Should the US Really Limit Chinese-Government Influenced IT Systems?

coondoggie writes "New federal restrictions now preclude four U.S. agencies from buying information-technology (IT) systems from manufacturers 'owned, directed or subsidized by the People's Republic of China' due to national-security concerns. But is this a smart tactic? It's clear that some in the U.S. government, including the House Intelligence Committee — which issued a scathing report last fall that called Huawei and ZTE a threat to national security — and the Treasury Department's Committee on Foreign Investment in the U.S. are also working in other ways behind the scenes to keep technology made by China-based manufacturers out of U.S. commercial networks as well."

Some, anyway

[Millennium]

When you know who the foxes are, you keep closer watch over the henhouse. That just makes sense. It can be argued that there's still a role for inclusivity, but it has to be tempered with a dose of common sense.

Re:Some, anyway

It's wise and good security policy when China does it. If the US does it it's irrational, xenophobic, and probably racist (arguents which you will likely see in today's comments)

Re:Some, anyway

The funny thing is most han Chinese are horribly racist and massively nationalistic. My wife's Chinese from Beijing (and han) and the things I've heard people say who don't realize this laowai speaks Chinese would make the KKK blush.

Re:Some, anyway

[Genda]

Isn't that an REM song???

Re:Some, anyway

[ron_ivi]

Considering the US actually did sabotage enemies using software trojans... even resulting in "the most monumental non-nuclear explosion and fire ever seen from space.'" ... it's not surprising people/governments are wary of it.

Seems to me all critical infrastructure should be based on Open systems -- both Open Source software and firmware, as well as Open hardware designs; so people can have the best chance possible at reviewing and verifying any critical infrastructure components.

Simply banning stuff from Chinese companies seems silly, though; since for every US company that has a foreign office and/or foreign employees, it's probable that their products have back doors too, from every intel agency in every one of those countries. Heck, I'd go so far as to speculate that most Microsoft security bugs might be such intentional back doors -- after all, if they don't it seems those intel agencies aren't really doing their jobs.

Re:Some, anyway

[gweihir]

The only problem is, this is all BS anyways and nobody knows who the foxes are. The label on the box is pretty meaningless. What counts is inside. And when you dig a little deeper, you find that even seemingly very American companies have their firmware written in China.

I am convinced that this is merely a thinly veiled hostile economic move and has nothing to do with IT security at all.

Re:Some, anyway

[Austerity+Empowers]

Reminds me of a program manager I dealt with once. I was one foot out the door with offers on the table, having given up on my employer whose name rhymes with hell. I flat out refused to support an ODM design (I actually refused my entire 7 years there, but never was obvious about it). He asked me why, and I said I only support my local businesses. He wanted to bring me to HR for all sorts of racism, xenophobism, protectionism, insubordination, accusing me of trying to unionize, etc.

Then I asked him (knowing the answer), why we are using this ODM at all, and his response was that the end customer (a large Chinese company) will only purchase through (a large Chinese manufacturer) and they would only support locally designed products. I asked why they can't just take my working, tested, FCC approved design and he said they wanted to change components. I asked "What's wrong with the components on my board, is there a defect?", and he said "They're not made in China".

The worst part, the part that made me furious, is that he couldn't see my point. He kept spouting off capitalist slogans and telling me to read this inane book about the new global economy.

Re:Some, anyway

[EndlessNameless]

When employees of American tech companies are issued disposable cell phones and told not to discuss anything sensitive because the phones will be hacked while they're there, it seems like an obvious extension of that stance to restrict the ingress of machines running Chinese code.

Personally, I don't care if someone in China wants to watch me stream Scrubs on Netflix. But there are things on government and corporate networks that are important or dangerous enough where I would rather take every reasonable precaution.

Re:Some, anyway

[borroff]

IIRC, in the case you're referring to, the US government booby-trapped code it knew a hostile power was going to steal - that's a long way from putting a backdoor into open market software

Re:Some, anyway

[TheCastro1689]

That's not true. When you know who the foxes are you watch the foxes, when you don't know who the foxes are you watch the hen house.

Seriously?

[saleenS281]

Is this even a real question? Of course they should. The Chinese government is openly attacking both corporate and government interests throughout the US. Why give them yet another avenue to attacks?

Re:Seriously?

[ebno-10db]

And you think the US isn't doing the same thing

What's your point? Maybe good advice to the Chinese government is not to use US made networking equipment (if there is such a thing anymore). That doesn't mean the US government avoiding Chinese equipment is a bad idea.

Re:Seriously?

[Genda]

Actually, we should use a substantial amount of Chinese equipment in places that are assured non-security related (who cares if they have current information on our disposition of stray cats and dogs), and then a bunch more attached to honeypots and decoy networks to watch them watching us.

Most martial arts show us that every attack is an opportunity to use an opponents momentum against them.

Re:Seriously?

[The+Grim+Reefer]

And you think the US isn't doing the same thing, but hiding it better?

As inept as most US government agencies have become...

No, I don't.

Re:Seriously?

[dwye]

China is also a trading partner with the United States, and still they attack us.
Dipshit.

France and Germany were each other's biggest trading partner right up until the declarations of war in WWII. I would not be surprised if that were true before WWI, as well. It happens.

They should first

[obarthelemy]

limit republican-leaning closed-source and un-auditable voting machines.

Re:They should first

[thestudio_bob]

Disallow the gingers.

Re:They should first

[phantomfive]

Of course. Republicans are all wise, upstanding citizens who would never go to war on false premises. They deserve two votes for that alone.

Take it further

[Nidi62]

Any government contract should be fulfilled with domestically sourced and manufactured parts whenever possible. If we can make it here, we should. If you want to create/protect jobs, it starts by keeping the money in the country as much as possible.

Re:Take it further

[rtb61]

More importantly by forcing local supply you enable continuity of supply and are never subject to a foreign government dictating levels of supply. Local sourcing of all goods for all national infrastructure projects should be compulsory regardless of cost to ensure all those national infrastructure projects can be maintained without being forced to gain approval from a foreign government to allow that supply. That is a sane logical thing to do by any government and failure to do so when it is readily possible to treasonously betray the citizens of that country to the demands of another country, apparently based purely upon corporate executive greed.

Re:Take it further

[demonlapin]

No, no, no. No. This is a terrible idea.

There is a very good argument to be made that all remotely sensitive government IT projects should use domestically designed and built products, because electronics can do sneaky things that are almost completely undetectable (cf. Stuxnet). When you're talking about steel for bridges, not so much. Forced local supply (especially for raw materials) ends up being just another opportunity for regulatory capture.

Re:Take it further

[ebno-10db]

And any economist will tell you trade creates wealth

What they'll actually do is cite a simplistic theory that claims that. Empirical verification is another story. But even the simplistic theory only holds under a very restrictive set of assumptions, like balanced trade. We haven't had balanced trade in 30 years.

The United States became an economic superpower because it has steadfastly refused to take up the ideology you're preaching

You're joking, right? Throughout most of its history the US was famous for its high tariff barriers, including the period when we became the world's foremost industrial power. Turns out Al Hamilton was a pretty smart guy.

Re:Take it further

[Nidi62]

Opening your economy to international trade provides enormous benefit to the domestic population -- provided that it is done with respect to maximizing trade for all citizens, not just the few and the wealthy.

And this is where it has failed. What have we gained by shipping electronic manufacturing overseas? People can buy a new phone or tablet or laptop every year for about $50-100 cheaper than if it were made here. But what have we given up? Tens of thousands of jobs, if not more that would have been generated by those factories: the construction to build the factories/houses/buildings, the workers to run the factories, the technicians to maintain the electronics and machinery in the factories (and the industries to make that machinery), the transportation(air, rail, and road) needed to move the supplies and the finished product. Require electronics used for government contracts to be made here, and all of this could come back to the country, since in all likelihood to maintain profitability these companies would have to expand into consumer products as well (at least the manufacturing ones would). Would the country not be better off with all these jobs, for the trade-off that you might have to work for an extra month to buy that new laptop, or wait one more year to get a new phone?

And the US became an economic powerhouse simply because it had the fortune of access to a large amount of natural resources and it avoided playing host to very destructive wars such as WWI and WWII(yes, I know, the Civil War, but the US was far from an economic powerhouse then). The US became the powerhouse because no other state was capable, and we were able to mobilize our workforce to massively increase industry during and after WWII. And remember, the US was largely isolationist during the interwar period.

Re:Take it further

[epyT-R]

It doesn't. It can however help protect a country's sovereignty, especially in complex products that are easily perverted into trojan horses: like networking equipment, SCADA control hardware, and crypto chips used in financial and military communications, etc.. Even if the firmware for these is developed state side, it is possible to hide backdoors in the hardware as well. If these products are used as interconnects for critical infrastructure, it gives the manufacturing country strategic leverage. Obviously, it's prudent that we act to protect such infrastructure as much as possible, so ensuring the building blocks are not manufactured in hostile nations should be first-step common sense. Unfortunately, political correctness on the left and greed on the right have shoved this fact down to the bottom of the priority pile.

The ability to provide the most critical and desired products locally is one of the cornerstones of a successful, free, and secure society. When it does come time to trade, it grants a stronger position, but, in our rush to build this 'global economy', we've undercut a lot of that intrinsic power, and without it, we'll always be someone else's bitch.

Re:Take it further

[Genda]

Okay let's give this a whack... so in the long haul, there may be valid arguments for opening borders to trade and flattening the global economy, but over the last 30 years, what has happened is that America has completely lost the ability to do heavy manufacture (robots are just now bringing that work back home, but not to human beings sadly.) Though corporations make out, workers get squished. More and more they begin to resemble the third world workers who have gotten their jobs, until the third world workers rising economically meet our workers on the way down. In 1950-70 the average American paid 20% of their wage to Housing, Interest and Taxes. Through the devaluation of American currency from pumping it by the trillions into the developing world's economies, through corporate interests spacing the American economy, through inflation/QE, through predatory corporate and government practice, the average American now spends 70% of his income on housing, interest and tax.

I'm not even saying that the unnaturally high standard of living for the average American at the middle of last century didn't come at some high prices with respect to global competitiveness. I'm just saying the last 30 years have been a superating wound on the middle class with no end in site, and our government is about to cut the social safety net completely away leaving the poorest and least able to take care of themselves without means to live. When I see the vanishingly small population of disturbingly wealthy and powerful who have all made out like bandits (bandits being the oprerative phase here), I myself tend to long for the days a somewhat more protectionist American economy. Of course you may be one of those folks who've done well so clearly your mileage may vary

Re:Take it further

[sjames]

I didn't see him advocate closing off international trade, just making sure there exists a domestic source of critical infrastructure by having government source domestically. We at least want enough domestic manufacturing that the experianced people get a chance to pass their knowledge on before they retire just in case we ever have to ramp up again.

Nothing in that says anyone else in the U.S. has to buy local.

Re:Take it further

[JBMcB]

Once the price rises enough, it becomes profitable to mine for the rare earth minerals in the US again. It's in China's best interest to keep supplies up, otherwise competition will start creeping in.

Besides, Japan just found a ton of rare earth minerals in the seabed off their coast.

Re:Take it further

[khallow]

I'm just saying the last 30 years have been a superating wound on the middle class with no end in site, and our government is about to cut the social safety net completely away leaving the poorest and least able to take care of themselves without means to live.

I have a somewhat bitter solution here. Gut US spending everywhere so that the federal budget isn't a boat anchor on US competitiveness. Second, in addition to that, seriously cut back on anything that makes US workers more expensive. This includes environmental and worker safety regulation as well as some cutting of those "safety nets", particularly Social Security and Medicare/Medicaid (both which greatly harm labor competitiveness in the US).

The focus here is on cost reduction of employment which means that some regulations may be retained just by changing how the business is required to report things to a less expensive method. But some other regulations should just be cut back or dropped such as weakening threshold limits for chemicals in the workplace.

In addition, drop minimum wage substantially. I'd favor getting rid of it altogether so that the US isn't spending money at all on that particular regulation. Remember that the actual minimum wage is always $0 per hour. Anything above that is a win for your economy.

Strip out prepaid medical care and elective medical care as a requirement of health insurance. Reverse Obamacare and get employers out of the health insurance business.

And finally, I suggest growing up and reducing your expectations. The fundamental problem is that the pool of labor for global business has increased by a factor of several. Most of those people will work for much less than developed world workers do. Similarly, regulations are much less stringent leading to the greatest economic migrations of capital of all time.

I'm somewhat sympathetic to concerns about the developed world and the US in particular becoming "third world". But keeping expensive systems in place while discouraging the growth of US businesses, is just hastening the US's decline in wealth. I figure a controlled reduction of standard of living is better than the "drowning man" approach of attempting and failing hard to maintain past standards of living. It's not going to be a wonderful place, if government is no longer able to regulate pollution or arrest criminals. You can have the best standards of law and regulation and still be a disaster merely because none of those laws are enforced.

The US labor market has a particularly hard time because of all the punishments that have been heaped upon the act of employing someone. For example, a number of businesses are restructuring their labor force this year so that they can get under the 50 full time employees mark and save a lot of money (Obamacare charges a fine of $2k per employee past the first 30 employees for businesses that don't provide insurance, it's at least $40k in savings with this trick).

For example, if you have 100 full time employees now, you can save $140k (which is several employees' salaries) by restructuring as a company that has oh, 40 full time employees and maybe 120 half time employees. That game is going to have nasty consequences for the US labor force down the road.

I myself tend to long for the days a somewhat more protectionist American economy.

So what? There are cases where protectionism has worked to build an economic powerhouse. Japan did it twice, once in the late 19th century and once after the Second World War in the "Japanese miracle". Paraguay did something similar in the mid 19th century (before its epic fail in the Paraguayan War). And a number of Far East countries have followed the blueprints of the Japanese miracle.

So protectionism can work. But what do all of those have in common? An obsessive focus on industry building over labor. Labor always gets short shrift. Protectionism with a focus on labor or the "safety net" i

Re:Take it further

[khallow]

Stop with teh common sense!

Now how about we start over and you can tell me how the restriction of international trade benefits a country's economy. If you can, step up and collect your nobel prize in Economics.

Several countries have successfully pulled off this protectionism trick. The idea is that you close your economy usually via high tariff barriers though there is at least one case of near complete banning of trade. And then you obsessive focus on building up your industry and such at the expense of everything else, particularly labor. When your industries are competitive again with the global market, then you can selectively open it back up to trade to bring in more capital for industry building. The problem comes in the end game. Your workers aren't going to want to do this forever. So you either normalize to a healthier less focused economy or do crazy stuff like invade neighbors in order to keep growing your economy.

So who has done this? Japan did it twice. First, after it was coerced into opening itself for trade in 1853, and second, after the Second World War. Several countries have copied to some degree the strategy of the second time, I know of Taiwan, South Korea, China, Singapore, and Vietnam.

Another case which is particularly bizarre is Paraguay of the early 19th Century. From 1814 until 1864, Paraguay built up a powerful, industrial police state and then subsequently obliterated it in a massive war with three of its neighbors (Brazil, Argentina, and Uruguay). It's particularly notable because virtually all trade with the outside world was blocked for most of that time.

Having said that, I note that it appears that the people advocating protectionism are doing so to protect labor benefits rather than hardcore industrial build up. I think that will be disaster at least of the scale of the Smoot Hawley tariff act during the Great Depression.

Re:Take it further

[drinkypoo]

Besides, Japan just found a ton of rare earth minerals in the seabed off their coast.

This is not good news. Japan only cares about their local environment, which is why they are buying up timber as rapidly as they can, and why they consistently lied about the extent of the Fukushima disaster, and why the Japanese are still known for whaling.

This does not distinguish them from the USA, but it's still not good news.

This will probably be my second shortest ever post

[redmid17]

Yes

I would rather they enforce auditability

[Omnifarious]

I would rather they insist that any such equipment bought by the US government be open and fully independently auditable. I think they would do a lot better for everybody if they simply made that a standard requirement of the procurement process.

Though, I can also well understand the paranoia. The US government has done the exact same thing to security equipment sold to other countries that they are now worried about China doing to us. They should be worried about that.

Re:Full Retard Mode Activate!

[Improv]

Depends on what you mean by conclusive, but there's a motive and there's a capability. For the capability part, see:

http://www.schneier.com/blog/archives/2012/05/backdoor_found.html

Re:Full Retard Mode Activate!

[ebno-10db]

Besides violating over a dozen international treaties

Which would be so awful because China always honors its treaty obligations. Oh, except for not having a convertible currency, even years after they were obligated to by treaty, and manipulating their currency, and having illegal tariffs of as much as 35% on car parts (not to mention many other things), and ...

The first couple of times you don't retaliate you're taking the high road. After that you're just being a chump.

due to a long two hundred plus year history of using this labor-saving device known as chinese people to build our railroads, infrastructure, factories, etc., we don't have much in the way of domestic production capabilities for many of the major components of modern IT systems

Wow, talk about confused history. Those Chinese people building our railroads were called immigrants, hence that production was domestic. As incredibly hard working as those people were, I don't think they spent much time building IT equipment. However, many of their descendants did, but they're now getting screwed just like other American citizens.

And let me be clear: No government or private agency has come forward with conclusive proof that any product made in China for commercial resale has these capabilities built into it at the direction of the Government.

Good point. Never take precautions. Here in NY we've decided not to prepare for another hurricane because we have no proof that another one will occur.

Re:Full Retard Mode Activate!

you basically can't buy a computer without having at least some of its parts source, assembled, or otherwise passing through China

For really top secret stuff, you can, they should, and they do. It goes as far as getting the NSA its own chip fabrication facility at ft. meade. Do you want to work there?

Re:Full Retard Mode Activate!

[girlintraining]

Depends on what you mean by conclusive, but there's a motive and there's a capability.

The motive is specious at best. China's economy is growing at 7.8% annually, and while its slowing down, that's still beating the snot out of our 2.2% rate. And the purchasing power of both the US and China are comparable -- about $12 trillion USD. China's economy depends heavily on international trade, and the major buyer of Chinese goods is the United States, clocking in at 17.1% of it's total export capacity. Screwing up trading with its biggest partner would cause them an unacceptable level of economic crisis, and quite possibly destabilize global markets as well. China may not like the United States, but it's not about to shoot itself and the rest of the world in the head.

As for capability, as Schneier points out in his own article, the majority of IT systems, commercial, industrial, residential, all have backdoors in them. It shouldn't be a surprise that military IT equipment also has some. And as he later points out, this may have simply been put in to assist in debugging; As so many backdoors are often created with that specific purpose in mind.

All I'm saying here is that the arguments being made by the intelligence committee are specious. I'm not saying they're meritless, but that they fall well short of conclusive, and barely meet the standard for suspicious.

Re:Full Retard Mode Activate!

[Tailhook]

Besides violating over a dozen international treaties

[Citation needed]

I suspect the treaty situation isn't anywhere near as clear cut as that. Those agreements are riddled with exceptions.

Besides, every single one of those treaties, like our Constitution, is not a suicide pact. The President has said "national security" and every one of those documents is trumped. If We The People don't like it we can, through our Representatives, impeach, amend the constitution or march on Washington with pitchforks.

I predict none of those things is going to happen.

And let me be clear: No government or private agency has come forward with conclusive proof

Not relevant. We need not wait until we're exploited by Chinese hardware to justify our actions. We have at least two good reasons to anticipate hostile intent. First, we already know we're dealing with a government that is actively attacking our IT systems. Second, we've done the same to others.

The economic and political rammifications of this are being glossed over -- this action doesn't just affect our relationship with China, but with any country we do business with, because they signed the same treaties, and now they're looking at our unilateral action and thinking: What makes us think the US won't renege on their deal with us?

You have as your premise some deep respect for all these treaties and agreements. I believe most of these documents, particularly the trade agreements, are products of narrow interests creating special conditions for their exclusive benefit. I believe most of them amount to throwing open the ports and hobbling the port authorities to flood the US with stuff from places with no EPA, OSHA, NLRB, IRS, etc. I do not share your reverence for that crap.

As for the economic consequences; we've managed to survive and prosper without running our government on Huawei gear. I predict we can continue to afford to do without it.

Re:Full Retard Mode Activate!

[viperidaenz]

Any backdoors that are hidden and not disclosed to the customer should be treated as malicious.

No, they can't.

[mbkennel]

Why suddenly has this come to forefront?

Because there has been classified evidence of compromises built into the hardware via the manufacturing process, which is in China or Taiwan. A shocking and deep threat.

They can't talk about it in public, but suddenly Sandia labs is upgrading its semiconductor manufacturing plant.

Re:No, they can't.

[Xest]

If it's classified then how do you know? If you have security clearance then why can you tell us?

An alternative explanation is simply because since the beginning of the financial crisis, US protectionism has increased considerably.

The conveniently timed attacks on Toyota in 2009 that turned out to be non-issues, to the more recent attacks on Chinese networking equipment, it's about one thing- trying to reduce confidence in non-US products and increase confidence in US products. It's about trying to bolster consumption of US goods to help ensure growth.

There's a reason most other countries governments findings into Chinese networking products were the opposite of the US' - they believe that protectionism is not an acceptable solution to the financial crisis, whilst for the US, it's a key policy component in relation to it. It's all somewhat related to the pre-election rhetoric about whether China is a currency manipulator to boot, that is the was US politicians are justifying it to themselves. It's also why Chinese state media recently ran a week or so of attacks against Apple- because that's China's response.

I'm not defending China per-se, I think they are at least somewhat manipulative of their currency (though also understand their justification of wanting to maintain internal stability) and I do think they use subversive practices to give their companies an artificial advantage in global trade, something which simply isn't defensible as I do not believe on one hand it's fair of them to accept the benefits of globalisation and on the other to try and cheat it, but in this particular case I think the US is just simply doing the exact same thing because it views it as easier and quicker than pursuing the proper path of WTO sanctions, although it part it probably feels these would be ineffective given that China could just point out that the WTO has ruled against the US in a number of cases and the US has just ignored it, despite the US being the driving force historically and to this day between the WTO, but then, that's what happens when you try and push one rule for you, and another set of rules for everyone else - everyone else tries to start doing that to.

It's all just part of a tit for tat trade war and little more. It's a childish game of name calling when it comes to, one that stems from hypocritical global trade policies.

There is a simple answer

[Gadget_Guy]

Surely the best thing to do would be to mandate the inclusion of the source code to the firmware with any government contract, and provide the ability to upload your own firmware image so you can ensure what you see in the code is what you are running.

Yes, I realise that this comes from a particular ideology that would be against the business interests of the hardware manufacturers. And while this wouldn't necessarily mean the firmware would be provided in an open source format to non-government users, it might make it more likely that they would do it.

What Proof Neccessary?

[interval1066]

How much proof do you need that a little attention to national security might be a good thing?

Re:What would Sun Tzu do?

[dwye]

Get to the battle field first, knock out the communications, and obliterate the enemy.

Obviously AC has never read Sun Tzu. He was not a Chinese Nathan Bedford Forrest. A battle avoided, because the enemy had to retire rather than risk it, was always his best solution.

Tu quoque is not a good defense

[MikeRT]

Just because the US has done this stuff doesn't mean we have any obligation to take the risk that it would be done to us. Or do you also believe that a rapist should be raped in order to punish them for their crime?

It's funny

[gr8_phk]

Funny how people lose any ability to think when the conclusion is that they're wrong, or even just contradicting themselves.