[Update: the Washington Post article to which "A Dude" refers in his comment is here.]
Back in 2009 I blogged about the fact that UK telecoms giant BT was buying in components for its £10 billion network from the Chinese telecoms supplier Huawei. This article came in part from a leaked memo demonstrating concerns in Whitehall at the time that this could, in theory at any rate, give China the ability to launch a serious attack on UK communications.
I didn't then and don't now wish to delve too deeply into the ambivalence of the relationships between China and the West, but I did say that:
it seems unfortunate that "government departments, the intelligence services and the military" are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.
I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled "made in China". Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?
I still don't have an answer to the question in that second paragraph. But I was reminded of it today by an article from Business Insider flagged by my colleague Aryeh Goretsky: it concerns 59,000 fake microchips purchased by the US Navy for use in systems "from missiles to transponders" ultimately sourced from China. Somewhat alarmingly, the article claims asserts that the chips "had been made with a 'back-door' and could have been remotely shut down at any time.
In fact, the article in Wired from which this assertion derives makes a rather less sensational claim:
Instead of crappy Chinese fakes being put into Navy weapons systems, the chips could have been hacked, able to shut off a missile in the event of war or lie around just waiting to malfunction.
A hypothetical then, not a clearcut attempt at sabotage. But by no means far-fetched. Fortunately for the US, the Intelligence Advanced Research Projects Agency is aiming to mitigate that risk with its Trusted Integrated Circuit programme. But the issue goes beyond silicon, and perhaps even beyond defence of the realm (whichever realm you're talking about)…
At a time where the West is, generally speaking, not at the top of its game economically, I can see why defence contractors, like anyone else, are anxious to save money, but outsourcing critical systems purely for economic advantage in the hope of submitting the lowest tender is a risky strategy.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security