It’s no secret that Chinese companies are major suppliers to U.S. technology companies that serve the Federal government, and a report issued last month says the Chinese government is leveraging that manufacturing capability to create significant security risks across the U.S. Federal enterprise.
The U.S.-China Economic and Security Review Commission tasked Washington-based Interos Solutions with probing supply chain risks of information and communications technology (ICT) providers that support the Federal government. Interos’ report concludes that the Chinese companies used mammoth U.S. tech players like HP, Cisco, and Microsoft as their backdoors into Federal systems.
“China did not emerge as a key node on the global ICT supply chain by chance,” the report states. “The Chinese government considers the ICT sector a ‘strategic sector’ in which it has invested significant state capital and influence.”
It goes on to describe the systematic approach that the Chinese government took “to obtain economic advantage by pursuing knowledge of key technologies through corporate acquisitions and by using the economic power of Chinese companies as tools of the state.”
The report found that many U.S.-owned ICT products are subject to oversight from Chinese authorities, or interaction with Chinese servers, making them potential tools to gain unauthorized access to Federal networks.
“New policies requiring companies to surrender source code, store data on servers based in China, invest in Chinese companies, and allow the Chinese government to conduct security audits on their products open Federal ICT providers–and the Federal ICT networks they supply–to Chinese cyberespionage efforts and intellectual property theft,” the report concludes.
So, what can the Federal government do about it? We’ve already seen steps to curb Chinese telecommunications giants like Huawei and ZTE over national security concerns. Cutting off all use of Chinese suppliers is both untenable and unlikely.
A key step, the report suggests, could be tied to future procurement through the Modernizing Government Technology Act.
“Congress should tie policy revisions to a funding strategy that ensures federal agencies take action in ways that are auditable,” the report recommends. “A near-term opportunity is to tie the Supply Chain Risk Management requirements of this regulation to agency funding for the Modernizing Government Technology Act, in ways that require a SCRM program review for new ICT investments and modernization efforts.”
Auditing future government acquisitions is a major piece of the “adaptive” SCRM model the report advocates. We’ve also seen steps on the government’s end, such as updating the NIST Cyber Framework with a robust section on SCRM. Government, at least, seems more aware that a crack in its armor could be no bigger than a chip in a server.