12 October 2018

China's Just Been Caught Spying. Or Has It?

By Matthew Bey

The accuracy of a report that China inserted specialized chips in electronic hardware used by the U.S. government and major companies still needs to be verified. Nevertheless, the United States will use the claim as evidence in its wider campaign against China, both domestically and abroad, while working to secure critical aspects of its supply chain. Though Washington may wish to untangle the interwoven supply chains between the United States and China, companies will not do so by themselves, meaning the government will have to enact new regulations if it wishes to enforce change.


The news was a bombshell: China had infiltrated tech supply chains and installed a malicious chip in equipment that was eventually used by nearly 30 U.S. companies — including defense contractors and even the CIA, Bloomberg reported Oct. 4. If true, the story would confirm the United States' worst fears about China infiltrating U.S. security networks at will, but that possibility might be beside the point. Even if the story isn't true — and two of the companies in question, Amazon and Apple, rapidly denied that any such infiltration occurred — the report will still add more grist for the mill as Washington seeks to beat back Beijing's rise in technology.

The Big Picture

China and the United States are in the middle of a tech cold war — and unlike the Cold War of the 20th century, the two are deeply tied to each other in trade, with the United States especially dependent on hardware assembled or manufactured by China. As a result, Washington harbors great fear that Beijing will one day exploit that weakness for espionage. And after a new report, the United States may finally have proof of one of its biggest worries.

Supplying an Entire World

China has become the epicenter of the global technology sector's supply chain. While Western, Korean, Taiwanese and Japanese companies remain leaders in designing semiconductor chips and other critical hardware, much of the assembly line for components and finished products, varying from motherboards to iPhones, runs through China.

The United States has complained that this step in the manufacturing process represents a strategic risk, because it allows China to embed malicious code and gain direct access to sensitive U.S. information through the back door, thereby compromising the security of Chinese-built products. The Bloomberg report alleged a high degree of operational planning and sophistication, noting that the perpetrators were able to explicitly target certain overseas customers and single out components sold to them. In one case, the news outlet revealed that members of the People's Liberation Army (PLA) are suspected of installing chips the size of a rice grain into motherboards that eventually went into servers used by a U.S. video compression firm that had been awarded defense contracts, as well as one with the CIA.

Creating the Truth

All this said, there are reasons to doubt the full account of the report. Amazon Web Services, which was said to have alerted U.S. authorities after finding the malicious chip on a motherboard, denied that it knew about any compromise to supply chains. Apple echoed Amazon's comments, rebutting "virtually every aspect of Bloomberg's story relating to Apple." Meanwhile, the company behind the motherboards, Supermicro, said it was not aware of any investigation into the matter.

It is certainly possible that the Trump administration may be trying to leak details or pump up a story as part of its campaign against China. U.S.-based tech firms may also want to distance themselves from the federal U.S. investigation out of fear that China could retaliate or that their reputations could suffer harm. Moreover, only a small handful of individuals at each of the affected companies may be privy to the details of any federal national security investigation and even then, they might have no authority to disclose the matter or alert their respective public relations departments. Nevertheless, the veracity of the report may not even matter that much, because the Trump administration is likely to use it as evidence against China. That's because, like any good spy novel, the details are realistic enough to capture everyone's imagination.

The veracity of the report may not even matter that much, because the Trump administration is likely to use it as evidence against China. That's because, like any good spy novel, the details are realistic enough to capture everyone's imagination.

The Trump administration has already launched a two-pronged assault against China's tech sector. The first is the trade assault involving intellectual property theft, which has led to tariffs on more than $250 billion worth of imports. The second is a drive to reduce U.S. supply dependency on China and its ostensibly untrustworthy tech companies. Fears about the activities of China's tech companies are on the rise, as the United States, Australia and other Western governments have banned the use of Huawei or ZTE products for certain applications. In addition, the United States has implored other countries to cease using Chinese equipment due to the alleged risks.

The Department of Defense, one of the targets of the alleged operation, recently launched its "Deliver Uncompromised" strategy to add security — both the cyber and supply chain varieties — as the fourth pillar of its acquisition framework, which includes cost, schedule and performance. In making such a significant shift, the department has demonstrated its recognition of the threats facing its supply chains and cybersecurity in general. From now on, companies competing for defense contracts will need to evaluate their supply chain security. And though China is not the only foreign adversary the Pentagon is facing — Russia is another — it is possible that the shift in strategy stems from a secret investigation into the PLA's intrusion into the Pentagon contractor's supply chains.
Untangling the Links Between the U.S. and China

In pursuing its overall trade strategy — while devoting an increasing focus to technology — the Trump administration is ultimately seeking to untangle U.S. and Chinese tech supply chains. Shifting away from China, however, won't be an easy task for companies due to the East Asian giant's prevalence in the sector's manufacturing value chain and, more importantly, its growing size as an electronics consumer. Instead, companies will try to compartmentalize what they can and conduct more internal reviews and more thorough screenings of components. In the end, however, companies are unlikely to turn their back on China unless the U.S. government implements regulations and a long-term incentive structure to reduce reliance. One aspect of such a drive could be the United States' new push to enact export controls on strategically and industrially significant emerging technologies, such as artificial intelligence.

Beyond any formal U.S. action, the alleged infiltration could spark a backlash against Chinese companies and their connections to the PLA and Beijing. Huawei, for instance, maintains that it is a private company with no ties to the PLA, but it has struggled to dissociate itself from the army, especially because its founder is former PLA member Ren Zhengfei. More importantly, the incident demonstrates that even if Huawei or another Chinese company affirms that it has no connections to the PLA, the fact that Huawei, like Supermicro, uses Chinese contractors or assemblers means that the army could infiltrate it in other ways. For China, a consumer backlash against its own companies could imperil some of its long-term economic and tech goals.

At present, it's difficult for anyone to verify how much of the Bloomberg report is accurate, but to channel one of China's biggest accusers on the world stage, "it's yuge" in its significance. The consequences, meanwhile, are just beginning.

No comments: