US China Commission Reports that US Is Threatened by PRC Computer Network Operations
March 8, 2012. The US China Economic and Security Review Commission released a report [139 pages in PDF] titled "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage". It finds that "Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict." See, also summary.
The report states that the People's Republic of China's (PRC) People's Liberation Army's (PLA) "sustained modernization effort over the past two decades has driven remarkable transformation within the force and put the creation of modern command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) infrastructure at the heart of the PLA's strategic guidelines for long term development."
"This priority on C4ISR systems modernization, has in turn been a catalyst for the development of an integrated information warfare (IW) capability capable of defending military and civilian networks while seizing control of an adversary's information systems during a conflict."
It also states that "PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these system with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict", such as in defending Taiwan against PRC aggression.
One of the topics addressed in this report is supply chain vulnerabilities. It states that "The pervasiveness of globally distributed supply chain networks means that virtually every sector of private industry has the potential to be impacted by a compromise."
"The vectors into the telecommunications and integrated circuit (IC) supply chain specifically can come from either upstream (manufacturing channels) or downstream (distribution channels)." The report states that "The geographically distributed nature of IC production means that a single chip may incorporate circuits designed in multiple locations around the globe. This model reduces the cost of new product development but it also creates additional security and integrity risks." (Parentheses in original.)
It concludes that "Without strict control of this complex upstream channel, a
manufacturer of routers, switches, or other basic telecommunications hardware is
exposed to innumerable points of possible tampering and must rely on rigorous
and often expensive testing to ensure that the semiconductors being delivered
are trustworthy and will perform only as specified, with no additional
unauthorized capabilities hidden from view. Deliberate modification of
semiconductors upstream of final product assembly and delivery could have subtle
or catastrophic effects."