Maybe the Chinese espionage rhetoric is more than political hot air

Evidence has reportedly been found of China spying on more than 30 US companies, suggesting the anti-China rhetoric might be more than political posturing.

To date, little hard evidence has been displayed in the public domain regarding Chinese espionage, but that might be about to change. According to Bloomberg, a three-year old investigation has uncovered tiny microchips nestling on the motherboards of servers used not only in private corporations, but Department of Defense data centres, the CIA’s drone operations, and the onboard networks of Navy warships. These chips can be traced down the supply chain to a Chinese subcontractor used by SuperMicro.

While espionage has focused on locating and exploiting vulnerabilities in software in recent years, compromising hardware can be more effective. It is more difficult to do, but due to the life-cycle of these products, it can be longer until the issue is uncovered. Compromising hardware can be done in two ways; firstly, devices can be manipulated when on-transit between the supplier and the customer, or the nefarious activities can be conducted at the beginning of the manufacturing process. This is an example of the latter.

The microchips were first discovered after Amazon sought to acquire a company called Elemental. Elemental makes software for compressing massive video files and formatting them for different devices, but also provides expensive servers for customers installed on their sites to handle the video compression. These servers were assembled by SuperMicro, which in turn outsourced some processes to the Chinese subcontractor. These microchips allowed the controller to create stealth doorway into any network that had servers hooked up to it.

To conduct this sort of espionage is incredibly difficult. Not only does the microchip need to be small enough to avoid detection, and powerful enough to perform the desired actions, implanting the device would require an intimate knowledge of the products design. Considering how much of the worlds telecommunications manufacturing is done in China, the country is in an incredibly unique position to master the complex and intricate task. Sources states the microchips were inserted by operatives from a unit of the People’s Liberation Army, the armed forces of the People’s Republic of China and Communist Party of China.

Amazon has stated it had no knowledge of such a saga, though Bloomberg notes this is contradicted by its own sources. While the scale of such espionage activities are unknown for the moment, it is believed more than 30 companies could have been victims, including Apple which had planned to purchase servers from SuperMicro as part of the companies data centre expansion plans.

For the US government, this might just prove to be the justification it needs to chase Chinese companies off the shores. It has been battling to rid the country of Huawei and ZTE, though as little evidence has been released to the general public, a sceptic might suggest this was little more than anti-communist propaganda.

Unfortunately, this might simply compound the pressure which is being applied to China, instead of creating a resilient security framework. A whitepaper from the Rural Broadband Alliance entitled Domain5 suggests a supply chain can be compromised at any point and concentrating on one country might not be the best solution. Operatives are capable of infiltrating a manufacturing plant, in theory, irrelevant as to where it is, therefore concentrating too intently on one country might weaken the security protocols elsewhere.

This should not undermine what is perhaps the most damning evidence of Chinese espionage in recent years however. Various intelligence committees and sub-committees have pointed the finger of dodginess at China for years, though this is the most compelling evidence which we have seen.

5G could open us up to digital terrorism – GCHQ

Connecting our toothbrush to the internet might sound like a futuristic dreamland, but are we fast becoming the architects of our own downfall.

Writing for the Sunday Times, Head of GCHQ Jeremy Fleming has aired his concerns about the digital economy. Yes, it has the potential to create a sophisticated and efficient society with opportunity for all, but also runs the risk of a new form of danger with terrorists hijacking the very same 5G networks which are supposed to make our lives so wonderful. He even managed to drop China in, hinting at the threat of allowing the country to provide the majority of our critical communications infrastructure.

“They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer,” Fleming writes. “But they also bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.”

While it might sound very doom and gloom, Fleming is of course correct. The internet is a scary place with dark corners. New ideas are created every single day, some of them are a force for good, some of which will be utilised by nefarious individuals. The more light which is shed into these unexplored corridors of the web, the more we realise how exposed we are.

Unfortunately, Fleming is raising an argument which is not original; incorporating security into the building blocks of services and products, not simply treating it as an add-on. This should be the approach for making the digital economy secure, though this is rhetoric which we have been hearing for years. The more often it is said, the less impactful it becomes. Perhaps we are blindly wandering down the path to destruction purely because it is easier than tackling the difficulties of making consumers secure.

Another interesting point is collaboration. Again, this is not a new argument, but Fleming seems to be attempting justification for increased access to our digital lives. Using friendly words such as ‘collaboration’ or ‘public debate’ and ‘open co-operation’ should not put a smile on the face of an campaign which has been going on for years.

“We believe some principles allowing industry and governments to demonstrate responsible access that protects privacy are within reach,” Fleming states. “These do not require unfettered access for governments through so- called ‘back door’ or global ‘skeleton key’ schemes. But they do require public debate and close, open co-operation and agreement with technology companies. And when these solutions exist, they also require modern legislation and strong oversight to maintain public confidence.”

Fleming is right though. There does need to be a mechanism to ensure intelligence and police services can ensure our safety, but there is yet to be a sensible solution which offers security, accountability and justification. Last year, former Home Secretary Amber Rudd tried to scare us into submitting to government snooping by suggesting paedophiles use the same services as you and me. It didn’t work, though current Home Secretary Sajid Javid is yet to reveal his ambitions here. The encryption debate has been too quiet in recent months, perhaps another onslaught is on the horizon.

The dark corners of the web are full of nightmares which we are yet to discover. By connecting everything, we are making the digital dream a reality, but exposing ourselves more than ever before.