On one hand, policymakers in the United States, from local leaders to national figures, have voiced strong opposition to Chinese products, calling for sweeping bans on Chinese technology across American soil. Yet, there appears to be a significant disconnect between the rhetoric and the reality of how deeply Chinese influence pervades the nation’s technology infrastructure. The uncomfortable truth is that nearly every critical electronic component and software used in American systems has Chinese provenance in some form, whether directly or indirectly.
This troubling fact has been brought to light in a recent report by Fortress Information Security, a Florida-based company dedicated to protecting public and private entities from cyber threats, including those posed by state actors. The report, titled “Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software”, paints a sobering picture of how deeply embedded Chinese-made software code is within the critical infrastructure that underpins the U.S. economy and security.
The Scale of the Problem
The findings of the report are nothing short of alarming. According to Fortress, a staggering 90% of the software powering products in the U.S. critical infrastructure contains code that originates from China. This software, which is widely used across industries such as energy, transportation, and telecommunications, has been identified as highly vulnerable to exploitation. These vulnerabilities, often present in the form of hidden backdoors or unpatched flaws, make the infrastructure ripe for cyberattacks or sabotage, should an adversarial state actor choose to exploit them.
To arrive at these conclusions, Fortress used binary analysis technology to create a Software Bill of Materials (SBOM) for each product catalogued in the North American Energy Software Assurance Database (NAESAD). This database houses data on thousands of products, including components used in network management, operational technology, and other critical systems.
The report highlights a staggering total of 9,535 vulnerabilities across more than 8,700 components used in over 2,000 products. These products, sourced from over 240 vendors, are essential for the functioning of critical infrastructure, making them prime targets for exploitation by malicious actors. While these vulnerabilities have existed for years, they have largely remained “silent threats,” hidden in the background, unnoticed until now.
The Silent Threat of Chinese Code
Fortress Information Security further emphasizes the scale of the danger by using the Exploit Prediction Scoring System (EPSS), a method for assessing the likelihood of vulnerabilities being exploited in real-world scenarios. The findings suggest that Chinese-made code could provide the Chinese government or affiliated hackers with the means to undermine U.S. economic and physical security. With tensions rising between the U.S. and China, Fortress CEO Alex Santos warns that, in the event of an escalated conflict, these vulnerabilities could be weaponized to disastrous effect.
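The SBOM and EPSS steps described above can be combined by a defender to decide what to patch first. The following is an added example, not code from the Fortress report or the NAESAD: it joins a CycloneDX-style SBOM's vulnerability list with EPSS scores and ranks components by their most likely-to-be-exploited CVE. The SBOM fragment, component names, CVE ids and scores are constructed placeholders.

```python
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment; component names and CVE ids are
# placeholders, not values from the NAESAD or the Fortress report.
SBOM = {
    "components": [
        {"bom-ref": "pkg:generic/netmgmt-agent@3.1.0", "name": "netmgmt-agent",
         "supplier": {"name": "Vendor A"}},
        {"bom-ref": "pkg:generic/ot-modbus-lib@0.9.4", "name": "ot-modbus-lib",
         "supplier": {"name": "Vendor B"}},
        {"bom-ref": "pkg:generic/json-parser@2.0.1", "name": "json-parser",
         "supplier": {"name": "Vendor C"}},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "affects": [{"ref": "pkg:generic/netmgmt-agent@3.1.0"}]},
        {"id": "CVE-EXAMPLE-0002", "affects": [{"ref": "pkg:generic/netmgmt-agent@3.1.0"},
                                               {"ref": "pkg:generic/json-parser@2.0.1"}]},
        {"id": "CVE-EXAMPLE-0003", "affects": [{"ref": "pkg:generic/ot-modbus-lib@0.9.4"}]},
    ],
}

# Constructed EPSS scores: probability (0..1) that the CVE is exploited in the
# wild within the next 30 days. Real scores come from FIRST's EPSS data feed.
EPSS = {"CVE-EXAMPLE-0001": 0.02, "CVE-EXAMPLE-0002": 0.87, "CVE-EXAMPLE-0003": 0.41}


def vulns_by_component(sbom):
    """Map each component bom-ref to the CVE ids that affect it."""
    out = defaultdict(list)
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            out[target["ref"]].append(vuln["id"])
    return dict(out)


def prioritise(sbom, epss, threshold=0.1):
    """Rank components by the highest EPSS score among their CVEs.

    Returns (bom-ref, supplier, max_epss, cve_count) tuples, most likely to be
    exploited first. A CVE with no EPSS entry scores 0.0 rather than being
    dropped, so unscored findings remain visible in the output at threshold 0.
    """
    by_ref = vulns_by_component(sbom)
    ranked = []
    for comp in sbom["components"]:
        cves = by_ref.get(comp["bom-ref"], [])
        if not cves:
            continue
        best = max(epss.get(cve, 0.0) for cve in cves)
        if best >= threshold:
            ranked.append((comp["bom-ref"], comp["supplier"]["name"], best, len(cves)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

Components sharing one high-EPSS CVE (here the two that include CVE-EXAMPLE-0002) surface together at the top, which is the supply-chain pattern the report describes: one flawed upstream component reused across many products.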
“Hence, all software and physical products running on Chinese code should be weeded out from the national critical infrastructure,” Santos said in a statement. This call to action underscores the gravity of the situation, urging policymakers to take swift and decisive action before it is too late.
The Global Supply Chain Dilemma
The issue of Chinese-made components in critical infrastructure extends beyond China-U.S. relations. In a globalized economy, supply chains are deeply intertwined, and the reach of Chinese manufacturing is far-reaching. Even products manufactured in countries like Vietnam, South Korea, or Japan—nations often viewed as geopolitical allies—contain significant portions of Chinese-made components. Whether it’s a microchip or a software module, many of the essential parts of modern electronic products come from China.
This poses a difficult dilemma. On one hand, the reliance on Chinese components is not easily ignored, as they are integral to the functioning of many electronic devices. On the other hand, the security risks posed by these components are real, and the stakes are incredibly high. As Fortress’s report suggests, if these vulnerabilities are left unchecked, they could expose the U.S. to significant cyber risks, potentially undermining national security, economic stability, and even public safety.
A Call for Immediate Action
With the presidential election on the horizon, the timing of this report couldn’t be more critical. The next U.S. president must recognize the growing threat posed by foreign-influenced software and hardware in critical infrastructure. To protect the nation from potential cyberattacks and safeguard its economic and physical security, policymakers need to take immediate steps to assess and address these vulnerabilities.
One possible solution is the development of stronger, more comprehensive policies that mandate greater scrutiny of foreign-sourced software and hardware in critical infrastructure systems. This could include more stringent cybersecurity audits, the creation of more robust software supply chain standards, and stronger collaboration between the public and private sectors to identify and eliminate vulnerabilities before they can be exploited.
The stakes are high, and the time to act is now. The coming years will be pivotal in determining how the U.S. addresses this silent and growing threat. As technology becomes increasingly essential to the nation’s security, the importance of securing critical infrastructure from foreign influence will only continue to grow.