Obama signs law requiring NASA, Justice and Commerce departments get clearance from the FBI before buying IT systems from China-related firms

President Barack Obama has made it more difficult for some government entities to buy information technology systems from China, sending a message that the country needs to curtail hackers stealing trade secrets from U.S. corporations.

Obama this week signed a spending law that included a provision requiring NASA and the Justice and Commerce departments to get clearance from the Federal Bureau of Investigation (FBI) before buying IT systems from companies “owned, directed or subsidized by the People’s Republic of China.”

The restriction follows months of warnings from government officials that Chinese hackers have been increasing their efforts to steal information from U.S. companies, including those connected to U.S. critical infrastructure.

“Make no mistake, there is a danger here [of spyware],” said Paul Henry, security and forensic analyst for Lumension. “This isn’t a case of the government being overly paranoid.”

On Thursday, Reps. Sander Levin, D-Mich., and Charles Rangel, D-N.Y., urged the Obama administration to tighten the screws on China further by formally targeting China for the theft of U.S. trade secrets, Reuters reported. If such an action were taken by the U.S. Trade Representative’s office, then duties could be imposed on Chinese goods.

The provision signed by the President could lead to trouble with the World Trade Organization, Stewart Baker, a partner at Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security, said in a blog post. Countries outside of China where companies like Lenovo and Huawei have IT products made could challenge the new law in the WTO. Countries such as Germany or Britain could claim that the provision violates the WTO’s government procurement code, which prohibits members from discriminating against other member countries, Baker said.
China has never signed on to the code, so it couldn’t wage a challenge on its own.

“This means the U.S. could see WTO challenges to the provision from its own allies, unless they’re so sick of Chinese hacking that they decide to emulate the new provision rather than attack it,” Baker said.

Whether the WTO gets involved will depend on how the Obama administration interprets the law and implements it. In addition, China is sure to have its own response.

“How will China react? Not well,” Baker said. “China has spent years trying to curtail its own purchases of IT from outside its borders, but that won’t stop it from calling the bill protectionist and claiming a violation of U.S. WTO obligations.”

In October 2012, the House Intelligence Committee recommended that the U.S. government and corporations not buy equipment from Chinese telecom manufacturers Huawei and ZTE. The panel had found that the companies could not guarantee their products would be free from spyware. The companies denied the allegations, and Chinese officials have said the government is not responsible for cyberattacks on U.S. companies. China claims its government entities and companies are also increasingly under attack.

Nevertheless, the threat of the U.S. government buying equipment with spyware is real, experts say. Such malware could be buried in hardware and move information to a command-and-control server.

“What that boils down to is a piece of malware executed at a level below the operating system, where it is virtually undetectable by just about every cybersecurity product on the market today,” Henry said.
“There is some amount of doubt in the security community about whether this sort of attack is even practically possible, but I assure you, it is.”

At the Black Hat conference in 2006, Joanna Rutkowska, founder and chief executive of security research firm Invisible Things Lab, demonstrated a proof-of-concept rootkit (http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html) that could be embedded in IT equipment.