade. After all, even if the United States successfully keeps Huawei and ZTE from entering its borders, current global manufacturing processes and markets make it impossible to shut out all Chinese-made products and components that may flow in. If the Chinese Communist Party, or any other perpetrator, wants to implant a kill switch, they can simply sneak it in. There is also a risk of receiving damaging equipment through resales by third countries.
What the United States and its allies need to do now is to coordinate their response to these threats. As countries pursue interoperability for the sake of military efficiency, they also face an increase in shared vulnerabilities. Washington should take advantage of its pre-existing alliance network and serve as a hub to synchronize such efforts. This requires developing robust, actionable intelligence capabilities that can provide real-time information to decision-makers in the United States, to private companies, and to its allies.
Of course, it would not be realistic to check each and every defense or critical infrastructure-related device, given the magnitude of such an endeavor. Yet, Washington and its allies could still categorize their priorities and agree on what is most important; for example, specific types of industrial control systems. This standard would enable the governments to effectively track the flow of these devices and minimize certain risks.
Regardless, each government should still be allowed to take unique defensive measures for its lower-level priorities; otherwise, it would take too much time for governments to reach a consensus. Moreover, a rigid, “one size fits all” standard would prove too difficult to implement.
Of course, in some instances, there may be a reason to alert non-allied countries to a potential threat if it would deter them from procuring contaminated equipment that could hurt assets in their own country as well as in third party countries. This requires the recalibration of security clearance and information assurance systems. And, while some may be wary of this suggestion, given the fact that anyone can now become a victim of cyber attacks, sometimes the need to share outweighs the need to know. In this same vein, governments could collaborate to develop a shared computer network that could plot and visualize current and potential threats to so-called “first priority devices” on a digital map. They might even be able to input data and information without specifically referencing where the intelligence originated. This system would save governments from being inundated by thousands of emails or flash reports.
Some countries may not want to allocate resources for supply chain probes in today’s ailing economy, and indeed may face strong private sector opposition due to perceived adverse effects on competition, innovation, and transparency. However, even in lean times, a country’s national security and future economic health cannot afford to be degraded by failing to notice what is lurking within the electronic devices we all rely on these days.
Washington and its allies have to work together to prevent the adversary from realizing a cyber version of the Sun Tzu strategy.