Reply to post: Sad to say, but this story is probably true...

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Marketing Hack Silver badge

Sad to say, but this story is probably true...

1) Everyone knows that China loves to acquire/steal/copy other countries intellectual property. They aren't the only ones who do this, but I think I am safe in assuming that most Regenistas would agree that they at least have the public reputation of being the worst actor in this area. There is a reason why if I were to use the phrase "Chinese knock-off" when talking about a product, pretty much every Regenista would pretty much know what I was saying

2) Like every sigint/intel community, the Chinese want to know what target governments/militaries/companies/organizations are doing.

3) Unlike most sigint/intel community members, the Chinese have a very large portion, and perhaps most of the sub-assembly and component supply chain in their own country.

4) The Chinese government is very authoritarian, and will openly throw up regulatory/legal/political roadblocks against companies that don't do what the government wants. I've seen this first-hand, and of course there are barge-loads of news stories about this.

5) The Chinese culture also has a higher-than-normal tolerance for bribery.

6) Thanks (once again!) to Edward Snowden, we know that both the U.S. and British intelligence communities have the capability, operational authorization and much past experience with intercepting and backdooring electronics shipments when they are in the supply chain. It is pretty much certain that the other members of the 5 Eyes agreement either have this capability in-house, or they subcontract this kind of work through relevant requests to their U.S. and British partners.

7) Given their reputation for corporate and governmental espionage, I would assume that at the very least France and Russia also have and use these capabilities in-house.

So why wouldn't huge, powerful and increasingly global China do this? It's not like China is morally like a giant version of Sweden or Switzerland. They have no compunctions about being very tough and aggressive versus potential regime opponents, ethnic and religious minorities, journalists and whistle-blowers, companies that want to invest in or export to China, neighboring countries that are not overt allies, etc.

So given that China and others are almost certainly doing this, then I guess the real issue is what do IT and tech professionals do about it? One, make sure that you have elaborate network monitoring, data and firewalls if you are dealing with strategically valuable or sensitive commercial or government information. Your average small/mid-sized business can get away with basic antivirus and email filtering, but once you are dealing with data where you can look at it and objectively say "I could see how country X would like to get this info to give an advantage to their government or corporate sectors.", then you should probably start pressing your management to get very serious about network security.

Two, give as little cover as possible to national security/intel agencies that try to get involved in standards-setting. Assume that they do not want secure IT for anyone but themselves. In fact, truly secure IT would tend to dramatically reduce their usefulness to political and strategic decision-makers, and therefore negatively impact the future of those agencies and the careers of their employees.

Three, if you are dealing with the kind of valuable information that I discussed above, and you have the resources to really audit and inspect your hardware, do that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019