Remembering the Trojan horse


As readers of this journal know, the United States is under increasing intelligence attack, with the most obvious being cyber attack. Of late, there has been increasing realization that the risk of attack has been heightened by the outsourcing of computer manufacturing. Let us assume, for the sake of discussion, that:

1. The Chinese are our geopolitical and economic competitors.

2. The Chinese consider espionage to be a viable means of competition.

3. The Chinese will use cyber-attacks against their competitors.

4. The Chinese are not total idiots.

Assuming that we accept these assumptions, it would be both unreasonable and insulting to posit that computers designed and built in China would not have hardware backdoors built in.

What does this mean in practical terms? Well, we know that we have areas of vulnerability. Thus, we know that when we make phone calls there is no longer an expectation of privacy, that the facility to listen in has been built into the system. You can expect that people might be listening in under court order, to test the system, by the government without court order, or if someone at the phone company has been bribed. Therefore you need to be careful about what you say, based on your expectation that anything you say will be overheard. By the same token, it is not unreasonable to expect that in the near future anything on your foreign-made computer will be accessible to those who built it.

Is this something that will concern you? It should concern you, but whether or not it actually does depends on several factors. At IPCI 2007 there was a general view that the only reasons to be concerned about loss of IPCI were:

(a) if there would be an enforced compliance issue;

(b) if dealing with it would produce a profit in the current quarter; or

(c) if you were a really small company. (If you are a $35 billion company and lose $100 million or have to close a division, who cares?)

If you have an OPSEC program you will care, and are probably already dealing with this issue, as well as others.
