08:05 31.05.2023

Author ROMAN KHIMICH

"China question" in the US: sometimes "yes", sometimes "no"


Roman Khimich, researcher of trust and security in the digital environment


The National Security and Defense Council of Ukraine has begun studying the feasibility of banning Chinese equipment in Ukrainian networks. Judging by a recent interview with the director of the fixed network development department at the MDT, the government has no position of its own on the subject. So far, only the Council's specialized committee and, apparently, the network operators have one, and the MDT is now gathering the operators' opinion.

Unfortunately, we have to state once again that the efforts of the professional community to highlight what is happening in the industry yield little. Two years ago, in 2021, market participants initiated the process of implementing European approaches to risk management in Ukraine. The author of this article and his colleagues have done a lot of work on translating and adapting European regulations. Yet less than two years have passed and all of it seems to have gone to waste. Since no prophet is accepted in his own country, let us look at the experience of the initiator of all these bans, namely the USA.

A report by one of the American think tanks, published in October 2022, points to a crisis, if not outright failure, of the policy of pushing Chinese manufacturers and technologies out of the United States. According to the document, the US authorities have not been able to create effective procedures for detecting and banning high-tech products created using "untrusted" technologies and manufacturers. Given the delay of three years already in removing Chinese equipment from mobile networks, one can speak of the failure of the federal government's efforts.

The document, entitled "Banned in D.C. Examining Government Approaches to Foreign Technology Threats", was prepared by the Center for Security and Emerging Technology at Georgetown University's Walsh School of Foreign Service. It discusses the results of the policies of both federal and regional (state, county and municipal) authorities regarding the prohibition of so-called untrusted suppliers, products and technologies. As usual, China is named as the main source of threats of this kind.

The content of the report at the very least calls into question both the long-standing rhetoric of United States officials and the actual results of their policies. It turns out that private companies and public institutions in the USA continue to buy products and services from Chinese companies that appear on various "black lists". The researchers identified 1,681 state and local government entities that purchased equipment and services from the sanctioned Chinese companies Huawei, ZTE, Hikvision, Dahua and Hytera between 2015 and 2021. In every state except Vermont and the District of Columbia, at least one local government was distinguished by such purchases.

Figure 1. Number of State and Local Government Transactions Involving Covered ICTS by State, 2015-2021 (including the District of Columbia)

In total, there were 5,700 contracts with a combined value of approximately 45.2 million US dollars, covering a wide range of equipment, including smartphones, surveillance cameras, temperature scanners, portable radios and networking equipment. The study is based on data provided by GovSpend, which tracks purchases by federal, state and local governments across the country.

The authors of the report insist that "while the scale of operations may seem small in terms of cost, it is significant in terms of potential risk. Every piece of untrusted hardware is a potential entry point into a user's network, regardless of its cost."

Figure 2. Annual State and Local Government Transactions Involving Covered ICTS, 2015-2021 (including the District of Columbia)

On the one hand, the report contains a number of revealing confessions. On the other hand, its authors tread carefully, trying not to say too much and declining to concede even things that are quite obvious and well known in the professional community.

“Is there a boy?”

The report recognizes that the presence of vulnerabilities in the products of Chinese companies is no reason to accuse them of intending to create so-called backdoors. What is more, it explicitly states that "no technology is perfectly secure, and Chinese hackers have repeatedly proven their ability to compromise government networks using existing vulnerabilities. These more conventional breaches are in many cases easier to orchestrate than supply chain attacks involving backdoors, and they carry fewer potential economic costs as well." Simply put, backdoors are neither necessary for cyberattacks nor even the best way to carry them out.

The report points to the risks of using any foreign technology, since the manufacturers' own personnel who service it are themselves a source of risk. If recruited by an adversary, employees of these companies can use their privileges to attack computer systems and networks. "Without the proper safeguards in place, any organization that uses foreign ICTS is exposed to these operational security risks," the authors of the report state.

While recognizing that products of any foreign origin are exposed to the risk of compromise, the authors stop short of following their argument to its conclusion. As practice has shown, the products of American companies are no different from all the others and give hackers ample opportunities for successful attacks. Singling out "foreign" products therefore makes little sense.

One passage of the report is telling: in one sentence it reports that "numerous local authorities became victims of Chinese hackers during the Microsoft Exchange Server data breach in early 2021." The next sentence states that "if the Chinese government or other competitors use foreign technology in this way, thousands of state and local governments could become victims of potentially devastating breaches." Yet Microsoft Exchange Server is the product of an American company, and it turned out to be a source of real problems, not potential ones.

Several revealing confessions show the worthlessness of the accusations leveled against Chinese manufacturers. "While national security officials often discuss the general risks associated with equipment from Huawei and other companies, they rarely provide details about specific vulnerabilities or breaches related to specific products. Given the lack of clarity, state and local government leaders may hesitate over whether it is worth spending energy, resources, and political capital on eliminating unreliable technologies," the American researchers write, confirming a fact long known in the professional community. In five years of the "crusade" against Huawei, US government officials have not been able to name a single properly documented incident.

Given the virtual absence of evidence of malicious intent on the part of Chinese manufacturers, the following statement comes as no surprise: "Many government organizations do not have sufficient competencies to understand and eliminate such threats, and those that do may prioritize the elimination of immediate threats such as ransomware, and not more abstract risks created by foreign products". The euphemism "abstract risks" points to the actual absence of proven threats.

Money, money, money

As one of the reasons for the failure of the current policy of eliminating Chinese products and technologies, the report cites excessive cost. "One major obstacle is that procurement bans can increase the cost of acquiring equipment. Chinese ICTS is generally cheaper than equivalent products from non-Chinese companies, making it an appealing option for cash-strapped government agencies. A basic Hikvision dome camera retails for about $90, while similar cameras made by firms in Canada, Japan, and South Korea sell for more than double the price. Therefore, prohibiting the use of this cheaper Chinese equipment and forcing government agencies to buy costlier but trustworthy alternatives drives up IT expenses. Costs are even higher if agencies are required to rip and replace the covered ICTS that already resides in their networks."

Local governments, whether municipalities, counties or states, are particularly sensitive to price. Many of them, if not the majority, have been in a state of permanent budget crisis for more than a year and are forced to save literally on paper clips. As a result, the decision to eliminate Chinese products and technologies, and the related efforts, are concentrated at the federal level. Only five states – Florida, Georgia, Louisiana, Texas and Vermont – have adopted relevant policies. However, as the report admits, "they are not structured for effective countermeasures against the threats of foreign technologies."

A separate problem is the lack of the experience and knowledge needed to successfully remove and replace Chinese equipment at state and publicly funded institutions. The report acknowledges that "cybersecurity departments at these organizations tend to be underfunded and understaffed (if they exist at all), and those with resources are likely to prioritize more pressing security issues such as combating terrorism". "Therefore, it should not be expected that state and local authorities will actively replace foreign technologies without federal support," the authors emphasize.

Meanwhile, federal support is in dire straits. The only compensation program for the private sector is in its third year. In 2020, Congress approved an allocation of approximately $1.9 billion to compensate for the losses of regional mobile operators caused by the replacement of Huawei and ZTE equipment. Initially, market participants requested more than $5.6 billion, but authorities rejected most of the bids. Now these requests have been recognized as not just justified, but insufficient. It was decided to direct the already agreed funds to operators with a subscriber base of no more than 2 million connections as the most vulnerable category of private companies. Regional operators have not yet received a single dollar from these funds, so they have not replaced a single unit of Chinese equipment.

It is worth noting that the current policies do not cover the cost of replacing products from Hikvision, Dahua, Hytera and most other sanctioned companies. If this equipment is included in the program, reimbursement requests will be much higher.

"Replacing every single piece of unreliable equipment currently installed on American networks is impossible, so resources must be directed to areas where they will have the greatest impact. (...) "Remove and replace" programs divert resources from other government services, such as education and infrastructure. Politicians must consider the trade-offs associated with this redistribution," the authors write, summarizing one of the report's sections.

87 thousand licenses per week

Another key problem of the current policy is detailed in the report: the excessive labor intensity and low efficiency of administrative procedures. The supply chains of high-tech products and services that must be monitored to identify and eliminate "untrusted" technologies are very large and complex. They cover tens of thousands of companies scattered around the world, and the connections between them are not always obvious. Equipment manufactured by one company may contain components obtained from many different suppliers and be sold under the brand name of another company.

For example, cameras manufactured by Dahua Technology, a Chinese video surveillance company, are sold both under the Dahua brand and under the trademarks of subsidiaries such as Canada's Lorex. In addition, Dahua acts as an OEM for dozens of other vendors, selling them products that are then repackaged and sold under other brands. "Such agreements, common in the technology industry, make it difficult for governments, private companies and other consumers to determine exactly whose equipment and services they are buying," the authors of the report explain.

The very idea of controlling the life of a giant industrial ecosystem entails a document flow on an incredible scale. The Committee on Foreign Investment in the United States, which reviews foreign investments in American companies for threats to national security, heard an average of 152 cases a year between 2008 and 2020. If the existing laws against untrusted suppliers and products were followed, the US Department of Commerce would have to review thousands, if not tens of thousands, of transactions every day.

According to internal US administration estimates cited in the report, up to 4.5 million US businesses import foreign technology subject to oversight. If each of these businesses submitted only one license application per year, the Department of Commerce would be required to process up to 87,000 licenses per week. Meanwhile, the Commerce Department's Bureau of Industry and Security, which is responsible for enforcing anti-China sanctions, currently has just 16 positions with an annual budget of about $4.7 million allocated to administer the sanctions program. In the 2023 budget request, the bureau is asking Congress for 114 more positions and $36.2 million. It is not yet known whether the request will be approved by lawmakers.

The report acknowledges that federal legislation aimed at eliminating Chinese technology poses serious challenges for the private sector. "It's already difficult for companies to keep up with rapid technological change, and under these rules they risk slowing down or blocking IT projects at the hands of federal regulators. (...) For example, Section 889 prohibits federal institutions from entering into agreements with contractors that use the specified technologies, even if that equipment is not involved in performance of the contract. Thus, this precautionary measure is effectively a procurement ban for both Federal institutions and Federal contractors. Given the costs associated with implementing this order, companies that do not already sell products to the federal government may be unwilling or unable to do so (...) Depending on their structure, procurement bans may disincentivize suppliers from doing business with government institutions."

The upshot is that even federal bodies, including the US Army, the US Air Force and the Drug Enforcement Administration, have ignored the prohibitions in question, despite extremely strong and uncompromising official statements. In some cases, the purchases were made through the GSA Advantage portal, an e-commerce platform which declares that the products available on it comply with regulatory requirements, including inspections by the General Services Administration.


It should be noted separately that the current policy of the United States regarding the elimination of "untrusted" technologies from the PRC contains a number of compromises that are meaningless from the point of view of its declared goals. In particular, the so-called Section 889 of the National Defense Authorization Act, one of the key regulations in this area, is not retroactive. Thus, institutions are allowed to continue using "untrusted" products and solutions that they purchased before the law came into force.

"Remove-and-replace programs are not a silver bullet for protecting government networks. All hardware has vulnerabilities, and products and services that replace the discussed foreign technologies may contain their own bugs and tricks. So policymakers should critically assess the costs and benefits of programs to replace untrusted products and technologies before funding them," the authors of the report conclude.

It must be said that even the richest country in the Western world cannot forgo high-tech products and services from the PRC. One consequence of the long-term symbiotic relationship between the People's Republic of China and the United States is the highest degree of mutual dependence. Dated fall 2022, the report not only testifies to the failure of the American policy of technological "decoupling" from the PRC. It also clearly demonstrates the difference between the European and American approaches to risk management in the field of high technology.

The difference between these approaches has been covered repeatedly by the national mass media. US policy is based on slogans and simply ignores the facts. The EU bases its regulation on facts, and its design ensures variability and adaptability. There seems to be no reason why Ukraine cannot use the EU approaches, especially since the course of European integration requires it. The processes initiated by market participants must be supported by the authorities and brought to their logical conclusion.
