New U.S. law tightens screws on Chinese cyberespionage

President Barack Obama has made it more difficult for some government entities to buy information technology systems from China, sending a message that the country needs to curtail hackers stealing trade secrets from U.S. corporations.

Obama this week signed a spending law that included a provision requiring NASA and the Justice and Commerce departments to get clearance from the Federal Bureau of Investigation (FBI) before buying IT systems from companies "owned, directed or subsidized by the People's Republic of China."

The restriction follows months of warnings from government officials that Chinese hackers have been increasing their efforts to steal information from U.S. companies, including those connected to U.S. critical infrastructure.

"Make no mistake, there is a danger here [of spyware]," said Paul Henry, security and forensic analyst for Lumension. "This isn't a case of the government being overly paranoid."

On Thursday, Reps. Sander Levin, D-Mich., and Charles Rangel, D-N.Y., urged the Obama administration to tighten the screws on China further by formally targeting China for the theft of U.S. trade secrets, Reuters reported. If such an action was taken by the U.S. Trade Representative's office, then duties could be imposed on Chinese goods.

The provision signed by the President could lead to trouble with the World Trade Organization, Stewart Baker, a partner at Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security, said in a blog post. Countries outside of China where companies like Lenovo and Huawei have IT products made could challenge the new law in the WTO.

Countries such as Germany or Britain could claim that the provision violates the WTO's government procurement code that prohibits members from discriminating against other member countries, Baker said. China has never signed on to the code, so couldn't wage a challenge on its own.

"This means the U.S. could see WTO challenges to the provision from its own allies, unless they're so sick of Chinese hacking that they decide to emulate the new provision rather than attack it," Baker said.

[Also see: new malware shows Android has a target on its back]

Whether the WTO gets involved will depend on how the Obama administration interprets the law and implements it. In addition, China is sure to have its own response.

"How will China react? Not well," Baker said. "China has spent years trying to curtail its own purchases of IT from outside its borders, but that won't stop it from calling the bill protectionist and claiming a violation of U.S. WTO obligations."

In October 2012, the House Intelligence Committee recommended that the U.S. government and corporations not buy equipment from Chines telecom manufacturers Huawei and ZTE. The panel had found that the companies could not guarantee their products would be free from spyware.

The companies denied the allegations, and Chinese officials have said the government is not responsible for cyberattacks on U.S. companies. China claims its government entities and companies are also increasingly under attack.

Nevertheless, the threat of the U.S. government buying equipment with spyware is real, experts say. Such malware could be buried in hardware and move information to a command-and-control server.

"What that boils down to is a piece of malware executed at a level below the operating system, where it is virtually undetectable by just about every cybersecurity product on the market today," Henry said. "There is some amount of doubt in the security community about whether this sort of attack is even practically possible, but I assure you, it is."

At the Black Hat conference in 2006, Joanna Rutkowska, founder and chief executive of security researcher Invisible Things Lab, demonstrated a proof-of-concept rootkit ( that could be embedded in IT equipment.

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyberespionageapplicationsobamasoftwarefbidata protectionData Protection | Data Privacy

More about FBIFederal Bureau of InvestigationHuaweiLenovoLumensionNASAReuters AustraliaWTOZTE

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place