Fear of Chinese and other foreign hackers has prompted New Zealand government cyber-spooks to clamp down on equipment containing components manufactured outside of certain approved countries.
Computerworld has been told the Government Communications Security Bureau (GCSB) has beefed-up its policy requiring that computer and networking equipment — and components within equipment — used in government not be manufactured in China or other non-approved countries.
Given that so much technology is either directly manufactured or manufactured by outsourcers in China, that is a big ask.
An industry source told Computerworld the policy aims to ensure equipment used by government does not contain software that could be used in attacks or to compromise high-level information.
GCSB was unable to provide detail on the policy last week, but director of corporate services Hugh Wolfensohn says the focus of the bureau is mainly on networks that carry classified information. For those there would be some issues about country of origin, he says.
IT and security consultant Greg Harbers, a director of Auckland-based Finao, says he has noticed a lot more emphasis on GCSB-compliance in government tender requests since last year’s Chinese hacking scare.
Peter Benson, CEO of Security-Assessment.com, says government has “got to be right to be concerned” about modified hardware or firmware.
Benson says while much Chinese equipment is manufactured by corporations, many of these have relationships with the Chinese government.
“The likelihood of back doors or Trojans is low, but it is a risk,” he says.
Benson says New Zealand follows the Australian Defence Signals Directorate’s lead on these matters. Generally, equipment has to meet what he calls “common criteria”, which involves a full design review by a third party.
While government is prepared to pay the extra cost involved in procuring equipment that is compliant, private sector companies are more cost-driven and may not be so willing, the source says.
Trojans and malware has been discovered in equipment coming out of China recently. A password-stealing backdoor Trojan was found in USB picture frames sold in the US last month. The sophisticated software used the autorun feature to install itself on the PC and modified the registry to prevent viewing of hidden files and folders. It also disabled antivirus and other security features.
Last week, security concerns scuttled a plan for US-based Bain Capital Partners and China’s Huawei Technologies to buy networking equipment vendor 3Com. The US Committee on Foreign Investment (CFIUS) would not agree to the deal because of security issues.
The proposed US$2.2 billion (NZ$2.7 billion) deal, announced in September, raised security concerns because of networking giant Huawei’s close ties with the Chinese government.
Last year, computers at the German chancellery and three ministries were reportedly infected with a Trojan, allowing the attacker to spy on German government information. Germany’s intelligence service reportedly suspected hackers associated with the Chinese Army.
That news was followed by a statement from Security Intelligence Service chief Warren Tucker who said that foreign governments have hacked into New Zealand Government computer systems.