US urged to act immediately to save its systems from the ‘growing threat of Chinese cyber theft’
‘Nefarious actors’ tied to China target networks of US government contractors to exploit vulnerabilities in federal information systems, report says
The US government must urgently address growing threats posed by “nefarious actors” in China infiltrating American intelligence bodies and critical infrastructure systems through information technology systems and components, a congressional body warned.
“Nefarious actors linked to China have targeted the networks of private sector entities and private sector government contractors in order to obtain sensitive government information and to exploit vulnerabilities within federal information systems,” according to a report commissioned by the US-China Economic and Security Review Commission.
“China has expanded its efforts to obtain economic advantage by pursuing knowledge of key technologies through corporate acquisitions and by using the economic power of Chinese companies as tools of the state,” the report said.
Internet of Things (IoT) and 5G mobile telecommunication networks “will expand the attack surface” of federal information and communication technology networks for China’s cyber criminals, “while decreasing time required to breach them”, according to the report.
Some of the report’s statistics highlight the extent to which components made in China are part of the US government’s IT networks.
For example, shipments from China account for 51 per cent, on average, of imports by the seven largest commercial IT manufacturers that supply the US federal government. At 73 per cent, Microsoft’s dependence on China-origin components is the highest among the seven.
The commission recommends a more centralised system of supervision for the federal government’s supply chain risk management (SCRM) effort, possibly with a role for the departments of homeland security and defence.
The report calls for “open source” accounting for the origin of all inputs used in products or systems ICT vendors supply to the US federal government, which accounts for more than 8 per cent of all IT spending in the country. Federal authorities spent some US$90 billion in 2017, making it “the largest single vertical market for IT in the US”, followed by the banking industry.
It also calls out ZTE, a Chinese telecommunications equipment maker already facing sanctions from the US Department of Commerce for false statements about its sales to Iran, for state-sponsored corporate espionage.
The US is not the only country to identify cyber threats by China.
A 2017 report by PwC and the UK’s BAE Systems detailed the evolution of a China-based cyber-espionage campaign known by several names including “APT10” and “Stone Panda”.
APT10 has been known to target US defence industrial base organisations, managed IT service providers and their clients, as well as several directly targeted organisations in Japan, according to the report, with the earliest known activity occurring in December 2009.
“Espionage attacks associated with China-based threat actors … have traditionally targeted organisations that are of strategic value to Chinese businesses and where intellectual property obtained from such attacks could facilitate domestic growth or advancement.”
Warnings about China’s cyber theft efforts are the latest in a series of friction points between Washington and Beijing, which started when US President Donald Trump, during his election campaign, cited alleged unfair trade practices and investment rules by China as the main reason for US job losses and economic stagnation.
In December, Trump accused China of “attempting to erode American security and prosperity” in his national security assessment speech.
Then, after trade data showed the 2017 US deficit with the country grew to a record high, Trump announced punitive tariffs to be slapped on Chinese imports, a move that drew reciprocal action from Beijing.
The commission, which reports to Congress with recommendations on legislative action related to China, has also played a role in a separate but related effort to prevent the transfer of some advanced technologies to China through acquisitions.
Last year, the body recommended an expansion in the authority of the Committee on Foreign Investment in the United States (CFIUS) to review – and if necessary, halt – acquisitions of US companies by Chinese firms if the technologies developed or produced by a US party could be adapted for military purposes.
Several bills strengthening CFIUS are making the rounds in Congress, including the Foreign Investment Risk Review Modernisation Act, co-sponsored by ranking senators John Cornyn, a Republican, and Dianne Feinstein, a Democrat. The proposed legislation would widen the scope of government reviews of foreign investments to any “non-passive” investments and joint ventures.
Currently, CFIUS only reviews acquisitions that give the foreign party majority control.
The security review commission’s report addresses the threat to US economic competitiveness caused by technology transfers from subsidiaries of US companies like Intel and Apple.
Regulations that require US tech companies operating in China to give up source code and store data in government-owned cloud computing infrastructure are part of Beijing’s efforts to build “national champions” in the tech industry.
“Government support can take many forms, but it often includes preferential financing rates, preference in government contract bidding, and sometimes oligarchy or monopoly status in protected industries,” the report said.
“In the case of Chinese national champions, the support also appears to include officially sanctioned or officially conducted corporate espionage designed to improve the competitiveness of Chinese firms while potentially advancing other government interests. Huawei, [ZTE] and Lenovo are three Chinese ICT companies that exhibit some of these characteristics.”
Earlier this week, the US commerce department activated a ban on sales by American companies to ZTE, punishing the Chinese telecommunications equipment maker after it allegedly made false statements during an investigation into the disciplinary measures it was supposed to take against employees who ran a unit that did business with Iran and covered up those deals.
ZTE’s sales of “hundreds of millions of [US] dollars” worth of routers, microprocessors and servers to Iranian entities for several years starting in 2012 violated the US’s Export Administration Act of 1979, according to an order issued by the commerce department.