Foreign Sourcing of Information Technology Used in the United States
In March 2006, the U.S. Department of State announced that it would purchase 16,000 Lenovo computers and related equipment for use throughout the department. (Lenovo, Inc., is the Chinese company to which IBM sold its laptop and desktop personal computer [PC] business in 2005. Lenovo was incorporated in Hong Kong but is currently headquartered in the United States, and is reported to have ties to the Chinese government as well.) About 900 of the 16,000 PCs were designated for use in the network connecting U.S. embassies and consulates. In May 2006, and after objections had been raised in the U.S. Congress concerning the use of computers made by Lenovo in a classified network, the State Department agreed not to use Lenovo computers for such classified work.
The use of computers made by a Chinese company for classified work was bound to raise a number of security concerns. But the State Department–Lenovo incident is symptomatic of a much larger issue. As computers and other information technology (IT) systems are assembled with components manufactured or provided by vendors in many nations, even an “American” computer is not necessarily “Made in the USA” in anything but name. Similar concerns arise with software components or applications that have been designed or coded or are maintained overseas but are being used in the United States.
The nations that supply IT components include many—not just China—that might well have an interest in information on U.S. national security or economic matters. In addition, as “American” companies increasingly send some of their work offshore or use foreign citizens in the United States to work on IT, it is easy to see many possible avenues of foreign threat to the integrity of the security of information technology used in the United States.
Of course, the committee also recognizes that threats to the integrity of information technology used by the United States do not emanate from foreign sources alone, and there is no evidence known today that the nondomestic origin of IT components has compromised U.S. interests in any way. But there is concern that compromises might occur in the future, or that such compromises in the past may have gone undetected. (As a saying in the intelligence community goes, “We have never found anything that an adversary has successfully hidden.”)
Third, the high-end cyberattacker is generally indifferent to the form that its path to success takes, as long as that path meets various constraints such as affordability and secrecy. In particular, the high-end cyberattacker will compromise or blackmail a trusted insider to do its bidding or infiltrate a target organization with a trained agent rather than crack a security system if the former is easier to do than the latter. Many hackers are motivated by the fame that they gain from defeating technological security mechanisms (sometimes by social engineering means rather than by technology exploitation).
Fourth, the motivation of a high-end cyberattacker is unambiguously