U.S. Writes Its Worries About Buying IT Gear From China Into Law
The U.S. government officially remains concerned about the possibility of cyber attacks from China. And it has quietly imposed new restrictions on the information technology gear that certain branches of the government buy.
According to a pretty detailed report from Reuters, a provision of the government’s latest spending law requires three federal agencies — NASA and the departments of Justice and Commerce — to buy gear only after performing a cyber-security risk assessment carried out in consultation with law-enforcement agencies. Part of the assessment includes consideration of the fact that the equipment or its components may have been manufactured in China.
It’s the latest expression of official hand-wringing about China. That country’s status as a permanent and overpowering fixture in the world of tech manufacturing is complicated by the fact that it is also proving to be an adept and aggressive player in the ongoing digital cold war between the countries. It’s also a shot across the bow of China’s large tech equipment providers, like Lenovo and Huawei.
Last month, a U.S.-based research firm claimed to have traced numerous cyber attacks to a specific unit of China’s People’s Liberation Army, one operating within a particular building in Shanghai.
Before that, suspicions about China and its intentions, capabilities and actions in the cyber arena led to a White House-ordered review of claims of spying by the Chinese telecom firm Huawei. This followed a report by the House Intelligence Committee saying that Huawei and another Chinese telecom-equipment concern, ZTE, pose sufficient security risks that government agencies should avoid buying their equipment. This amendment, inserted into a continuing resolution intended to keep the government running through the end of September, essentially puts those worries into force with regard to those three agencies.
But, as I argued at the time, at least some of the federal worry has as much to do with what China might do as it does with what the U.S. is known to have already done. The joint U.S.-Israeli cyber campaigns against Iran using malware weapons like Stuxnet, Gauss and Flame say a great deal about the potential real-world damage that a cyber weapon might do. Stuxnet, you’ll recall, is said to have caused some of Iran’s nuclear centrifuges to spin out of control and explode in an attempt to set back that country’s nuclear research efforts.
Huawei in particular has had a difficult time proving that its links to China’s military establishment are sufficiently severed, and that in the event of open conflict its gear wouldn’t be turned into a surveillance and espionage tool against the U.S. Though, as Reuters notes in its story, Huawei doesn’t believe the bill applies to it. We’ll see.