It's about frickin' time: US govt requires security review for Chinese tech purchases

We have been letting the fox guard the hen house for far too long, and it's high time the US government did something about it.
Written by David Gewirtz, Senior Contributing Editor

If you look out the window, you might notice that the moon is blue. If you check the Weather Channel, reports are that hell has indeed frozen over. As unlikely as it may seem, our politicians have apparently done something right.

In order for America's government to fund its operations, programs, and agencies, money has to be allocated for this purpose on a regular basis. In many years, that budget money is allocated through something called a "continuing resolution", which is passed in Congress and signed by the President.

A continuing resolution passed this year as well, except this time, it had some teeth, in particular when it comes to China's ongoing acts of apparent espionage and skulduggery.

Put simply, the newly signed 240-page law requires law enforcement authorities to be consulted and to perform a cybersecurity and sabotage risk assessment when buying IT gear.

Here's the hot button, the once-in-a-blue-moon, hell-freezing-over smart move by our politicians. The formal risk assessment by law enforcement must (and I'm quoting the Reuters article that quoted the bill): "... include any risk associated with such system being produced, manufactured, or assembled by one or more entities that are owned, directed, or subsidized by China."

This. Is. Huge.

I'm not going to go over the whole China risk thing in-depth here because we've been down this trail before. See the links at the end of the article for a good set of reads on China's apparent inability to play well with others.

But I will say this: China, by all indications, wants it both ways. They want to sell us gear, bring our currency into their country, and grow their economy with the help of American purchasing power. But they also seem to want to sneak into our computer systems, constantly testing, probing, and attacking our networks, and otherwise cause us harm.

They want to make money from us at the same time they're willing to attack us.

What's been deeply disturbing me for years (and I've been writing about this here on CNN, and even giving lectures and advisories on this to government officials) is that Chinese gear is inside everything we use today.

The motherboard inside the computer I'm using right now was made in China. In fact, the computer I'm using right now was made in China. Your iPhone was assembled in China.

Many of the internal components and entire computers (Lenovo is on its way to becoming the world's largest PC producer) are made in China. Telecommunications equipment is made in China. We even did a Great Debate here on ZDNet about whether it was wise to buy networking gear from Chinese Huawei, who has been involved in some dubious doings (and is becoming a major vendor of smartphones as well).

Think back to the Cold War days, when the Soviets and the Americans were banging shoes at each other and threatening total nuclear destruction. Would any of us (or our grandparents, I guess) have thought it made sense to buy security gear from the Soviets?

Of course not. Even the most pacifist peaceniks around would have thought that letting your enemy provide your security wasn't exactly a wise course.

And yet, that's what we've been doing. Nearly all of us rely on gear made by China. Nearly all of our personal and confidential passwords and logins travel over circuits made by China. Many of our networks and network switches, if not made by China directly, have Chinese components.

I applaud this action by Congress and the President (did you ever think I'd ever say anything like that?), and I encourage the government to take even more stringent action and due diligence against foreign-supplied security equipment.
