It has been just about two months since I last discussed the Congressional revolt against Chinese manufactured computers and for a while I thought that perhaps the story was dead, but leave it to a Congress member to not merely flog, but actually hitch his wagon to a dead horse. Washingtonpost.com is running an AP story saying that the State Department has declared that the 16,000 computers they purchased from Lenovo will not be used for classified work. This followed a complaint by Virgina Representative Frank Wolf, who while he may have been elected to represent the good people of Virgina, seems unlikely to qualify for a job setting up internet connections at people’s homes.
The government, Griffin wrote, is committed to making sure the purchase from Lenovo, the world’s No. 3 PC maker, will not “compromise our information and communication channels.”
Wolf, R-Va., chairman of the House subcommittee that finances State Department operations, said he raised alarms after he discovered that officials planned to use at least 900 of the computers in classified work and at U.S. embassies and consulates abroad. That, he said, possibly could give China access to sensitive U.S. information.
While there may in fact be a miniscule theoretical possiblity of a security breach resulting from some sort of clever trojan hidden deep in the firmware of a China manufactured computer (such as if State were stupid enough to use the Lenovo security chip), there is something unaccounted for by Mr. Wolf that would prevent them from buying computers entirely manufactured inside the United States. Namely, there aren’t any.
As a chart in this piece at DailyTech.com illustrates, over the past several years every single PC manufacturer, whether Chinese, Taiwanese, Japanese or even American, has come to do at least some of their manufacturing and basically all of their final assembly in China.
Unfortunately for Representative Wolf, banning the purchase of computers manufactured in China essentially means banning the purchase of computers. At least, unless he wants the government to trove attics and garage sales to collect 1980s models like my old Mac Classic.
But as for the real issue of whether or not manufacturing in China is a security risk. I would have to say, not particularly. While the computers may be “made” in China, they aren’t designed there. Just because a piece of electronics has “Made in China” stamped on its outer shell does not mean that the entire contents was made in China, only that the case was. But while the system may have been assembled and some of the components manufactured there, virtually none of the highest tech components responsible for the actual processing of the computer are made there.
Does it seem likely that it is possible to add a trojan to imported AMD chips made in Germany, or modify the design of an Nvidia chipset, designed in California and manufactured in Shenzhen, China by a Taiwanese company, so that it stealthily transmits keystrokes over the internet to Chinese servers?
Regardless of where the hardware is from, while the systems are preconfigured by the maker, we can assume the State’s IT department will wipe the hard drive and reinstall their own carefully tweaked (hopefully) secure disk image, and then replace the BIOS and firmware with vetted software written by the American or Taiwanese companies that actually designed the components.