Some interesting articles lately about the threat of cyber espionage coming through the supply chain.
Essentially, this amounts to the threat that Chinese-made computer equipment could have holes (or Trojans, or backdoors, or malware, or whatever) that would either allow a malicious (assumedly Chinese) user to access the compromised computer or that would automatically exfiltrate data back to a location the malicious user can access.
Problems like this strike at the heart of the issue of all national security (or corporate security, for that matter) issues: trust. How do you know that the computer you just bought won’t send all your data to China? You have to trust the manufacturer when they say it won’t. Can you trust them? Maybe. Maybe not. After all, another Chinese spy was just convicted this week – these things are happening. Combine that with the fact that some of the most popular machines on the market today are all made in China, and you can see how this could happen.
For the record, the Mac mini, Macbook Air, Macbook, iMac and Macbook Pro are all manufactured in China, as are the latest netbooks from Dell.
Lest we jump to conclusions, or grow overly paranoid, let’s think rationally about ways to prevent our data from heading overseas. One industry writer suggests that the best way to avoid this is to
stop buying Chinese computer products today. Until this issue of Chinese cyber-espionage has been cleared up and cleaned up, I simply couldn’t justify buying or using hardware that might be working against me. If you consider it for a minute, I think you’ll agree.
This is a great theory, but extremely difficult to do in practice. Can you buy an entirely American made computer? Sort of: ZTSystems assembles and services their computers in the United States. Their systems are fast, and would be great machines, no doubt. But the parts? They’re all from China or Taiwan. The graphics card? Made in Canada, with parts sourced from China. The network card? Made in Taiwan. The other parts are not listed as being any particular brand, indicating that they, too, are made in China.
Other devices, like USB Picture Frames, have already been verified as containing Chinese malware. What makes anyone think that other devices wouldn’t also do this? It’s low hanging fruit, difficult to spot, and easy to maintain plausible deniability.
I’ve heard from several professionals that this is a very real concern for US businesses and government entities, with no apparent solution on the horizon.
Where does that leave us? With the need to be careful and conscious about the data we put on our computers. It’s often easier to assume that anything you put on a computer is compromised and operate from that standpoint. You’ll find yourself being more careful, something that never hurts in today’s day and age. There are some tools that can help you along the way, but ultimately a solution to this problem will have to come in the form of data-centric, or even built-in, security. We must move towards a model where our data is intrinsically protected, as it is created, regardless of location – this would eliminate the worry when it becomes compromised in ways like this. We’re not there yet, but I suspect there are those who are working on it.
In the meantime, give some thought to what your data means to you and what you might do if it were lost, breached, or compromised. It’s an enlightening experiment.
Shay 2.0 
