Chinese Software Poses Cyber Threat to Critical U.S. Infrastructure

Despite the growing animosity towards Chinese technology, a recent report reveals a stark reality about the pervasive influence of Chinese-made components in the U.S. critical infrastructure. Policymakers across various levels of government have rallied for stringent bans on Chinese technology, yet a thorough examination uncovers that a significant portion of essential electronic components and software utilized in American systems has roots in China, either directly or indirectly.

This crucial insight emerged from a report by Fortress Information Security, a firm specializing in safeguarding entities from cyber threats, especially those originating from state actors. Titled “Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software,” the report delineates the alarming extent to which Chinese software is embedded in the very fabric of U.S. economic and security systems.

The magnitude of the situation is evident: Fortress reveals that approximately 90% of software utilized in U.S. critical infrastructure houses Chinese-origin code. This software spans various sectors including energy, transportation, and telecommunications, and it harbors multiple vulnerabilities that could be exploited. These security weaknesses often manifest as hidden backdoors or unpatched flaws, rendering the infrastructure susceptible to cyberattacks by hostile state actors.

To substantiate these claims, Fortress employed advanced Binary Analysis technology to construct a Software Bill of Materials (SBOM) for products cataloged in the North American Energy Software Assurance Database (NAESAD). This repository includes extensive data on thousands of products, which encompass components critical to operational technology, network management, and other vital systems.

The report identifies a staggering 9,535 vulnerabilities across more than 8,700 components utilized in over 2,000 products sourced from over 240 vendors. These vulnerabilities have remained largely unnoticed, existing as “silent threats” until the recent revelations brought them to light. Their presence underscores the critical risk they pose to the integrity of essential infrastructure.

Fortress Information Security strengthens its argument by employing the Exploit Prediction Scoring System (EPSS), which estimates the likelihood that a vulnerability will be exploited in the wild. The findings indicate that software originating from China could offer avenues for the Chinese government or affiliated hackers to compromise U.S. economic and physical security. With rising tensions in U.S.-China relations, Fortress CEO Alex Santos cautions that these vulnerabilities could be weaponized in the event of heightened hostilities.

In light of the escalating risks, Santos advocates for a comprehensive review of all software and hardware employing Chinese code within national critical infrastructure. This statement encapsulates the urgency and seriousness of the situation, calling for policymakers to proactively address these vulnerabilities.

Further complicating the landscape is the intricacy of global supply chains, wherein Chinese components feature prominently even in products produced by nations considered geopolitical allies, such as Vietnam or Japan. This interconnected manufacturing ecosystem presents a dual challenge: while reliance on Chinese components is difficult to circumvent, the genuine security threats they pose cannot be overlooked. If proactive measures are not implemented, the ongoing vulnerabilities may expose the U.S. to significant cyber risks, jeopardizing national security and economic stability.

As the next presidential election looms, the timeliness of Fortress’s report is critical. The incoming administration must be acutely aware of the threat posed by software and hardware influenced by foreign entities within critical infrastructure. Swift and thorough assessments of these vulnerabilities will be necessary to bolster defenses against potential cyberattacks and to maintain both economic and physical security.

Potential strategies include the establishment of more rigorous policies mandating scrutiny of foreign-sourced technologies in critical systems. This might involve stringent cybersecurity audits, the development of robust software supply chain standards, and enhanced collaboration between private and public sectors to preemptively identify and mitigate vulnerabilities. The implications of inaction are substantial; as technology becomes increasingly integral to national security, securing critical infrastructure from foreign influence must be prioritized.
