Toward a Safer and More Secure Cyberspace

Questions? Call 800-624-6242

About | Ordering | New

LoginRegister

| Items in cart [0]

PAPERBACK
price:$57.00
add to cart

Rights & Permissions

Free PDF Access

Free Resources

Related Titles

Toward a Safer and More Secure Cyberspace (2007)
Computer Science and Telecommunications Board (CSTB)

Citation Manager Export the bibliographic data for this book in your chosen format
Web Search Builder Use this book's key terms to search within this book, across our collection, or across the Web.
Skim This Chapter Skim this chapter and use this chapter's key terms to search within this book.
Reference Finder Paste in your own text to find books that relate to your topic.

Citation Manager

. "2 What Is at Stake?." Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press, 2007.

Please select a format:

Page
47


E-mail Share on facebook Facebook Share on delicious Delicious Share on stumbleupon Stumble Share on twitter Twitter More Sharing ServicesMore

The following HTML text is provided to enhance online readability. Many aspects of typography translate only awkwardly to HTML. Please use the page image as the authoritative form to ensure accuracy.

Toward a Safer and More Secure Cyberspace

BOX 2.5

Foreign Sourcing of Information Technology Used in the United States

In March 2006, the U.S. Department of State announced that it would purchase 16,000 Lenovo computers and related equipment for use throughout the department. (Lenovo, Inc., is the Chinese company to which IBM sold its laptop and desktop personal computer [PC] business in 2005. Lenovo was incorporated in Hong Kong but is currently headquartered in the United States, and is reported to have ties to the Chinese government as well.) About 900 of the 16,000 PCs were designated for use in the network connecting U.S. embassies and consulates. In May 2006, and after objections had been raised in the U.S. Congress concerning the use of computers made by Lenovo in a classified network, the State Department agreed not to use Lenovo computers for such classified work.

The use of computers made by a Chinese company for classified work was bound to raise a number of security concerns. But the State Department–Lenovo incident is symptomatic of a much larger issue. As computers and other information technology (IT) systems are assembled with components manufactured or provided by vendors in many nations, even an “American” computer is not necessarily “Made in the USA” in anything but name. Similar concerns arise with software components or applications that have been designed or coded or are maintained overseas but are being used in the United States.

The nations that supply IT components include many—not just China—that might well have an interest in information on U.S. national security or economic matters. In addition, as “American” companies increasingly send some of their work offshore or use foreign citizens in the United States to work on IT, it is easy to see many possible avenues of foreign threat to the integrity of the security of information technology used in the United States.

Of course, the committee also recognizes that threats to the integrity of information technology used by the United States do not emanate from foreign sources alone, and there is no evidence known today that the nondomestic origin of IT components has compromised U.S. interests in any way. But there is concern that compromises might occur in the future, or that such compromises in the past may have gone undetected. (As a saying in the intelligence community goes, “We have never found anything that an adversary has successfully hidden.”)

Third, the high-end cyberattacker is generally indifferent to the form that its path to success takes, as long as that path meets various constraints such as affordability and secrecy. In particular, the high-end cyberattacker will compromise or blackmail a trusted insider to do its bidding or infiltrate a target organization with a trained agent rather than crack a security system if the former is easier to do than the latter. Many hackers are motivated by the fame that they gain from defeating technological security mechanisms (sometimes by social engineering means rather than by technology exploitation).

Fourth, the motivation of a high-end cyberattacker is unambiguously