by Derek Scissors
The concerns include computer network exploitation and computer network attacks, but also tampering with the physical infrastructure of communications and computer networks. Vulnerabilities could be introduced in the course of manufacturing equipment or created through purchase of malignant or counterfeit goods. Recent experience highlights these problems.
Such possibilities have brought calls for trade barriers, ranging from random entry-point inspections of various types of goods and equipment (e.g., chips and routers) to prohibition of some imports (e.g., communications hardware), especially from a major manufacturer, the People's Republic of China (PRC).
The trade proposals tend to be vague because the cyber threat itself, while real, is vaguely presented. While an ill-defined threat certainly bears watching, it does not justify protectionism. Cybersecurity is largely classified, but trade is not, and trade policy cannot be held hostage to cybersecurity unless specific dangers are put forward.
What Is the Threat?
A longstanding fear has been that cyber attacks against the U.S. might result in disruptions to power, banking, and communications systems at a critical moment. The cyber attacks on Estonia and Georgia, which disrupted commerce and communications, raise the specter that the U.S. might undergo the equivalent of a cyber Pearl Harbor. Efforts by the Defense Advanced Research Projects Agency (DARPA) to improve verification capabilities highlight the limitations of current computer engineering skills in, for example, diagnosing cyber intrusions. Initial studies on the Trusted Integrated Circuit program, seeking to create a secure supply chain, were requested in 2007. As of late 2010, DARPA was still seeking new research proposals for determining whether a given chip was reliable, and whether it had been maliciously modified, as part of the Integrity and Reliability of Integrated Circuits (IRIS) program.