U.S. Response to Chinese Hacking
A rule slipped into a recent spending bill prevents U.S. government agencies from buying computers built by Chinese companies. The move is aimed at preventing further hacking by the Chinese government.
The new legislation is limited to purchases made by the Departments of Commerce and Justice, the National Science Foundation and NASA. These agencies are now prohibited from purchasing any computer equipment manufactured or assembled by any business "owned, operated or subsidized" by China. The law is set to expire at the end of the fiscal year.
The move is in response to a 74-page report published by private cyber security experts Mandiant in February. Mandiant had responded to over 150 cases of hacking and, working backwards, had pieced together a profile of the so-called "Advanced Persistent Threat" behind the attacks. Mandiant concluded: "We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support."
But Mandiant did far more than identify the funding behind the cyber attacks: they traced the attacks to their physical source, "a 130,663 square foot facility that is 12 stories high and was built in early 2007" in Shanghai. Based on the size of the facility, Mandiant estimates that the hacking center "is staffed by hundreds, and perhaps thousands of people."
Additional information gathered after Mandiant's report was published suggests the military unit carrying out the attacks had been in operation since at least 2004.