Preview: China Tech Threat Report Urges Banks to Avoid Chinese Government IT to Defend Against State-Sponsored Cyber-Attacks

Cyber-attacks against financial organizations are growing in frequency and severity, and U.S. banks are the most targeted, an upcoming White Paper by Dr. Roslyn Layton finds.

A complex thicket of government agencies and regulation has been largely ineffective in curbing cyber threats. In 2015, U.S. financial services were targeted about four times more than other industries. By 2019, financial firms experienced about 300 times more cyber-attacks than other companies.

“U.S. banks and financial service providers cannot rely solely on the government to combat state-sponsored cyber-security threats,” the report notes. “Policy analyses must face the stark reality that cyber-attacks are growing faster and larger than the execution of government actions to address them.”

Instead, financial services companies should proactively work to secure their networks by conducting regular cyber resilience audits, removing vulnerable hardware (particularly items produced by Chinese government-owned firms) and sourcing technology from democratic nations, where supply chains are less prone to manipulation.

“The United States can expect that the People’s Republic of China will leverage its citizens and technologies anywhere at any time to conduct a war that its adversaries may not recognize is going on,” Dr. Layton cautions.

China’s growing control of tech manufacturing and the collusion between the Chinese government and state-operated entities create a risk of backdoors being built into hardware that could enable attacks. The report cites the case of server-maker SuperMicro Inc, in which agents of the People’s Liberation Army installed tiny chips on the motherboards of servers purchased by U.S. companies, including Apple and Amazon Web Services. The chips allowed remote operators to direct the systems to exfiltrate data undetected.

“Hardware represents a gaping and exploitable hole in the current approach to cyber security,” John Villasenor, a former Nonresident Fellow at the Brookings Institution’s Center for Technology Innovation, cautioned. “Hardware-level vulnerabilities can be exploited to completely sidestep software-based security countermeasures.”

An important defense against such hardware vulnerabilities, the report notes, is for U.S. financial services firms to identify and remove products made by known Chinese government-owned and affiliated companies, like Huawei, Hikvision and Lenovo, and to source technology from democratic nations. “There is no silver bullet,” the China Tech Threat paper notes, “but following best practices and continually auditing their systems and equipment will help financial organizations stay ahead of attackers—and better protect U.S. financial organizations’ assets, reputation, and shareholder value.”

Data Source: Carnegie Endowment for International Peace and BAE Systems. Timeline of Cyber Incidents Involving Financial Institutions. FinCyber Initiative, Carnegie Endowment for International Peace. Accessed February 17, 2021.