China poses a serious and immediate cybersecurity threat to the federal supply chain in part because of connections Chinese state-owned enterprises (SOEs) have to key tech companies working in the government sector, a report recently issued by the U.S. China Commission has found.
The report, undertaken by Interos Solutions and the first of its kind, found that China has a number of strategic relationships with U.S. tech companies through partnerships with Chinese state-owned enterprises that have ties to China’s military, nuclear, or cyber-espionage programs. Major U.S. firms including VMware, Dell and Microsoft are named in the report.
The ties put the federal supply chain at increased risk in myriad ways, the report found. “This risk could present itself as a supply chain attack through a compromised product, such as batteries or acoustic components supplied to federal ICT (information and communications technology) providers,” the report found. Other more subtle actions due to these partnerships also could threaten the federal supply chain, including federal technology providers revealing design information, product specifications or other sensitive information to their suppliers as part of standard business practices.
“Business information that may be innocuous when passed to a standard business partner becomes less innocuous when passed to individuals or entities associated with a rival government,” according to the report.
Lack of supply chain oversight
Ties between federally approved technology companies and Chinese state-owned firms have slipped through the cracks of those responsible for managing cybersecurity threats because the U.S. federal government lacks a supply chain risk management (SCRM) plan, the report found.
For example, federal agencies don’t take a comprehensive approach to managing supply chain risk, with policy-making and enforcement of supply chain risk management falling victim to bureaucratic confusion, the report concludes. “SCRM of federal ICT systems has been divided in multiple ways—among federal information systems and other initiatives designed to protect critical infrastructure or high-value assets and among national security systems (NSS) as a subset of federal information systems,” according to the report.
As is often the case in the federal government, related duties and responsibilities are spread across separate and siloed departments. For example, the Office of Management and Budget has purview over federal information systems used or operated by federal agencies or their authorized contractors. But the National Institute of Standards and Technology (NIST) is responsible for creating standards and guidelines for these systems. NIST, however, has no regulatory authority; it merely makes its recommendations using a comprehensive public review process. Regulatory authority lies with Congress and the Executive Branch, which must create and pass the laws and policies within the federal government for how the NIST standards and guidelines will be carried out on federal information systems.
While there have been a number of these laws enacted–particularly under President Obama–to boost supply chain risk management, the policies have not prevented federal technology suppliers from cozying up to China, the report found.
Cloud is future cybersecurity battlefield
The report cites a relationship between VMware, a subsidiary of Dell, and a Chinese state-owned enterprise called Sugon (which goes by the English name Dawning Information Industry). The two firms launched a cloud-computing joint venture in April 2016.
Sugon–a Tianjin-based company that specializes in high-performance computers, servers, storage products and software systems–has the Chinese government as its largest shareholder. The VMware-Sugon joint venture is called VMsoft and provides cloud computing and virtualization software and services. VMware holds a 49 percent stake in VMsoft, while Sugon holds a 51 percent stake.
While hardware companies long have had relationships with Chinese suppliers, the true cybersecurity battleground is in the cloud, making these types of relationships more risky, the report found. “Future risks will involve software, cloud-based infrastructures, and hyper-converged products rather than hardware,” according to the report.
Further, VMware has “product relationships” with Kaspersky Lab–the Russian-owned cybersecurity provider that has become the focus of suspicion within the U.S. intelligence community for its ties to Russia’s intelligence services.
“A recent reported shift in the leadership of Kaspersky Labs has seen people with close ties to Russian military and intelligence services filling more executive positions,” according to the report. “Speculation exists that these executives are actually participating in investigations on behalf of the Russian government and may share Kaspersky customers’ data with the government.”
Hardware vendors still pose risk
Existing hardware partnerships also continue to be a problem as China raises its profile as a cybersecurity rival, the report found. Dell has other component partnerships in China that could pose SCRM risks. Among them is Lishen Power Battery Systems Co. Ltd., a subsidiary of Tianjin Lishen Battery Joint-Stock Company Limited, a state-owned entity affiliated with CETC, a network of former military labs that operates both commercial and military technology businesses. CETC also is Lishen’s sole shareholder.
Both Dell and HP source liquid crystal displays (LCDs) from the state-owned TPV Technology Ltd. and Shenzhen Laibao Hi-Tech Co. Ltd. Dell also sources LCDs from six sites controlled by BOE Global, a company whose largest shareholder is the Beijing state-owned Capital Management Center.
Those companies aren’t alone. Redmond, Washington-based Microsoft also has ties to China that don’t bode well for the state of federal supply-chain cybersecurity. The company buys LCDs from Tianma Microelectronics–a primary shareholder of which is the State-Owned Assets Supervision and Administration Commission, which manages the central government’s SOEs. Tianma shareholders also have ties to China’s largest defense supplier.
Microsoft further sources magnetic materials and acoustic components from two Chinese companies–Hengdian Group DMEGC Magnetics Co. Ltd. and GoerTek Inc., respectively. The former is a subsidiary of Hengdian Group Holdings, a state-supported enterprise that has cooperated with the state-owned China National Nuclear Corporation. The latter also has Chinese state-backed investment, as well as long-term strategic partnerships linked to China’s cyber espionage programs at various state-run universities.
No surprises, but action needed
While stakeholders did not seem blindsided by the findings of the report, they agree that the feds are facing real challenges on the cybersecurity front that not only aren’t going away but are becoming more critical.
In an e-mail to Federal News Radio published in an online report, Larry Wortzel, a commissioner with the U.S. China Commission, said the government already knew of the risks associated with hardware coming from U.S. tech companies. However, in the future the government will have to keep a closer eye on threats from the increase in cloud-based software and services.
“In my opinion, the big takeaway from the report is that ‘any information and communication technology component’s physical structure pales in importance compared with the firmware and software operating within it,’” Wortzel said, quoting the report itself. He said that the government will have to monitor business alliances, investment sources and joint R&D efforts more closely for potential risk.
The report makes six specific recommendations to the federal government to undertake a national SCRM strategy to prevent future cybersecurity incidents from threats to the supply chain.
Those actions are: enacting an adaptive SCRM process; centralizing federal SCRM efforts; linking federal regulations to appropriations; promoting supply-chain transparency and partnership with industry; and crafting forward-looking policy.