When most of us think of cyberattacks, we think of hackers breaching the networks of companies or governments, then proceeding to steal valuable data. In reality, many cyberattacks are more fundamental—exploiting vulnerabilities that work their way through the supply chain, in chips or devices that were already infected when they hit the market.
Supply chain threats mean that many devices are compromised at a fundamental level, through backdoors and viruses installed on the inner parts of a device. Even if the user wiped the device, the vulnerability would remain. In past years, many experts in the defense and cyber community cited this as a threat not only to customers and companies in the United States, but also to the military.
The problem is common in Chinese-made devices. Pre-installed spyware has been found in everything from Chinese smartphones to Chinese electric kettles. Chester Wisniewski, senior security adviser at cybersecurity company Sophos, told The Epoch Times in 2013: “They could be in anything you plug in. Anything that gets power, this kind of thing can be hidden inside it.”
This problem may soon be addressed, however. Federal Communications Commission (FCC) Chairman Ajit Pai unveiled a proposal on March 26 to help resolve the threats to U.S. communications networks found in their supply chains.
“Although the FCC alone can’t safeguard the integrity of our communications supply chain, we must and will play our part in a government- and industry-wide effort to protect the security of our networks,” Pai said in a statement.
“Threats to national security posed by certain communications equipment providers are a matter of bipartisan concern,” he said. “Hidden ‘backdoors’ to our networks in routers, switches—and virtually any other type of telecommunications equipment—can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”
Pai proposed in a draft notice that money from the FCC’s Universal Service Fund should not be allowed to be spent on technology or services from companies that, according to the statement, “pose a national security threat to United States communications networks or the communications supply chain.”
While the statement does not name any companies or countries directly, many analysts noted it could have a direct impact on Chinese companies—especially telecom companies Huawei and ZTE, which have in the past been listed as security threats.
Many other Chinese technology companies could also be affected by the policy, since many have been found in the past to have backdoors or other security threats in their products. Policies from the Chinese Communist Party could also impact tech firms, since Chinese companies are required to provide the regime with access to customer data.
Best Buy, the largest U.S. consumer electronics retailer, is allegedly cutting ties with Huawei, according to a source with knowledge of the matter. This follows a similar move from AT&T Inc. While Best Buy did not confirm the move, a company spokesman told Reuters, “We make decisions to change what we sell for a variety of reasons.”
Chinese chat and social media platform WeChat has also recently been accused of posing security threats. India’s defense ministry listed WeChat and close to 40 other Chinese apps as “spyware” in December 2017, and Russia blocked WeChat in May 2017 for violating laws on personal data.
In 2015, cybersecurity researchers found pre-installed spyware on smartphones from Chinese companies Lenovo, Huawei, and Xiaomi. Similar technology, which could allow spying on users through any function on the devices, has been found on many other forms of Chinese technology.
Pai’s proposal is meant to address these threats and others, and he called for a vote on it on April 17.
He said the proposal would prohibit the FCC’s $8.5 billion Universal Service Fund from going to equipment “from any company that poses a national security threat to the integrity of communications networks or their supply chains.”
“The money in the Universal Service Fund comes from fees paid by the American people,” he said, “and I believe that the FCC has the responsibility to ensure that this money is not spent on equipment or services that pose a threat to national security.”