Feeds

US bill prohibits state use of tech linked to Chinese government

Has anyone on Capitol Hill heard of the global supply chain?

Combat fraud and increase customer satisfaction

In one of the first clear signs of a tougher stance on China, a new US spending bill has banned government agencies from buying any technology from companies thought to be “owned, operated or subsidised” by the People’s Republic.

The Consolidated and Further Continuing Appropriations Act of 2013, signed by president Obama on Tuesday, only pertains to non-defence government spending up until the end of the fiscal year on 30 September, but could be a sign of things to come.

The key passage, Section 516, prohibits the Commerce and Justice departments, NASA and the National Science Foundation from buying any IT systems “produced, manufactured or assembled” by any organisation which is “owned, operated or subsidised” by Beijing.

The only exceptions are if a piece of technology is deemed to be in the national interest, or if, after consulting the FBI, there is thought to be no risk of “cyber-espionage or sabotage associated with the acquisition of the system”, AP reported.

The rhetoric has certainly been ramping up on the US side since a House of Representatives Intelligence Committee report recommended Shenzhen telecoms kit makers Huawei and ZTE be locked out of the US market because they represent a national security risk.

That was followed with several high profile hacking attacks on US media groups, allegedly traced back to Chinese groups, and then the motherload – the Mandiant report, which detailed a direct link between the PLA and attacks on the New York Times and other US firms.

President Obama himself even went on TV to confirm the US is engaged in “tough talks” with China over state-sponsored attacks.

It’s unclear how much progress can be made in such talks when the official Chinese line is that it doesn’t condone hacking and that it is very often the victim, especially from attacks launched from US servers.

It also may be pretty difficult, given the global nature of the IT supply chain today, for government agencies to follow Section 516 faithfully.

Many if not most US technology companies, for example, have components produced, manufactured or assembled in China or by Chinese firms, so these will all need checking out if these firms are government suppliers.

Huawei said as much in its response to the Committee report:

Almost every ICT firm is conducting R&D, software coding and production activities globally; they share the same supply chain, and the challenges on network security is beyond a company or a country.

The problem then comes in trying to ascertain if said firms are “owned, operated or subsidised” by Beijing.

The House of Representatives Committee reported several times in its findings that it was unable to get the level of information required from Huawei and ZTE to allays its concerns over links to the Chinese government or Communist Party, so it’s unlikely that a US government agency is going to succeed where this detailed 11-month investigation failed. ®

SANS - Survey on application security programs

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.