China's penetration of U.S. supply chain runs deep, says report

A new report sounds alarm bells over the extent to which China has penetrated the technology supply chain, and calls on the U.S. government and industry to develop a comprehensive strategy for securing their technology and products from foreign sabotage and espionage.

These products could be modified to fail or perform at below expectations, facilitate espionage or compromise U.S. federal and private sector networks. Software supply chain attacks could become more common as the nation collectively moves towards 5G wireless networks and connected devices become more common.

The report, authored by Interos Solutions on behalf of the U.S.-China Economic Security Review Commission, posits that Chinese leaders have executed a multi-pronged strategy over the years to put their homegrown companies at the nexus of the U.S. and global technology supply chain, incentivizing corporations to build products locally and acquire businesses with contracting footholds in other nations.

"China did not emerge as a key node on the global ICT supply chain by chance," the report's authors write. "The Chinese government considers the ICT sector a 'strategic sector' in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises."

An analysis of seven major U.S. based tech companies – HP, IBM, Dell, Cisco, Unisys, Microsoft and Intel – found that more than half of the products they and their suppliers use are shipped from China. Microsoft relies on such products the most, with analysts tracing 73 percent of their shipments between 2012 and 2017 back to China.

At the same time, Bejiing has moved to prevent other countries from using similar strategies to crack the Chinese market, accelerating indigenous production of IT and communications parts and requiring outside businesses to turn over their source code store data on Chinese servers and allow the government to conduct security audits on their products before gaining access to the Chinese market.

Furthermore, the report argues that the U.S. government lacks an overall strategy to anticipate future developments in supply chain, identify potential threats and mitigate threats. The overall push for IT modernization means the government will increasingly rely on a web of complex supply chain operations that eventually originate with commercial suppliers in China. Laws like the Federal IT Acquisition Management Act and the Modernizing Government Technology Act put pressure on agencies to modernize through commercial-off-the-shelf products that are more likely to originate from China.

However, some argue that some of those actions, like inspecting source code and security audits, are part of the reality of operating within a global supply chain. John Pescatore, a former NSA cryptologist and current director of emerging security trends at SANS, told FCW that most countries distrust technology that originates from other countries.

"The Microsofts and Googles and Apples of the world have to deal with [questions about] 'are they doing the bidding of the NSA?'" said Pescatore. "It's a global economy and everybody wants to sell everywhere in the world, so you can’t simply say ‘I’m not going to buy things from a certain country.'"

U.S. officials believe telecommunications infrastructure is particularly vulnerable. The Federal Communications Commission has proposed a new rule preventing any subsidies from their $8.5 billion Universal Service Fund from being spent on U.S. companies that buy equipment from foreign companies deemed to be a national security threat.

Supply chain dependences cut both ways. Last week, the U.S. government imposed export restrictions preventing U.S. companies from selling their technology to ZTE, a Chinese telecommunications firm that has been fined a collective $1.4 billion in recent years for selling communications equipment and technology to Iran and North Korea. It's estimated that the company sources 25 percent of its tech, including Qualcomm chips, from U.S. firms. Shares in ZTE lost value and Chinese investments funds are reevaluating their exposure to ZTE in light of restrictions.

National security officials have sounded similar alarms about another Chinese telecom company, Huawei, and the Department of Defense has barred products from both companies from being used on DoD networks. The moves appear to have spooked U.S. partners like Verizon and AT&T, who have both backed away from selling Huawei cellular phones in the U.S. domestic market this year.

The U.S. has also imposed restrictions on tech sourced from Chinese government-owned firms in government procurement. But unavoidably, Chinese-made tech does find its way in to U.S. government systems. At an April 18 event hosted by the Aspen Institute, William Evanina, director of the U.S. National Counterterrorism and Security Center, specifically mentioned 5G and the federal government's IT modernization initiatives as areas of the U.S. supply chain ripe for exploitation. The ability of Chinese businesses to dramatically underbid U.S. companies on subcontracting opportunities is a problem, he said, and the government doesn't always succeed getting some companies to see past the substantial cost-savings.

"When you go to a board of directors of a CEO and say 'Hey, I know you have two bids, you have Cisco or Oracle, and then you have the Chinese company which is forty percent cheaper,' it's hard to explain to them and hard for them to explain to their constituents that they're going to pay 40 percent more for a U.S.-based company because it doesn’t threaten national security."

Pescatore argues that with some exceptions, like connections to terrorism or international pariahs like North Korea, it is impractical and ineffective for the government to base its IT supply chain security strategy around prohibiting the use of products based on their country of origin. Instead, he suggests federal agencies and companies are better off focusing on utilizing best practices for supply chain risk management. 

"Supply chain risk management requires testing of the products you buy, and in a software world it requires testing of the software, and in global software market it requires countries to test foreign vendors and local vendors the same," said Pescatore.