Symantec chief technology officer Mark Bregman told an IT publication this week that he was "advised by people in three-letter agencies in the US Government" to not bring his phone and laptop to China. The government urged him to instead buy new gadgets. He should weigh the laptop before and after the trip to see if any spy electronics were installed, they told him, and throw the cell phone away upon his return.
Wow! What are they afraid of?
This episode reminds me of something that occurred back in May, 2008. American authorities launched an investigation into suspicions that the laptop hard drive of then-US Commerce Secretary Carlos M. Gutierrez was copied by Chinese agents during a meeting in Beijing. Of course, we never heard the outcome of that investigation. But apparently the three-letter powers that be have since determined that China can't be trusted anywhere near our gadgets.
A report delivered to Congress last year by U.S.-China Economic and Security Review Commission warned that "Chinas current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts."
According to the report:
"The global supply chain for telecommunications items introduces another vulnerability to U.S. computers and networks. Components in these computers and networks are manufactured overseas many of them in China. At least in theory, this equipment is vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation. In a recent incident, hundreds of counterfeit routers made in China were discovered being used throughout the Department of Defense. This suggests that at least in part, Defense Department computer systems and networks may be vulnerable to malicious action."
Concern about Chinese manufacture of phones and telecommunications equipment, and access to cell phones and laptops are two doorways into devices. But the Chinese government apparently doesn't need direct access.
In March, the New York Times reported on a discovery by Canadian researchers of China's so-called GhostNet system. Researchers at the University of Toronto's Munk Center for International Studies found that China's GhostNet hacking program had to date "infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lamas Tibetan exile centers in India, Brussels, London and New York." The program "continues to invade and monitor more than a dozen new computers a week," according to the report.
In addition to targeting and collecting very specific kinds of data, the GhostNet system can turn on the microphone and cameras attached to a PC, and listen to and watch conversations in the room.
Since being outed in March, GhostNet awareness has grown. The term even has its own Wikipedia page, which is probably the best single accounting of the program available to the public.
The United States isn't the only country wary of Chinese cyber spying. The Indian national government is currently mulling a ban on all telecommunications equipment from China. The Indian department of telecom has proposed a ban on Chinese phones and other gear in all Indian border states, fearing that the devices could contain hidden spy electronics or Trojan spyware that could enable a Chinese attack on Indian infrastructure.
The Indian government is also concerned about Chinese "direct foreign investment" (involvement by Chinese investors in Indian businesses) in the telecommunications arena.
Indian concerns may reflect the American experience. Some 50 people have been successfully prosecuted in the United States since 2006 for stealing mostly militarily sensitive trade secrets for the Chinese government.
According to a Chinese diplomat, who defected in 2005, China uses three approaches to espionage. The first approach is to use conventional spies, who have been trained by, and who work directly for, the Chinese government. The second is to use a looser group of semi-professionals, which would include more than 200 hacker organizations and a variety of businesses owned by people eager to curry favor with the Chinese government. The third is called the "thousand grains of sand" approach, which involves gathering tiny bits of intelligence from thousands of Chinese students and workers who live and work abroad, and piecing them all together later.
Chinese authorities routinely criticize such accusations and prosecutions as politically or commercially motivated falsehoods or exaggerations.
But knowledge of these wide-ranging accusations creates a challenge for all of us. If you're an IT professional; work for an IT company; buy routers and other networking equipment; work for a technology startup; work for a company that gets defense-related contracts; work at a university that does anything related to defense or security; or travel to China on business, what should you do?
If you travel to China on business, do you really have to weigh your laptop before and after? Do you throw away your cell phone after the trip? Should you be wary of partnerships with Chinese companies? Should you avoid Chinese telecom equipment?
Let's hear your thoughts and opinions in the comments section below!