China spyware embedded in the drivers of US router and network equipment

by Chris Zappone

US-based tech security reporter John Casaretto writes that four major producers of routers and network equipment have been infiltrated with Chinese spyware. If this is true, it could be a game-changer in the back and forth between the US and China over cyber espionage.

First, the heart of Casaretto’s findings:

A confidential government-affiliated source reports that the top networking gear in the US, from at least four of the major manufacturers of routers and network equipment, has been found in several cases to be infiltrated with Chinese spyware for quite some time. It has been detected in the code that is embedded into drivers, as these networking companies rely on a very small group of Chinese-manufactured components.

A high-level source at a major networking company asked not to be named, but privately confirmed these findings. Advanced testing conducted in the investigation has seen trace-marked digital information slip outside the network stream off to its final destination.

In his article, Casaretto notes that this issue of Chinese spyware is distinct from the US ban on Huawei-made equipment in US government contracts. Yet, if this can be confirmed, it helps explain the timeline of the Washington-based furor around Huawei. Since the warnings began about Huawei, there has been a lack of evidence offered up by the US, presumably because any evidence would also expose information the government wouldn’t want out there. But this would be precisely the kind of thing US info security experts, including government ones, would worry about. Casaretto writes that the issue “parallels but is distinct from the accusations and eventual US ban of spy-loaded network gear from the Chinese network equipment manufacturer Huawei.”

The Snowden revelations detail US efforts to intercept network hardware bound for target organizations and to implant US bugs in them. So why wouldn’t manufacturers in China build their spyware into equipment bound for overseas destinations? In China there is no real line between the state and business.

If China is doing this, it certainly puts the Snowden accusations in context. More broadly, it’s a blinking red light over the risks of outsourcing too much equipment manufacturing abroad, something American manufacturing groups are quick to point out. I imagine US government elites are making the case to private sector IT elites about the need to onshore more manufacturing, lest US industry hand all of its expertise to its China rivals.