During the Opening Session at the November 2019 Executive Summit Series forum in Washington D.C., one of the government officials I interviewed was William Evanina, Director of the National Counterintelligence and Security Center. The focus of the interview was on the threat landscape facing companies operating around the world. No one was surprised that a significant portion of the time was spent on the threat posed by China. A portion of the interview focused on the aggressive nature China has taken in its stated goal in its Made in China 2025 doctrine of global domination in virtually every category of products and services. It also touched upon the other stated goal of the Made in China 2025 doctrine of supplying domestic markets predominately from local Chinese suppliers.
Warning to Security System End Users
Evanina made a point of highlighting an area that should be of significant concern to Chief Security Officers (CSOs) and other end-users of all types of security systems. The majority of security devices today and in the future are IP-based and typically sit on an enterprise’s network. Evanina stated that the intelligence community has identified Chinese manufactured physical security devices as well as those containing Chinese manufactured electronic components and software as a high risk for cyber intrusion and data exfiltration from those enterprises deploying them.
I asked Evanina if the risk was sufficient to suggest that enterprises replace security devices, video cameras, and software of Chinese origin or containing software or electronic components originating in China. He agreed and urged everyone to proceed rapidly in replacing the types of devices we discussed. The intelligence community has found security hardware and software of Chinese origin transmitting data and video images back to China. These devices also pose a high risk of exposing your enterprise’s network to hacking and loss of critical data due to inherent vulnerabilities that exist in Chinese security hardware, software, and video cameras. Based on China’s stated goal of market domination, these vulnerabilities or portals have more than likely been purposefully designed into them. Don’t think for a minute, though, that private entities are the only ones that have this problem. Several U.S. Government facilities and military installations have been found to have these devices installed at many of their sites. The same goes for state and local government facilities as well as school and university campuses.
Evanina also explained that drones produced by Chinese companies and those containing electronic components and software developed in China have also been found to be transmitting data and video images back to China. The U.S. Department of Agriculture and the Department of Interior have grounded their entire fleet of drones as a result of these revelations and are in the process of replacing their drones with ones that are secure.
Mitigating This Clear and Present Danger
So, what are some of the steps enterprises should seriously consider adopting to mitigate these significant risks identified by the Intelligence Community?
- The first steps to consider is to determine if your enterprise has any security devices or video cameras installed in your security system that are Chinese products, have Chinese produced electronic components or software contained in them.
- Check with your security integrator /installer to provide the provenance on all security devices, video cameras and security software they have installed. If you do not feel that your current integrator/installer will be able to provide full and accurate details, then find an independent security integrator/installer to conduct the assessment for you.
- Once the assessment has been completed, determine what security devices and/or video cameras need to be replaced.
- Develop a new specification that either directly specifies that only the exact security devices and video cameras listed in the bid specification can be proposed/installed. There are a few independent security consulting firms that are experts in assisting enterprises in developing specifications for clients to utilize in the bidding process. The other approach is to require that the bidding firms certify that no Chinese produced devices or video cameras and no security devices or video cameras containing Chinese produced electronic components or software are being bid or will be installed. Once installed, make sure the firm provides a complete inventory with the provenance of all components, devices, cameras, and software.
- As a final step to mitigate future vulnerabilities, seriously consider removing all your security devices, video cameras, and software from your enterprise’s computer network and placing them on a standalone fiber optic-based network dedicated exclusively for security. This will virtually eliminate the risk of the security system being the attack vector responsible for a major data breach of the enterprise’s network. If you decide not to take this step and a devastating data breach is traced back to a security device, video camera or security software as being the portal from which the hackers gained access to your enterprise’s network, perhaps your successor will be able to get the segregated security network authorized and installed.
Another vital step an end-user should take is to gain control over the bidding and contract process for all security-related products and services. In many enterprises, the procurement organization has taken over these processes in their effort to produce the lowest costs to the enterprise for any products or services purchased. At the end of the day, the procurement department is not held accountable for the service level of the guard force or the functioning of security systems; that falls on the shoulders of the CSO who is stuck with what they have been handed by procurement. Procurement organizations are even utilizing online auction-type bidding for security guard services and other human-based services. This online bidding process is fine for commodities and office supplies, but when human services like security forces and cleaning crews are involved, on-line bidding of these services should be banned due to the optics alone, if for no other reason, but likely are in direct conflict with the stated values of the enterprise.
Even if you can’t control the bidding process, make sure that you develop detailed specifications, as previously mentioned, and work closely with your legal department in drafting contractual protections. You will want to ensure that bidders are required to provide detailed provenance on all security devices, video cameras and security software that is being bid and installed. Some savvy enterprises are not only requiring these certifications but are also demanding a performance bond, which can be utilized to replace elements of the security system should it be determined that the installed devices, cameras and/or software did not meet specifications.
Increasing Threat Environment Requires Diligence
Evanina also highlighted several other concerns during the Executive Summit Series forum. He told the audience of 150 senior risk, security and resiliency executives that he had briefed more than 1,000 Chief Executive Officers of corporations across virtually all industry sectors. He was quite surprised at their naiveté when it came to the risks faced by their respective enterprises relative to nation-state sponsored electronic intrusions and intelligence gathering. Additionally, he said that most of the CEO’s seemed surprised that the warnings about taking a cellphone or laptop into China were based on a real and not imaginary threat. The ability of the intelligence organizations of countries like China to download software onto cellphones and laptops as soon as they connect with the local in-country network is something they considered an urban myth.
The CEOs were generally unaware of the ability of the Chinese (and other nation-state actors) to remotely turn on the camera and microphone of a cellphone or laptop once it had been in-country and connected to the local network. He explained to them that this was a real threat to documented cases. They seemed shocked to find out that once the software had been installed, it could be activated on their phone or laptop anywhere the device was in the world.
Evanina went on to discuss another area that should be of great concern to any company working with the research arms of universities. He provided detailed briefings to the presidents of over 100 major universities housing large research centers on the threat posed by Chinese students working in their labs. He explained that the Chinese government has been systematically siphoning off leading-edge scientific research and industrial advancements being developed at these key universities. Examples of individuals stealing leading-edge research and returning to China with it to support Chinese advancements in areas of critical technology have become commonplace. Recently, one of the Chinese students here on an education visa and working in a prestigious university’s lab was found to be a Lieutenant in the Peoples Liberation Army and was receiving direction from her superiors in China on specific technologies they wanted her to focus on appropriating.
In another twist, Dr. Charles Lieber, Chair of the Department of Chemistry and Chemical Biology at Harvard University, was recently arrested and charged with making a materially false, fictitious and fraudulent statement. The professor is noted for his research and development of advanced nana technology. A quote from the government’s complaint stated: “Unbeknownst to Harvard University beginning in 2011, Lieber became a ‘Strategic Scientist’ at Wuhan University of Technology (WUT) in China and was a contractual participant in China’s Thousand Talents Plan from in or about 2012 to 2017.” Another portion of the charging document stated “China’s Thousand Talents Plan is one of the most prominent Chinese Talent recruit plans that are designed to attract, recruit, and cultivate high-level scientific talent in furtherance of China’s scientific development, economic prosperity, and national security. These talent programs seek to lure Chinese overseas talent and foreign experts to bring their knowledge and experience to China and reward individuals for stealing proprietary information.”
The Chinese Government utilizes stolen advanced scientific research and technology to support its stated goal of Chinese dominance in virtually every major sector globally and to support its Made in China 2025 doctrine. Made in China 2025 involves government subsidies, heavy investments in research and innovation and targets for local manufacturing content. It also builds on earlier government policies encouraging or requiring foreign companies seeking to access the Chinese market to enter joint ventures with and transfer technology to domestic firms. Another of China’s long-term goals with Made in China 2025 is to domestically produce everything needed to support their domestic markets serving over 1.4 billion people.
Evanina urged the attendees at the summit to double their efforts on increasing awareness relative to the significant threats to their enterprises. He recommended that they conduct an assessment to identify the most important technology and trade secrets that their enterprise has as its Crown Jewels. He further recommended that once the assessment has been conducted, they should deploy significant measures to segregate those Crown Jewels and protect them like the future of their enterprise depends on it. The viability and survivability of their enterprise do depend upon enterprises taking these risks seriously, as the Chinese and a whole host of other countries are working diligently to steal their Crown Jewels and dominate the market segments that their companies presently hold global leadership positions.
In closing, Evanina emphasized the importance of building an effective insider threat program, conducting defensive briefings and ensuring that employees only carry a clean phone and clean laptop when traveling to China. He also recommended that they only be allowed to take a very limited amount of data with them on those trips and limited to what they specifically need to conduct business within China.
If you would like recommendations on an integrator that has its own lab to test and evaluate security devices, cameras and software; a physical security consultant that can assist you in developing a detailed specification for an RFP; or want to discuss becoming an intelligence-led security organization that proactively identifies and mitigates risks for your enterprise, you can contact Mr. Mattice directly at [email protected]
About the Author: Lynn Mattice is the co-founder of the Executive Summit Series™ forum and is a well-known enterprise risk, cyber, resiliency, intelligence, and security consultant with over 30 years’ experience as a CSO serving three major global corporations