Can you trust Chinese computer equipment?
Steven J. Vaughan-Nichols, a blogger for IT World, raised the question, but before answering it, let’s take a look at the current backdrop that should affect the decision.
Google has been hacked – supposedly by hackers employed by the Chinese government. “The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof,” says a report by VeriSign’s iDefense security lab.
UK businessmen have been warned by the British security service against using “gifts” such as memory sticks or cameras given to them when attending exhibitions or doing business in China.
US oil giants have have been breached in the last few years by cybercriminals that left some clues pointing in the direction of the Middle Kingdom.
Way back in September of 2009, the US Government issued security policies for IT executives traveling to China. Obviously, they were well aware of the possible dangers of cyber espionage, data theft and (malicious) code manipulation.
Mozilla pulled two add-ons infected by Trojans from their official site. The company that developed one of them is apparently based in China.
And so on, and so forth. It came to a point when every major security breach that surfaces online is – sometimes jokingly, sometimes not – attributed to the Chinese.
Can all of this be just a coincidence? Vaughan-Nichols thinks not. “If I were in charge of any enterprise where I thought I had any reason to think that these Chinese authorities might be interested in what I was doing, I’d stop buying Chinese computer products today. Until this issue of Chinese cyber-espionage has been cleared up and cleaned up, I simply couldn’t justify buying or using hardware that might be working against me,” he says.
Now that suspicion is planted, hardware and software made in China will surely be put under intense scrutiny, especially if it’s cooing to be used by government bodies and agencies.
On the other hand, Mark Bregman, CTO at Symantec, makes also a valid point. Commenting on the issue of Chinese coders working for US companies and the mistrust on the part of the government towards those firms, he said that US developers can be as dangerous as the Chinese and the Government should check the tools and processes to test code from wherever it comes.
And I think he’s right. Today it’s maybe the Chinese, but tomorrow it could be another nation, or simply unaligned hackers looking for a quick buck. Defenses must be raised in general, and checking code and hardware should become a requirement.