US Govt Squeezes Hi-Tech Security Threats—and China

February 18, 2014 Updated: February 18, 2014

New measures targeting the counterfeit and grey electronics markets promise to dramatically transform the global supply chain for electronics. A new U.S. law and accompanying new standard that aim to ensure quality and security could also put a serious damper on China’s hopes for a high-tech economy.

Driving the shift is the 2014 U.S. federal budget, passed on Jan. 17. It includes a new law that requires federal review and approval on information technology (IT) products purchased by federal government agencies. The review will check for risks of cyberespionage or sabotage, and bans products with supply chains tainted by elements that pose cyberthreats—which includes anything “that may be owned, directed, or subsidized by the People’s Republic of China.”

The problem with the government policy is that the majority of what the government purchases comes from private companies that sell products to the public, and few companies can currently say for sure whether their supply chains are free from threats.

Thus, just two weeks after the federal budget was passed, a new standard was created for businesses to follow. The Open Group released its accreditation program for supply chain security, the Open Trusted Technology Provider Standard Accreditation Program.

The group’s standards will be the foundation for the new federal policy, and the seal of approval will also tell consumers the electronics are legitimate products from the company on their labels, and are free from pre-installed spying tools and risk of sabotage. Among its 422 members are most of the top technology companies in the world, including, in the “platinum level,” Hewlett-Packard, IBM, Oracle Corporation, and Philips.

The accreditation doesn’t rule out Chinese manufacturers altogether. In fact 11 members of the group are based in China. Rather, it will start holding companies accountable at every level of the supply chain.

Businesses that are trying to certify a product will need to track and rate suppliers, and if a supplier engages in an activity that violates that trust—such as installing malware or counterfeiting a product—the company can be blacklisted.

Consequences for China

The same day the 2014 federal budget was signed, with its requirement for review of supply chain threats in electronics for government contracts, China’s Ministry of Commerce released a statement saying it would “have a negative effect on Chinese companies, besides harming the interests of U.S. firms.”

The statement, which was carried in China’s state-run newspaper Global Times, added, “The U.S. side should correct its mistaken ways.”

The new standard on quality and security comes as China is trying to establish itself as a source of high-tech products. The shift was laid out in the Chinese Communist Party’s (CCP) 12th Five-Year Plan, which covers 2011 to 2016.

In China’s push to establish itself in the global high-tech market, “Industries such as IT and industrial equipment take top positions, reflecting Chinese interest in U.S. technology,” states a November 2013 congressional report.

It notes that close to 17 percent of China’s foreign direct investment in the United States goes into IT, making it China’s largest area of investment. The foreign investments, which totaled $45.6 billion in the first half of 2013, are part of the CCP’s push for stronger influence over the global technology market.

The CCP has clear reasons for being concerned about the new standard. As previously reported in Epoch Times, China is the largest source of counterfeit goods. An estimated 15 to 20 percent of all products made in China are counterfeits, and close to 8 percent of China’s GDP comes from counterfeit goods.

Meanwhile, the majority of threats in the supply chain that have been uncovered have originated in Chinese factories.

Tainted Supply Chains

The extent of the problem was highlighted in May 2012 when the Senate House Armed Services Committee released a report showing that counterfeit electronic parts from China had found their way into U.S. military vehicles, including a Navy surveillance plane.

The report concluded that “China is the dominant source country for counterfeit electronic parts that are infiltrating the defense supply chain,” and “The Chinese government has failed to take steps to stop counterfeiting operations that are carried out openly in that country.”

Sen. Carl Levin (D-Mich.) said in a press release “this flood of counterfeit parts, overwhelmingly from China, threatens national security, the safety of our troops, and American jobs.”

While the nature of the problem elicited a strong response from the defense community, there was a fundamental problem standing in the way: the U.S. military—just like government departments, and the consumer market—lacked a clear picture of its supply chain.

Security threats are only half the problem, however. For the private sector, it is not just parts finding their way into electronics. It is not uncommon for companies to have entire products copied and distributed without their knowledge.

Consumers, meanwhile, are then unwittingly duped into buying fake products, often with lower quality, with a trusted label.

Security researcher Andrew “Bunnie” Huang uncovered an elaborate grey market of SanDisk and Kingston micro SD memory cards in 2010. With SanDisk, it turned out the counterfeit cards were coming from the same Chinese factory that was making the legitimate cards.

“SanDisk was paying them to run shifts to make the chips. The factory manager in China was just running another shift of his own, and was making more of them and selling them on the side,” Chester Wisniewski, senior security adviser at security company Sophos, said in a telephone interview.

Microsoft uncovered a similar scheme, and in December 2012 won a $5.7 million lawsuit against a Chinese retailer that had sold 1.3 million copies of counterfeited Microsoft software.

Bob Parisi is the managing director at Marsh. The company is an insurance broker and risk management firm, but also covers supply chain risks.

Parisi said in a telephone interview that the supply chain is a “fundamental risk” that companies today face, even if it is not on their radar screens at the moment.

Follow Joshua on Twitter: @JoshJPhilipp