China spyware embedded in the drivers of US router and network equipment

US-based tech security reporter John Casaretto writes that four major producers of routers and network equipment have been infiltrated with Chinese spyware. If this is true, it could be a game-changer in the back and forth between the US and China over cyber espionage.

First, the heart of Casaretto’s findings:

A confidential government-affiliated source reports that the top networking gear in the US, from at least four of the major manufacturers of routers and network equipment, has been found in several cases to be infiltrated with Chinese spyware for quite some time. It has been detected in the code that is embedded into drivers, as these networking companies rely on a very small group of Chinese-manufactured components.

A high level source at a major networking company asked not to be named, but privately confirmed these findings. Advanced testing conducted in the investigation has seen trace-marked digital information slip outside the network stream off to its final destination.

In his article, Casaretto notes that this issue of Chinese spyware is distinct from the US ban on Huawei-made equipment in US government contracts. Yet, if this can be confirmed, it helps explain the timeline of the Washington-based furor around Huawei. Since the warnings began about Huawei, there has been a lack of evidence offered up by the US, presumably because any evidence would also expose information the government wouldn’t want out there. But this would be precisely the kind of thing US info security experts, including government ones, would worry about. Casaretto writes that the issue “parallels but is distinct from the accusations and eventual US ban of spy-loaded network gear from the Chinese network equipment manufacturer Huawei.”

The Snowden revelations detail US efforts to intercept network hardware bound for target organizations and to implant US bugs in them. So why wouldn’t manufacturers in China build their spyware into the equipment bound for the overseas destinations? In China there is no real line between the state and business.

If China is doing this, it certainly puts the Snowden accusations in context. More broadly, it’s a blinking red light over the risks of outsourcing too much equipment manufacturing abroad, something American manufacturing groups are quick to point out. I imagine US government elites are making the case to private sector IT elites about the need to onshore more manufacturing, lest US industry hand all of its expertise to its Chinese rivals.

How to create a new market for laptops

Remind the public that people in sensitive work don’t trust the fundamental security of a brand of computers.

That’s what this article on spy agencies not using China-made Lenovo computers does.

From the Australian Financial Review:

The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips. A Department of Defence spokesman confirmed Lenovo products have never been accredited for Australia’s secret or top secret networks.

The classified ban highlights concerns about security threats posed by “malicious circuits” and insecure firmware in chips produced in China by companies with close government ties. Firmware is the interface between a computer’s hardware and its operating system.

And while spy agencies are at the upper end of sensitive work, in a knowledge economy most knowledge that is not broadcast has some level of sensitivity, whether it is corporate spending plans, sales contact lists, leads, schematics, blueprints, code, strategy, and so on.