The problem with computers is that they talk to one another. This is a great selling point, the seamless flow of information from relevant machine to relevant machine, but asset becomes liability the moment the computer holds secrets, or is in a position to collect secrets. Especially if those secrets then make their way in to the hands of the Chinese government.
This is why Rep. Mike Gallagher of Wisconsin and Roslyn Layton of China Tech Threat spoke Aug. 21 in support of banning commercial products they fear are particularly subject to compromise.
“Over the past year and a half, there has been increasing focus on the security vulnerabilities related to off-the-shelf Chinese brands,” said Gallagher. “What is at stake ultimately really goes beyond information security. [The Communist Party of China] is using market-leading firms to export its authoritarian model abroad, and to nurture dependence in foreign capitals.”
To back this up, the representative pointed to a recent story in the Wall Street Journal about Chinese telecom giant Huawei helping the Ugandan government use its technology to track dissidents. The risk was thus twofold: a deep concern over the military acquiring specific technologies that the Department of Defense Inspector General identified as likely to compromised in a redaction-heavy report. In broader terms, Gallagher expressed fear and concern that China’s outreach with technology abroad could lock countries into entanglement and exploitation by the government of China.
The Inspector General report specifically named printers from Lexmark, cameras from GoPro, and computers from Lenovo, citing supply chain vulnerabilities for Lexmark, Bluetooth exploits for GoPro, and cyber vulnerabilities identified in Lenovo machines.
“The IG audit shows that the U.S. Army and Air Force purchased thousands of products already flagged as security risks both form the brand name (Lexmark, Lenovo) and components (notably GoPro is a US company but it has vulnerabilities),” said Layton. Specifically looking at Lexmark, Layton said that vulnerabilities discovered in the printers “could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.”
Gallagher also pointed to his work with Sen. Chris Murphy, D-Conn., to ban China-made DJI drones in the annual defense policy bill, a move DJI specifically pushed back against, saying that the security of the drones it provides had been independently verified.
“I got language included in the House version [of the NDAA DJI ban] that would establish security as the fourth pillar of acquisitions, on par with cost, schedule, and performance,” said Gallagher.
Gallagher pointed to a story published by Bloomberg in October 2018 that suggested a tiny microchip had been inserted onto the server motherboards made by Super Micro, which could have allowed China to gain access to any network using a server with a compromised motherboard. Subsequent investigations have been unable to verify the claims originally made in the Bloomberg story, and in May 2019, Super Micro moved its production outside of China.
“I know there is some controversy behind the [Bloomberg] story,” said Gallagher, “but regardless of what happened in that case, we have to act with the understanding that something like that could happen in the future. The warning is out there, and we need to view supply chain security accordingly.”
This critique comes at a time that the Pentagon is looking with great interest towards incorporating the cost savings and modern advantages of a host of commercial off-the-shelf technologies.
Speaking at the DoDIIS conference August 19 in Tampa, Defense Intelligence Agency Director Lt. Gen. Robert Ashley said, “I would ask you to take the words “proprietary” and “no foreign” out of your lexicon. We cannot do that. We have got to be able to share with our allies and partners.”
As Gallagher explains it, adding security as a pillar of acquisitions does not mean automatically ruling out technology abroad. But it does mean greater scrutiny of the ways in which governments can shape that technology, with an eye towards risk and vulnerability.
“We have to be clear that we don’t have a problem with foreign components—we have a problem with the way in which the Chinese Communist Party uses its domestic champions to advance its security interests globally,” said Gallagher. “If anything, in recent years, I’d argue Congress has made our defense supply chain more interoperable with allies by incorporating countries like Australia and the UK into the National Technology and Industrial Base.”
Gallagher specifically pointed to the way the Committee on Foreign Investment in the United State screens foreign investment as a way to model component screening for technology.
“I think that there are a number of mechanisms to identify threats and vulnerabilities including but not limited to Commerce BIS Entity List and related process, the Vulnerabilities Database, Intelligence Reports and so on,” said Layton. “ These are working well identify threat. The problem is communicating the threats to the end users (in this case the holders of Government Purchasing Cards) and implementing the purchasing protocols. This is a vulnerability that adversaries will exploit.”
Because the stated risk extends not just to name-brand manufacturers and national champions, third-party components or small companies in the chain could in theory lead to new exploitable weaknesses, even if the Pentagon is diligent about adhering to both the warnings of the Inspector General and the laws passed by Congress specifically forbidding the use of certain companies.
It also likely means that, should security regularly become a pillar of acquisitions alongside cost, schedule, and performance, aligning all four values may increase cost, slow the schedule, and lead to some tradeoffs in performance. That’s an acute tension in a Pentagon eager to follow the rapid iteration model set by Silicon Valley, but there’s not a whole lot of security in moving fast and breaking things.