China's penetration of U.S. supply chain runs deep, says report

A new report calls on the U.S. government and industry to develop a comprehensive strategy for securing the technology supply chain from foreign sabotage and espionage.


A new report sounds alarm bells over the extent to which China has penetrated the technology supply chain, and calls on the U.S. government and industry to develop a comprehensive strategy for securing their technology and products from foreign sabotage and espionage.

These products could be modified to fail or perform at below expectations, facilitate espionage or compromise U.S. federal and private sector networks. Software supply chain attacks could become more common as the nation collectively moves towards 5G wireless networks and connected devices become more common.

The report, authored by Interos Solutions on behalf of the U.S.-China Economic Security Review Commission, posits that Chinese leaders have executed a multi-pronged strategy over the years to put their homegrown companies at the nexus of the U.S. and global technology supply chain, incentivizing corporations to build products locally and acquire businesses with contracting footholds in other nations.

"China did not emerge as a key node on the global ICT supply chain by chance," the report's authors write. "The Chinese government considers the ICT sector a 'strategic sector' in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises."

An analysis of seven major U.S.-based tech companies – HP, IBM, Dell, Cisco, Unisys, Microsoft and Intel – found that more than half of the products they and their suppliers use are shipped from China. Microsoft relies on such products the most, with analysts tracing 73 percent of their shipments between 2012 and 2017 back to China.

At the same time, Beijing has moved to prevent other countries from using similar strategies to crack the Chinese market, accelerating indigenous production of IT and communications parts and requiring outside businesses to turn over their source code, store data on Chinese servers and allow the government to conduct security audits on their products before gaining access to the Chinese market.

Furthermore, the report argues that the U.S. government lacks an overall strategy to anticipate future developments in supply chain, identify potential threats and mitigate threats. The overall push for IT modernization means the government will increasingly rely on a web of complex supply chain operations that eventually originate with commercial suppliers in China. Laws like the Federal IT Acquisition Management Act and the Modernizing Government Technology Act put pressure on agencies to modernize through commercial-off-the-shelf products that are more likely to originate from China.

However, some argue that some of those actions, like inspecting source code and security audits, are part of the reality of operating within a global supply chain. John Pescatore, a former NSA cryptologist and current director of emerging security trends at SANS, told FCW that most countries distrust technology that originates from other countries.

"The Microsofts and Googles and Apples of the world have to deal with [questions about] 'are they doing the bidding of the NSA?'" said Pescatore. "It's a global economy and everybody wants to sell everywhere in the world, so you can’t simply say ‘I’m not going to buy things from a certain country.'"

U.S. officials believe telecommunications infrastructure is particularly vulnerable. The Federal Communications Commission has proposed a new rule preventing any subsidies from their $8.5 billion Universal Service Fund from being spent on U.S. companies that buy equipment from foreign companies deemed to be a national security threat.

Supply chain dependences cut both ways. Last week, the U.S. government imposed export restrictions preventing U.S. companies from selling their technology to ZTE, a Chinese telecommunications firm that has been fined a collective $1.4 billion in recent years for selling communications equipment and technology to Iran and North Korea. It's estimated that the company sources 25 percent of its tech, including Qualcomm chips, from U.S. firms. Shares in ZTE lost value and Chinese investment funds are reevaluating their exposure to ZTE in light of restrictions.

National security officials have sounded similar alarms about another Chinese telecom company, Huawei, and the Department of Defense has barred products from both companies from being used on DoD networks. The moves appear to have spooked U.S. partners like Verizon and AT&T, who have both backed away from selling Huawei cellular phones in the U.S. domestic market this year.

The U.S. has also imposed restrictions on tech sourced from Chinese government-owned firms in government procurement. But unavoidably, Chinese-made tech does find its way into U.S. government systems. At an April 18 event hosted by the Aspen Institute, William Evanina, director of the U.S. National Counterterrorism and Security Center, specifically mentioned 5G and the federal government's IT modernization initiatives as areas of the U.S. supply chain ripe for exploitation. The ability of Chinese businesses to dramatically underbid U.S. companies on subcontracting opportunities is a problem, he said, and the government doesn't always succeed in getting some companies to see past the substantial cost-savings.

"When you go to a board of directors of a CEO and say 'Hey, I know you have two bids, you have Cisco or Oracle, and then you have the Chinese company which is forty percent cheaper,' it's hard to explain to them and hard for them to explain to their constituents that they're going to pay 40 percent more for a U.S.-based company because it doesn’t threaten national security."

Pescatore argues that with some exceptions, like connections to terrorism or international pariahs like North Korea, it is impractical and ineffective for the government to base its IT supply chain security strategy around prohibiting the use of products based on their country of origin. Instead, he suggests federal agencies and companies are better off focusing on utilizing best practices for supply chain risk management. 

"Supply chain risk management requires testing of the products you buy, and in a software world it requires testing of the software, and in global software market it requires countries to test foreign vendors and local vendors the same," said Pescatore.
