From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans – and the US government – increasingly wary of China-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in U.S. Department of Commerce warnings for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.
In July 2021, the Department of Commerce’s Bureau of Industry and Security added Hangzhou, China-based encryption chip maker Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named list of trade restrictions that highlights companies “acting contrary to United States foreign policy interests.” Specifically, the agency noted that Hualan was added to the list for “acquiring and … attempting to acquire items of U.S. origin in support of military modernization for [China’s] People’s Liberation Army.”
But nearly two years later, Hualan — and specifically its subsidiary Initio, a company originally headquartered in Taiwan that it acquired in 2016 — is still supplying encryption microcontroller chips to Western manufacturers of encrypted hard drives, including some that list Western government aerospace, military, and intelligence customers on their websites: NASA, NATO, and the US and UK militaries. Federal procurement data shows that U.S. government agencies, from the Federal Aviation Administration to the Drug Enforcement Administration to the U.S. Navy, have purchased encrypted hard drives that also use the chips.
The gap between the Commerce Department’s warnings and Western government customers means chips sold by Hualan’s subsidiary have gone deep into sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and Taiwanese origins before 2016. The Chinese ownership of the chip vendor has sparked fears among security researchers and China-focused national security analysts that they could have a hidden backdoor through which the Chinese government could covertly decipher the secrets held by Western agencies. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect.
“If a company is on the Entity List with a specific warning like this, it’s because the U.S. government is saying that this company is actively supporting another country’s military development,” said Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It says you shouldn’t buy from them, not just because the money you spend will go to a company that will use those proceeds to further another country’s military goals, but because you can’t trust the product.”
Technically, the Entity List is an “export control list,” said Emily Weinstein, a researcher at Georgetown University’s Center for Security and Emerging Technology. This means that American organizations are not allowed to export parts to companies on the list, rather than being barred from importing components from them. But Cary, Weinstein and the Department of Commerce note that it’s often used as a de facto warning to US customers not to buy from a listed foreign company as well. For example, both networking company Huawei and drone maker DJI have been added to the list because of their alleged ties to the Chinese military. “It’s kind of used as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert for anyone in the US government who is working with this company to take a second look at this.”
When WIRED contacted the Department of Commerce’s Bureau of Industry and Security, a spokesperson responded that the BIS is legally restricted from commenting to the press about specific companies and that a company’s privately held subsidiary, such as Initio, is not technically affected by the Entity List’s legal restrictions. But the spokesperson added that “generally affiliation with an entity-listed party should be considered a ‘red flag’.”