America's counterintelligence czar, Dr. Joel F. Brenner, painted an alarming picture of economic espionage in 2006, albeit in the objective tones and neutral parlance of the intelligence community. He reported to Congress that "foreign collection efforts have hurt the United States in several ways":
Foreign technology collection efforts have "eroded the US military advantage by enabling foreign militaries to acquire sophisticated capabilities that might otherwise have taken years to develop."
"[M]assive" industrial espionage has "undercut the US economy by making it possible for foreign firms to gain a competitive economic edge over US companies."
Dr. Brenner's report goes on to say that foreign intelligence efforts increasingly "rely on cybertools to collect sensitive US technology and economic information." Foreign intelligence agencies do this by "placing collectors in proximity to sensitive technologies or else establishing foreign research" by "forming ventures with US firms." The report specifically identifies China and Russia as the leading culprits.
Dr. Brenner characterized China as "very aggressive" in acquiring U.S. advanced technology. "The technology bleed to China, among others, is a very serious problem," he said in March 2007, noting that "you can now, from the comfort of your own home or office, exfiltrate information electronically from somebody else's computer around the world without the expense and risk of trying to grow a spy."
On November 15, 2007, the bipartisan, congressionally chartered U.S.-China Economic and Security Review Commission (USCC) put a finer point on it: "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies." Cyberpenetration is by far China's most effective espionage tool, and it is one that China's spy agencies use against America's allies almost as much as against U.S. targets.
Genesis of China's Cyberwarfare
In the 1990s, China's Ministry of Public Security (MPS), which manages the country's police services, pioneered the art of state control of cyberspace by partnering with foreign network systems firms to monitor information flows via the Internet. By 1998, according to an insider's account of China's Internet development, the MPS and its subordinate bureaus found that their resources for monitoring the Internet had been overwhelmed by the sheer volume of Internet traffic -- which by 1998 had not yet reached 1 million users in China. Several U.S. firms reportedly aided the Chinese security services in constructing a new Internet architecture and training a vast Army of cyberpolice to monitor Internet sites in real time and identify both site owners and visitors. In August 1998, the cyberpolice announced their first arrest of a Chinese hacker via online monitoring.
China's MPS has been successful beyond its wildest dreams. Using widely available sophisticated telecommunications equipment and services and using its own software tailored to China's requirements, China can effectively monitor all domestic Internet and wireless traffic of its netizen population of 137 million.
The People's Liberation Army (PLA) organized its first cyberwarfare units (zixunhua budui) in early 2003. They have since become a highly active element in China's ground force organization, no doubt building on the expertise developed in the late 1990s by China's police and state security services, which are well trained and equipped in using the Internet and cell phone networks to monitor, identify, locate, and censor cyberdissidents. China's 2006 Defense white paper states the PLA's intention to "basically reach the strategic goal of building informationized armed forces and being capable of winning informationized wars by the mid-21st century."
PLA cyberwarfare units are both active and highly sophisticated. They are apparently the only PLA units that regularly target enemy military assets in the course of their duties. New PLA doctrine sees computer network operations as a force multiplier in any confrontation with the United States and other potential adversaries, including Taiwan, Japan, and South Korea as well as Canada, France, Germany, and the United Kingdom.
No Ordinary Hackers
The first public indication that PLA cyberwarriors had achieved initial operational capability came on November 1, 2004, Beijing time. As Time magazine melodramatically set the scene, on that day, PLA cyberwarfare troops "sat down at computers in southern China and set off once again on their daily hunt for U.S. secrets." Pentagon computer security investigators had monitored their operations since 2003, when the unit began their attacks on U.S. government networks as part of an information operation that U.S. investigators have codenamed Titan Rain.
Using a simple but elegantly modified "scanner program," the PLA's Titan Rain cyberwarriors identified network vulnerabilities in scores of Pentagon systems, including the critically important computers at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona; Defense Information Systems Agency in Arlington, Virginia; Naval Ocean Systems Center in San Diego, California; and Army Space and Strategic Defense Command in Huntsville, Alabama. The attacks were traced to a network in China's Guangdong Province, and the software and hacking techniques, according to one expert, identified it as a professional military operation. The hackers "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"
Are the Titan Rain attacks military operations run by the PLA or purely espionage collection efforts by the Ministry of State Security, China's civilian spy agency? One need only ask who benefits from penetrating the vast range of U.S. military targets. Chinese military doctrine discusses the importance of penetrating an adversary's military logistics and personnel networks. Furthermore, the multiple intrusions into what nuisance and criminal hackers would regard as boring, mundane networks -- networks that do not offer the treasure trove of credit card numbers, bank accounts, and identity data that criminal hackers typically seek -- suggest a military purpose. The attacks yielded a "substantial amount of reconnaissance" that would help the attackers to "map out" U.S. military telecommunications networks and "to understand who is talking to whom, and what means [we] are using to communicate."
However, this does not mean that the PLA is the only Chinese organization that is engaged in widespread cyberpenetrations of U.S. and global networks. General James E. Cartwright, commander of U.S. Strategic Command, testified before the USCC that "China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies."
When you do that type of activity, the opportunity to start to understand where the intellectual capital of a nation is and what it has put together to give you the chance to potentially skip generations in your R&D efforts -- this is not just military -- this goes across the commercial sectors, et cetera is usually availed.
For us, we generally think about things in terms of -- and I'm talking about military -- as a threshold is the law of armed conflict. As long as you're willing to stay below that, you are probing around, you are looking for opportunity, you may stumble across opportunity, probably some of it [is] serendipity when you're talking information operations. In fact, probably a large part of it is, but the idea is to get an understanding of the neighborhood.
The better you understand it, the more likely you are to be able to use that to your advantage should there be a conflict between us.
General Cartwright's words are a reminder that the tools of cyberspace are both weapons of war and channels of intelligence gathering and industrial espionage.
Software Skeleton Keys
People's Liberation Army cyberwarfare units now have the source codes for America's ubiquitous office software, which Microsoft provided to the Chinese government as a condition of doing business in China. This means that they essentially have a skeleton key to almost every networked government, military, business, and private computer in America. But Chinese government hackers do not restrict their operations to U.S. targets.
United Kingdom. Throughout December 2005, British Parliament offices were surreptitiously penetrated, also from computers using the Guangdong network. Britain's National infrastructure Security Coordination Center investigators told reporters, "These were not normal hackers.... The degree of sophistication was extremely high. They were very clever programmers." Some of the attacks targeted files in British government offices that deal with human rights issues -- "a very odd target," noted one U.K. security official, unless the hackers had been tasked by the Chinese government.
The hackers used highly sophisticated software and had authorization to develop Web sites in China. The hackers sent Trojan horse e-mails directing the recipients to the Web sites, which then corrupted the recipients' browsers. As one British network security expert observed, "Whoever is doing this is well-funded.... [I]t costs money to be able to mount an operation of this complexity."
The Trojan e-mail attacks targeted specific victims. "One email was targeted at one company in aviation. It was a Word document that had a Math/ cad component. If you did not have math/cad on your computer it would not open," said one expert. "The point was to find documents that had been written in that particular program and then send them back." PLA cyberpenetrations of Japanese organizations used Microsoft "zero-day" vulnerabilities.
The PLA cyberwarfare units undoubtedly discovered many of these vulnerabilities in key global operating systems and business programs after they reportedly gained full access to Microsoft source codes via the Chinese State Planning Commission. The commission had alleged that Microsoft's Windows operating systems were a "secret tool of the U.S. government" and obliged Microsoft to instruct Chinese software engineers on inserting their own software into Window's applications.
Taiwan. According to an official of Taiwan's Ministry of National Defense, in 2006, Taiwan detected 13 PLA zero-day attacks launched within Microsoft applications and experienced a total of 178 days of vulnerability between notifying Microsoft of the attacks and receiving the appropriate patches. One PowerPoint-based attack was so sophisticated that it took Microsoft engineers over two months to construct a patch. In spring 2006, a certain foreign "coast guard agency" discovered a covert program imbedded in its network that systematically searched for shipping schedules and then forwarded them to an e-mail address in China.
United States. After the Titan Rain attacks, the Pentagon shored up its cyberdefenses somewhat, but other U.S. government agencies remained lackadaisical. In 2006, Chinese intelligence agencies covertly attacked at least four separate U.S. government computer networks.
Sometime in the spring of 2006, State Department computers were shut down after software "backdoors" were discovered in the department's unclassified networks. Chinese hackers were using the backdoors to siphon off sensitive data dealing with China and North Korea. It was later reported that hackers had penetrated the State Department by exploiting a zero-day flaw in Microsoft software. In connection with this discovery, congressional pressure obliged the State Department to discontinue purchasing computers from Lenovo, the Chinese firm that acquired IBM's personal computer division in 2005.
In July 2006, overseas hackers operating from Chinese Internet servers penetrated computers in the Department of Commerce's Bureau of Industry and Security (BIS), which manages export licensing of military-use products and information. "Through established security procedures, BIS discovered a targeted effort to gain access to BIS user accounts," according to a Commerce Department spokesman, and Commerce officials admitted privately that Chinese hackers had implanted covert "rootkit" programs to mask their presence and enable them to gain privileged access to the computer system. When the damage was assessed, said one unnamed official, the agency's information security officers determined that the workstations could not be salvaged and instead spent several million dollars to build an entirely new system with "clean hardware and clean software."
In mid-November, computer security officials determined that Chinese military hackers had penetrated the unclassified computer network at the Naval War College in Rhode Island. Retired Air Force Major General Richard Goetze, a Naval War College professor, said the Chinese "took down" the entire Naval War College computer network -- an operation that prompted the U.S. Strategic Command to raise the security alert level for the Pentagon's 12,000 computer networks and 5 million computers.
At about the same time, in November-December 2006, computers at the National Defense University (NDU) in Washington, D.C., were also attacked. The NDU attack was unpublicized, although it was common knowledge in academic circles that NDU e-mail accounts had been shut down for weeks while the penetrated systems were replaced.
2007: A Banner Year for Chinese Cyber-Espionage
In 2007, a new spate of media reports of very sophisticated cyberattacks against U.S. and European government targets sparked renewed interest in China's military cyberwarfare capacity. In June, 150 computers in the $1.75 billion computer network at the Department of Homeland Security (DHS) -- guardian of the nation's critical cyberinfrastructure -- were quietly penetrated with programs that sent an unknown quantity of information to a Chinese-language Web site. Unisys Corporation, the manager of theDHS computers, allegedly covered up the penetration for three months.
In June 2007, Chinese military hackers circumvented the Defense Department's Titan Rain patches, again hitting a Pentagon network in the "most successful cyber attack against the US Defense department," according to the Financial Times. The newspaper cited a source who said that there was a "very high level of confidence...trending towards total certainty" that the Chinese Army was behind the attack.
The Financial Times also noted that "the White House had created a team of experts to consider whether the administration needed to restrict the use of Blackberrys because of concerns about cyber espionage." The vulnerability of networked PDAs is not theoretical. In October 2007, Dr. Brenner commented to a group of intelligence professionals, "This week I learned of another smart guy who, after taking his PDA to a foreign country well known for cyber intrusions, synched it up to his agency's networks." Brenner calculated flatly that "the risk that he has infected his agency's servers with a 'phone home' vulnerability approaches 100%."
In May 2007, Canada's intelligence chief told the Canadian Senate that "China is at the top of our list of counter-intelligence targets and accounts for close to 50 percent of our counter-intelligence program."
In August 2007, Der Spiegel reported that German security agencies had discovered that computers in Chancellor Angela Merkel's Bundeskanzleramt and three ministries had been infected with Trojans, which had been inserted by hackers associated with the Chinese espionage programs. Two days later, a poker-faced Chinese Premier Wen Jiabao promised to help track down the perpetrators when Chancellor Merkel confronted him with the matter.
A few days later, Chinese cyberattacks hit computers at Britain's Parliament and Foreign Office. On September 8, 2007, French Secretary-General for National Defense Francis Delon confirmed that "our information systems were the object of attacks, like in the other countries." Delon wryly noted, "We have proof there is involvement with China" but declined to say who in China was actually involved. Government offices in Australia and New Zealand were also reportedly hit by Chinese hackers in September. Chinese cyberspies apparently leave very few countries untouched.
Beware Chinese Bearing Gifts
No one should be comforted by the fact that some Chinese cyberattacks have been identified. While PLA cyberwarfare units devoutly wish to avoid detection, they also seek to give a false sense of security that all network penetrations can be detected.
One expert told a conference of federal information managers last year that "the Chinese are in half of your agencies' systems." U.S. Defense Department sources say privately that the level of Chinese cyberattacks obliges them to avoid Chinese-origin hardware and software in all classified systems and as many unclassified systems as fiscally possible. The high threat of Chinese cyberpenetrations into U.S. Defense networks will be magnified as the Pentagon increasingly loses domestic sources of "trusted and classified" microchips.
In a February 2005 report, the Defense Science Board warned that "a significant migration of critical microelectronics manufacturing from the United States to other foreign countries has [occurred] and will continue to occur." The strategic significance of this phenomenon cannot be overstated, because this technology is the foundation of America's ability to maintain its technological advantages in the military, government, commercial, and industrial sectors. Indeed, microelectronics supplies for Defense, national infrastructure, and intelligence applications are now in peril.
This is a critical national security issue because America's defense-critical electronics demand "trusted and classified" microchips. The "confidence that classified or mission critical information contained in chip designs is not compromised, reliability is not degraded, or untended design elements inserted in chips as a result of design or fabrication in conditions open to adversary agents" simply does not exist in commercial off-the-shelf (COTS) microchips from overseas foundries. Furthermore, as the February 2005 report explained, "Trust cannot be added to integrated circuits after fabrication; electrical testing and reverse engineering cannot be relied upon to detect undesired alterations in military integrated circuits."
Increasingly, China is the source of COTS microchips, and Chinese foundries and design shops have had direct network access to foundries in other countries, particularly Taiwan -- a fact that has become a source of alarm to Taiwan's intelligence agencies. Chinese microchip output increased an average of 37 percent annually between 2000 and 2007, giving China a 6 percent share of the world semiconductor market, and China's semiconductor production capacity grew about 45 percent annually for 2006 and 2007, which suggests that China will surpass the United States in output in five years.
Intel Corporation is reportedly building a $2.5 billion semiconductor wafer fabrication plant in Dalian, China. At the same time, however:
Manufacturing costs in China are [only] 10 percent lower than in the United States while manufacturing cost in Taiwan are 7 percent lower.
Almost all of the manufacturing cost difference...is accounted for by labor costs....
The composite cost data...does not support the hypothesis that...the current migration to China is due to lower construction and operating costs. Other factors, primarily the [Chinese] government policies...are driving this.
The United States simply "no longer [has] a diverse base of U.S. integrated circuit fabricators capable of meeting trusted and classified chip needs." The Defense Department's Trusted Foundry Program is a good start toward addressing near-term needs, but it does not address the long-term threat posed by a diminishing domestic capacity to supply critical systems for classified needs.
The 3Com-Huawei-H3C Nexus
Huawei Shenzhen technology Company -- China's top networking services, equipment, and supply corporation -- is a prototypical PLA protégé firm. It was founded in 1988 by Ren Zhengfei, a former director of the PLA General Staff Department's Information Engineering Academy, which is responsible for telecommunications research in the Chinese military. According to a RAND Corporation study, "Huawei maintains deep ties with the Chinese military, which serves as a multi-faceted role as an important customer, as well as Huawei's political patron and research and development partner."
Huawei's Dubious Reputation. The extremely close links between Huawei and the PLA mean that the People's Liberation Army has direct access to Huawei's training and technology infrastructure. The cyberwar units trained in this environment are now among the world's experts in the military applications of network communications and coding.
In 2003, Huawei was charged with stealing corporate secrets from U.S. counterpart Cisco Systems and wholesale pirating of Cisco's software -- "even the software 'bugs,' or glitches, and misspellings matched." With such a dubious reputation, one might think that Huawei would be persona non grata among American telecommunications firms, yet a few months later, 3Com established a joint venture with Huawei to manufacture and distribute routers in Asia.
The Problem. If a PLA protégé firm acquired an American firm that provided computer network equipment, software, and services to the U.S. government, the possibilities for cyber-espionage would be virtually unlimited. On September 28, 2007, Huawei technology announced its intention to participate in a Bain Capital Partners' corporate buyout of 3Com, one of Huawei's top U.S. counterparts.
This is a problem. 3Com is an important vendor of computer security software, routers, and servers to the U.S. government, and several U.S. Senators say that the company is apparently a vendor to the U.S. Department of Defense. How 3Com got into this predicament is complicated.
3Com, like many other U.S. high-tech firms, suffered losses during the U.S. stock market technology slump that began in 2001, and it looked for export opportunities in China. In 2003, in an attempt to penetrate the China market, 3Com sought out a top Chinese information technology firm with close ties to the government to help it break through government restrictions on telecoms and IT investments. Fatefully, 3Com partnered with Huawei technology, a company that was being sued by Cisco Systems, one of 3Com's major competitors in the United States.
In May 2003, faced with a ban on doing business in the United States because of vast intellectual property theft from Cisco, Huawei voluntarily withdrew from the U.S. market. 3Com would have been well aware of highly publicized charges against its new Chinese partner because Huawei was being sued at the time for stealing corporate secrets. However, 3Com formed H3C, a Chinese joint venture with Huawei, paying $160 million to Huawei to capitalize the joint venture in return for a 49 percent share. 3Com later paid Huawei $28 million for 2 percent of H3C's shares, giving 3Com controlling interest in H3C. "Controlling," however, is an imprecise term. Aside from two non-Chinese executives in H3C, the joint venture remained a Chinese entity staffed entirely by Huawei employees.
On November 29, 2006, 3Com reportedly bought out Huawei's 49 percent interest in H3C for $882 million, making H3C a wholly owned 3Com subsidiary. Altogether, 3Com paid Huawei $1.26 billion for H3C.
Yet details of the Huawei-3Com joint venture posted on China Computer World, a Chinese computer news Web site, indicate that every one of H3C's Chinese employees remains on Huawei's personnel rolls, even though Huawei no longer owns any H3C shares. "They retain Huawei personnel employment numbers, Huawei stock ownership, and their internal corporate contacts, job descriptions (zhiwei) and ranks." Therefore, Huawei likely continues to maintain all security dossiers and to control "work certificates" (gongzuo zheng) for all of H3C's Chinese citizen employees.
The 3Com-Huawei joint venture naturally raised suspicions because the Chinese military regularly penetrates U.S. national security agencies' computer systems. Huawei is now moving to buy a significant share of 3Com, initially paying $363 million for a 16.5 percent share via a major U.S. mergers and acquisitions firm. It is reasonable to speculate that Huawei intends eventually to take full control of 3Com, primarily as a vehicle for introducing Huawei's products into the U.S. market and incidentally giving China's telecoms access to American communications networks.
The irony is that 3Com paid Huawei $1.26 billion over the past four years for the privilege of having Huawei as partner in China. Now Huawei hopes to buy a slice of 3Com for $363 million.
India and Huawei. Unlike the United States, other countries are more leery of cooperation with China in the area of telecommunications. India has kept Huawei at arm's length despite Chinese President Hu Jintao's personal intercession with Indian Prime Minister Manmohan Singh to permit the Chinese telecoms firm to expand its marketing in India.
intelligence agency concerns about Chinese cyber-espionage prompted India to shelve a planned $60 million Huawei investment in its telecom in 2005. Although using Chinese equipment would be substantially less expensive than using domestic systems, India's Defense Ministry has warned that inadequate safeguards would also make strategic networks vulnerable to Chinese infiltration and manipulation. The choice was "between cheap Chinese equipment and national security." India's intelligence services also noted that Huawei "has been responsible for sweeping and debugging operations in the Chinese embassy. In view of China's focus on cyber warfare there is a risk of exposing our strategic telecom network to the Chinese."
Lessons Not Yet Learned
While the U.S. government is very reticent about the vulnerabilities of its databases to Chinese penetration, the known penetrations in 2007 alone show how widespread Chinese cyberattacks have become. Chinese PLA cyberwarfare units have already penetrated the Pentagon's unclassified NIPRNet (Unclassified but Sensitive Internet Protocol Router Network) and have designed software to disable it in time of conflict or confrontation. Indeed, Major General William Lord, Director of Information, Services and Integration in the Air Force's Office of Warfighting Integration admitted that "China has downloaded 10 to 20 terabytes of data from the NIPRNet already" and added, "There is a nation-state threat by the Chinese."
Richard Lawless, then Deputy Under Secretary of Defense for Asia-Pacific affairs, told a congressional committee on June 13, 2007, that the Chinese are "leveraging information technology expertise available in China's booming economy to make significant strides in cyber-warfare." Lawless noted that the Chinese military's "determination to familiarize themselves with and dominate to some degree the Internet capabilities -- not only of China and that region of the world -- provide them with a growing and very impressive capability that we are very mindful of and are spending a lot of time watching."
Lawless further testified that:
[The Chinese] have developed a very sophisticated, broadly-based capability to degrade and -- attack and degrade our computer systems and our Internet systems. I mean, the fact that computer access, warfare and the...disruptive things that that allows you to do to an opponent are well appreciated by the Chinese and they spend a lot of time figuring out how to disrupt our networks -- how to both penetrate networks, in terms of gleaning or gaining information that is protected, as well as computer network attack programs which would allow them to shut down critical systems at times of contingency. So first of all, the capability is there. They're growing it; they see it as a major component of their asymmetric warfare capability.
PLA cyberwarfare units' access to source codes for America's ubiquitous office software means that the PLA essentially has a skeleton key to every government, military, business, and private computer in America that is accessible through the Internet. General Cartwright has warned, "I think that we should start to consider that 'regret factors' associated with a cyber attack could, in fact, be in the magnitude of a weapon of mass destruction."
A well-planned and well-executed Chinese cyberattack could do significant damage to the U.S. economy, telecommunications, electric power transmission, financial data, and other vital infrastructure -- damage equal to or exceeding the effects of the 9/11 terrorist attacks, conceivably even causing significant loss of life. After such a cyberattack, even if no one was killed, "regret" would be an understatement.
What the Administration and Congress Should Do
Recent cyberattacks on the United States and its allies combined with warnings from the Defense Science Board and the U.S.-China Economic and Security Review Commission emphasize the seriousness of this growing threat to U.S. national security. To address this threat, the Administration and Congress should:
- Identify China as an intelligence risk. The Administration has been too timid in highlighting the espionage challenge from China. This failure to say that "China is our biggest intelligence problem" leads U.S. businesses and academies to assume incorrectly that they face no greater risk from Chinese penetrations than they face from any other country. The Office of the National Counterintelligence Executive, the Department of Justice, and the FBI should follow the USCC's lead and identify China as the top spy threat. Congress should hold public hearings on the problem primarily to educate the public, but also to gather important data for legislation.
- Address the legal impediments to criminal prosecution of cyberspies. Current U.S. criminal laws are vague about assisting unknown foreign actors to penetrate secure networks for information-gathering purposes. They are insufficient to prosecute other penetrations in which the purposes behind embedded Trojan horse programs are unclear.
- Closely examine Chinese commercial investments in cyber companies. The Treasury Department's Committee on Foreign Investment in the United States should closely examine any attempt by Chinese military or intelligence agencies to gain access to U.S. cybertechnology operations via commercial investments.
- Require software companies to patch vulnerabilities quickly. Software companies frequently seem to consider cyberpenetrations that involve no disruption of service as tolerable nuisances, not as immediate crises. Software firms should be required to give first priority to the most critical vulnerabilities and should coordinate with U.S. government cybersecurity offices in identifying, assessing the risks from, and patching and/ or mitigating vulnerabilities.
- Require "trustworthiness" in critical IT systems. Components for defense-critical IT systems -- from chips to storage devices -- must come only from trusted and certified firms. Congress must address the disappearance of an industrial capacity to manufacture trusted IT equipment for Defense needs over the long term, both by mandating "trustworthiness" for U.S. information systems -- i.e., that defense-critical microcircuits be 100 percent designed, fabricated, packaged, and tested in the United States under secure conditions -- and by providing adequate funding, personnel, and resources for compliance and oversight.
- Strengthen America's engineering and scientific competitiveness. In February 2005, the Defense Science Board made a number of recommendations to address this crisis, including the expansion of America's electrical engineering and scientific talent pool. At a minimum, Congress should offer "national service" incentives, including scholarships and internships, to students in the information science and technology fields and should require an ROTC-type commitment to national service in the IT industry as a condition of the academic grants.
Congress should also urge the Defense and intelligence agencies to leverage competition among the U.S. national laboratories as an ideal way to sustain peak innovation in IT research and development on highly classified systems. Just as the national laboratories competed with each other on scientific and engineering breakthroughs in developing nuclear weapons and tested each other's weapon designs, their competitive culture should be equally successful in designing and fabricating secure and trustworthy microchips.
America's vulnerability to cyberattacks is a critical threat to national security. If the Administration and Congress do not address these problems and implement the 2005 recommendations of the Defense Science Board, the fix will become prohibitively expensive and/or America's national security will be irreversibly compromised.
John J. Tkacik, Jr., is Senior Research Fellow in China, Taiwan, and Mongolia Policy in the Asian Studies Center at The Heritage Foundation.