US Navy, NATO and NASA use shady Chinese company's encryption chips


From TikTok to Huawei routers to DJI drones, growing tensions between China and the United States have made Americans - and the US government - increasingly suspicious of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by a subsidiary of a company specifically flagged in US Commerce Department warnings for its ties to the Chinese military ended up in the storage hardware for military and intelligence networks across the West.

In July 2021, the Commerce Department's Bureau of Industry and Security added Hangzhou, China-based encryption chipmaker Hualan Microelectronics, also known as Sage Microelectronics, to its so-called "entity list", a vaguely named trade restriction list that highlights companies "acting contrary to the foreign policy interests of the United States". Specifically, the bureau noted that Hualan was added to the list for "acquiring and ... attempting to acquire US-sourced items in support of the military modernization of the People's Liberation Army [of China]".

Yet nearly two years later, Hualan - and in particular its subsidiary known as Initio, an originally Taiwan-based company it acquired in 2016 - is still supplying encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list Western government aerospace, military and intelligence agencies as customers: NASA, NATO and the US and UK armies. Federal procurement records show that US government agencies, from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy, have also purchased encrypted hard drives that use the chips.

The disconnect between Commerce Department warnings and Western government customers means the chips sold by the Hualan subsidiary have found their way deep into sensitive Western information networks, possibly due to the ambiguity of their Initio brand and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised concerns among China-focused security researchers and national security analysts that the chips may have a backdoor that would allow the Chinese government to stealthily decipher the secrets of Western agencies. And while no such backdoor has been found, security researchers warn that if there were one, it would be nearly impossible to detect.

"If a company is on the Entity List with a specific disclaimer like this, it's because the U.S. government says that company is actively supporting another country's military development," says Dakota Cary, China researcher at the Atlantic Council, a Washington, DC-based think tank. "That means you shouldn't buy from them, not only because the money you spend is going to a company that will use those profits in pursuit of another country's military objectives, but because you can't have confidence in the product."

Technically, the Entity List is an "export control" list, says Emily Weinstein, a research fellow at Georgetown University's Center for Security and Emerging Technology. This means that US organizations are prohibited from exporting components to companies on the list, rather than importing components from them. But Cary, Weinstein and the Commerce Department note that it is often used as a de facto warning to American customers not to buy from a publicly traded foreign company either. Networking company Huawei and drone maker DJI were added to the list, for example, for their alleged links to the Chinese military. "It's kind of used as a blacklist," Weinstein explains. "The entity list should be a red or perhaps yellow alert to anyone in the US government who works with this company to take a second look at this."

When WIRED contacted the Commerce Department's Bureau of Industry and Security, a spokesperson responded that the BIS is not authorized by law to comment to the press about specific companies and that a company's unlisted subsidiary, such as Initio, is technically unaffected by the legal restrictions of the entity list. But the spokesperson added that...

