Is it safe to buy Chinese-made computer equipment?
With Google and the National Security Agency now teaming up to investigate supposed Chinese hacking and most of our PC hardware coming from China, it's a fair question. And a hard one to answer with certainty.
It is made more urgent by a report in the Sunday Times newspaper that Chinese spies in the U.K. have been handing out bugged memory sticks and cameras to targeted businesses in an attempt to steal the companies' intellectual property.
Headlined, "China bugs and burgles Britain," the story quotes a classified report from MI5--their equivalent of our CIA--and says, "The gifts--cameras and memory sticks--have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers."
My friend, security blogger Steven J. Vaughan-Nichols, yesterday posted an item suggesting it wouldn't be too difficult for Chinese PC manufacturers to build backdoors into their products and use them to spy on pretty much anyone.
"If China's government really is hell-bent on keeping an eye on American and European businesses, why not just incorporate 21st century backdoors into their products? Then, you could just have them automatically call home to do a data dump of documents. If there's anything interesting in the files, it can be set to monitor its user on a regular basis," Vaughan-Nichols wrote.
"There's nothing difficult about doing this. Not only are backdoors easy to create, running an automatic check for words of interest, even in terabytes of documents, just requires some servers. After all, Google does it every day with far more data than such a plot could ever uncover."
Vaughan-Nichols goes on to state that if he were running IT at a company that might be a Chinese target, he'd "stop buying Chinese products today."
I think that's a tad over the top, but appreciate the sentiment. I believe we need to look to our manufacturers to protect us.
After all, with the exception of Lenovo, the big PC companies doing manufacturing in China are American-based and all have a huge interest in protecting their customers. Can you imagine the firestorm that would break out if it could be proven that Dell, HP, Apple or even Lenovo computers were bugged?
The manufacturers have a responsibility to routinely audit their machines for malicious code of all types. The U.S. government has a responsibility to work with these companies to provide the technical assistance and intelligence necessary to make these audits effective.
In light of recent events, there should probably be some new urgency to this work, but nothing more.
I see no reason to be concerned about Chinese hardware today, but do appreciate the importance of the question. On matters like this, I often default to the approach taken by a great American President in dealing with the Soviets.
"Trust, but verify."