Good article for information and anecdotes but it also rubbed me wrong: smacking a bit of American Exceptionalism.
I am so used to hearing what is basically propaganda in our press about how much better we are than the rest of the world, that now articles like this inspire scepticism.
Our country (USA) does indeed have a lot of advantages with: technology and geographic isolation.
But we also have problems in income inequality and increasing corruption in our political system (Clintons, Trump, etc., etc.)
I really like the ‘Sputnik’ analogy because just as my country had an ‘oh shit’ moment when we realized we were behind, I expect the Chinese to go through the expensive and long process of owning the entire stack, micro chips, and up.
> I expect the Chinese to go through the expensive and long process of owning the entire stack, micro chips, and up.
None of America's allies have chosen to "go through the expensive and long process of owning the entire stack" - America's allies use Windows, Android, Qualcomm, Intel, etc.
If China really does want it's own home-built silicon running it's own written-at-home operating systems, they need decades and they'd just replicate what Microsoft or Google have done to date (and probably less well.) I don't doubt that the CCP do want that independence from American technology, but to truly be independent is really quite an extreme proposition.
There's certainly no need to write custom operating systems. China already happily customizes Android and Linux extensively across a wide range of devices. You can see this today just by walking down the street where there are street lights running linux.
As for silicon China doesn't have much choice in the matter. Their dependence on American silicon may in fact be their greatest security risk. It's clear that the US and its allies will weaponize this advantage (see Stuxnet) so anybody relying on these chips is ultimately at their mercy.
> Their dependence on American silicon may in fact be their greatest security risk. It's clear that the US and its allies will weaponize this advantage (see Stuxnet)
Please elaborate on this point, my understanding is Stuxnet relied purely on software vulnerabilities (to spread and to take control of the centrifuges). I don't think it used any hardware backdoors or anything. If it did, I'd have expected the roar to be enormous, probably several times what we just had with Spectre/Meltdown.
The actual attack vector relies upon drivers signed by Taiwanese chip makers. (Taiwan happens yup be a country whose continued existence depends entirely upon the US.) If you depend upon say a Realtek card reader you're vulnerable.
> The actual attack vector relies upon drivers signed by Taiwanese chip makers.
But that's not a hardware attack. IIRC, Stuxnet used driver signing certificates to bypass some OS-level safeguards. It's quite possible that the needed certificates were stolen from a manufacturer that poorly protected them.
When you said:
>> Their dependence on American silicon may in fact be their greatest security risk. [emphasis mine]
The implication is that American silicon itself is backdoored. That may be true, but I don't think Stuxnet is in any way an example.
> The implication is that American silicon itself is backdoored.
There was no such implication. Compromising hardware never makes sense unless you can intercept the hardware en route (something the NSA has been known to do [1]).
> It's quite possible that the needed certificates were stolen from a manufacturer that poorly protected them.
It's also possible that unicorns exist. Considering that certificates have been "stolen" from Taiwanese firms multiple times [2] I'd say it's not irrational to consider the possibility that these firms either are directly or via the Taiwanese government cooperating with US cyberattacks.
All of this indicates that yes, relying on such foreign chipsets is huge security threat. China imports an incredible $200 billion a year in such chips so even putting aside the huge technological attack surface associated with such a dependency the dependency constitutes an immediate economic vulnerability.
> I'd say it's not irrational to consider the possibility that these firms either are directly or via the Taiwanese government cooperating with US cyberattacks.
But to be totally clear: that's no more than speculation.
It's also not irrational to consider the possibility that there's been no cooperation but that the certificates were stolen.
> It's also possible that unicorns exist. Considering that certificates have been "stolen" from Taiwanese firms multiple times [2]
Malware that uses stolen certificates is less unique than once thought. If a group building a bank trojan can steal certs, I'm sure state intelligence agencies can too.
There is also some reason to think their certificates would be targeted for theft, because code signed by those firms would be some of the least conspicuous. There are a lot of Taiwanese firms that make a lot of low-profile specialized support silicon that's literally everywhere (Sound, USB, Wifi, etc), and a driver signed by one will arouse less suspicion. Inconspicuousness would be a high priority for a nation-state hacker trying to avoid detection.
The possibility that the Stuxnet and Duqu certs were stolen is speculation too, but it's less inflammatory and more likely in my judgement.
It's also worth noting that getting explicit cooperation from a company to use their certificate would be risky for clandestine nation-state operation, since the more organizations that know about aspects of it, the more likely it will fail. If word got out that a particular code signing cert was shared, a rival actor could focus attention on suspicious code signed by that cert and be more likely to detect it.
>> The implication is that American silicon itself is backdoored.
> There was no such implication. Compromising hardware never makes sense unless you can intercept the hardware en route (something the NSA has been known to do [1]).
That's wrong. If the silicon is comprised from the get-go, there's no need for an interception step.
I’m not refuting your broader point (I have no opinion).
But corruption & income inequality exist in China as well. Depending on how you measure China has waaaay worse problems in those areas than the States do.
Like most things you read in NY Times it's about 5-10 years too late. It's been widely known for a while that China imports huge amounts of microchips and this creates enormous dependence on the West while also posing as a significant security risk [1]. China has no choice but to invest tens of billions into growing an alternate, "reliable" semi-conductor industry [2] and there's reason to believe the real number may be a multiple of the headline number. Nobody knows whether China will pull it off; the next ten years will tell but there's reason to believe they're already closing in on 14nm fabrication (no hard evidence here yet) and they're in it for the long game.
I suspect this will be a big problem for existing chip makers in the long run. Chinese chip makers will happily attack the fat margins that exist today and will offer (quasi-subsidized) prices that will prove irresistible elsewhere.
I am so used to hearing what is basically propaganda in our press about how much better we are than the rest of the world, that now articles like this inspire scepticism.
Our country (USA) does indeed have a lot of advantages with: technology and geographic isolation.
But we also have problems in income inequality and increasing corruption in our political system (Clintons, Trump, etc., etc.)
I really like the ‘Sputnik’ analogy because just as my country had an ‘oh shit’ moment when we realized we were behind, I expect the Chinese to go through the expensive and long process of owning the entire stack, micro chips, and up.