Paranoia will destroy you: Why Chinese tech isn't spying on us



At CES 2018 in Las Vegas, the US President of Huawei’s consumer business, Richard Yu, went off-script in his presentation to lament that the Chinese smartphone giant has been unable to consummate a deal to sell its smartphones at any large US-based cell carrier.

The exact reasons why Huawei has been unable to do this have not been verified, but it is thought that political pressure applied by lawmakers in the US Congress on AT&T and other carriers may be the root cause — that these US telecom firms would be putting government contracts in jeopardy by doing further business with the Chinese firm.



China and the US: A complex relationship

Huawei does not just make smartphones. It is also a gigantic telecommunications equipment manufacturer and is actively involved in determining the global 5G standard, which it is collaborating on with AT&T.

US Republican representative Michael Conway of Texas has sponsored a bill — H.R. 4747 — that, if passed, would prohibit any US government agency from doing business with Huawei and ZTE.


The verbiage of the proposed bill claims that, according to our security agencies, Huawei and ZTE have shared sensitive information with China, and that Chinese security agencies can access private US business communications using Huawei and ZTE’s equipment.

Huawei and ZTE, of course, have repeatedly denied these allegations since Congress began accusing both of these firms of using their commercial networking products for espionage back in the fall of 2012.

It should be noted that no substantial proof of espionage by China or Huawei/ZTE has ever been established from these accusations, and the House intelligence committee report released at the time did not offer much in terms of substance either.

There’s no question that the relationship between China and the US is a highly complex one, and that China possesses one of the most sophisticated security apparatuses in the entire world, rivaling that of Russia, the US, and other western nations.

Just as the US routinely spies on many countries, China’s security agencies also spy on the US and other nations of interest.


Our economic reality

So, what is the solution? To stop buying equipment from China and to cease doing business with them?

Well, the short answer is not only no; it would basically be impossible, both financially and from a practicality standpoint.

In 2016, US exports to China were $116 billion, whereas the value of China’s exports to the US was $463 billion — making that year’s trade deficit $347 billion.

Our debt to China, financed by US Treasury notes, is $1.2 trillion. This financing of Treasury notes has kept US interest rates low.

If China stopped buying US Treasury notes, the interest rates would rise and could throw the entire world into a global recession. This wouldn’t be in China’s best interests because shoppers would buy fewer Chinese exports.


China also cannot call in that $1.2 trillion loan — it would utterly poison its well.

That’s the economic reality. The US — and the western world as a whole — is China’s best customer next to its own domestic market. The country has zero desire to jeopardize this, regardless of its own national security interests.

If it were discovered that China was, in fact, using consumer electronics exports to spy on American citizens and businesses en masse, the consequences would be utterly disastrous for it.

Not just in terms of jeopardizing its export business in the US but also in every country it does business with. It would be catastrophic for the country’s image and would throw the global consumer electronics industry into utter chaos.


All kinds of stuff come from China

Chinese firms aren’t just responsible for final assembly, productizing, and shipping product abroad; they also form a large portion of the overall supply chain for the electronic components used in just about every electronic device manufactured all over the world.

I’m talking about all kinds of stuff that go into not just smartphones and mobile devices, but also the Internet of Things (IoT), major appliances, medical devices, automobiles, aerospace, you name it.

If a product has semiconductors in it, there is a good chance they came from China. Yes, there are other countries that make products that have semiconductors and electronics, such as Japan, Korea, Taiwan, Singapore, Vietnam, Malaysia, and, of course, the European and South American nations.

But they too use Chinese firms as not just suppliers for certain things but also for partial and final assembly, because it is that much cheaper to do there.


Keeping China out of products

So, what do we do? Well, we can’t prohibit American firms from doing business with Chinese companies or foreign firms that use Chinese-made components just because we are nervous they might use their products to spy on us.

We can set internal procurement controls on certain types of products and have rigorous monitoring and testing of stuff before it ends up being used in government agencies, but that’s about it.

There is no practical or legislative way of keeping China out of products being brought into the US. Such efforts would be counterproductive.

That being said, the threat of our devices being used to spy on us is very much real — but China should not be the focus of concern. Rogue nation states such as North Korea and malicious/criminal groups seeking financial gain are really what we need to be concerned about.


An international effort is needed

I believe there needs to be an international effort to monitor and certify consumer electronics so that we can better understand the nature of these threats and then take appropriate action when they are discovered.

The software development and hacker communities residing within the major technology firms already have informal inter-firm efforts to monitor embedded operating systems and applications for potential malware.

To date, they’ve done a very good job overall of discovering major security exploits and malware. We can improve on this by formalizing how it is done: our government would form and fund organizations with our allies, as part of overall international treaty negotiations, with the express purpose of increasing due diligence in the analysis and monitoring of software that runs on consumer electronics.

The efforts to date have only covered “in-band” types of exploits and malware. In other words, code and processes that exist in software, such as Android or iOS applications distributed in the respective app stores or sideloaded, or processes that run in the different OEM distributions of the mobile operating systems themselves.


This needs to continue, but we have to go deeper. The real concern would be “out-of-band” exploits and malware that would not be discovered within applications or operating systems but in the components, such as firmware or hard-coded routines within the semiconductors themselves (like a baseband communications chip) that would not be detected as a high-level process.

So far, no such state-sponsored malware or exploit has ever been detected in a semiconductor component originating from China. Or, at least, such a discovery has never been made public.

The only comparable out-of-band exploits that have been discovered are the Spectre and Meltdown bugs in Intel, AMD, and ARM processors, which are categorized as unintentional but exploitable architectural flaws and common issues related to modern microprocessor design — and they have nothing to do with China.

Oh, and the most significant discovered out-of-band exploit prior to those two? Also Intel in origin.


We can’t preoccupy ourselves with this

So, should we be concerned about out-of-band exploits and potential malware in a society that is increasing its use of electronic devices in every aspect of our lives? Yes.

Should we closely examine this with much more organized and international efforts? Absolutely.


Should we worry that China is plotting some master plan to Hoover all our data and penetrate our government and corporations using undetectable malware embedded in the fundamental components found in consumer electronics manufactured in that country?

No. There’s a chance it could happen, and we should be vigilant and make our best efforts to monitor that it isn’t happening, but we can’t preoccupy ourselves with this.

Let American consumers decide which products they want to buy. Legislation that prevents competition is not only stupid and unproductive but also puts our citizens at a disadvantage by not allowing them to purchase inexpensive products that other countries can freely and easily access.

Should you be allowed to buy Chinese brands of phones in the US? Are Congress and the Trump administration interfering with the fundamental principles of capitalism? Talk Back and Let Me Know.
