Los Alamos replaces Chinese-made computer parts over security fears

http://www.guardian.co.uk/world/2013/jan/07/los-alamos-chinese-computer-parts

Version 0 of 1.

The US nuclear weapons laboratory that was the birthplace of the atomic bomb has replaced at least two Chinese-made components in its computer systems over fears they might pose a national security risk, according to a letter seen by the Reuters news agency.

The document, sent by the Los Alamos National Laboratory in New Mexico to the Department of Energy's security directorate, said the research facility discovered it had installed network switches made by H3C Technologies, based in Hangzhou, China.

H3C began as a joint venture between China's Huawei Technologies and 3Com, a US tech firm, and was once called Huawei-3Com. Hewlett Packard acquired the firm in 2010.

The discovery raises questions about procurement practices by US departments responsible for national security. The US government and Congress have raised concerns about Huawei and its alleged ties to the Chinese military and government. The company, the world's second-largest telecommunications equipment maker, denies its products pose any security risk or that the Chinese military influences its business.

Switches are used to manage data traffic on computer networks. The exact number of Chinese-made switches installed at Los Alamos, how or when they were acquired, and whether they were placed in sensitive systems or pose any security risks, remains unclear. The laboratory – where the first atomic bomb was designed – is responsible for maintaining America's arsenal of nuclear weapons.

A spokesman for Los Alamos referred enquiries to the Department of Energy's national nuclear security administration (NNSA), which declined to comment.

The letter, sent on 5 November 2012, was written by the acting chief information officer at Los Alamos and addressed to the NNSA's assistant manager for safeguards and security. It said that in October an unidentified network engineer at the lab alerted officials that H3C devices "were beginning to be installed" in its networks.

The letter says a working group of specialists, some from the lab's counter-intelligence unit, began investigating, "focusing on sensitive networks". The lab "determined that a small number of the devices installed in one network were H3C devices. Two devices used in isolated cases were promptly replaced," the letter states.

It went on to suggest that other H3C devices may still be installed and that Los Alamos was investigating "replacing any remaining H3C network switch devices as quickly as possible," including "older switches" in "both sensitive and unclassified networks as part of the normal life-cycle maintenance effort."

The letter adds that the lab was conducting a formal assessment to determine "any potential risk associated with any H3C devices that may remain in service until replacements can be obtained."

"We would like to emphasize that (Los Alamos) has taken this issue seriously, and implemented expeditious and proactive steps to address it," the letter states.

Corporate filings show Huawei sold its stake in H3C to 3Com in 2007, though H3C's website still describes Huawei as one of its "global strategic partners".

In October, the US House intelligence committee issued an investigative report that recommended government systems should not include components made by Huawei or ZTE, another Chinese manufacturer. The report said that based on classified and unclassified information, Huawei and ZTE "cannot be trusted to be free of foreign state influence" and pose "a security threat to the United States and to our systems."

William Plummer, Huawei's vice president of external affairs in Washington, said in an email to Reuters: "There has never been a shred of substantive proof that Huawei gear is any less secure than that of our competitors, all of which rely on common global standards, supply chains, coding and manufacturing.

"Blackballing legitimate multinationals based on country of origin is reckless, both in terms of fostering a dangerously false sense of cyber-security and in threatening the free and fair global trading system that the US has championed for the last 60-plus years."