There's an old movie from the 1970s called "The China Syndrome," about a reporter and cameraman who uncover massive safety cover-ups at a nuclear power plant. In the 21st Century, the China syndrome has become something else -- anxiety that runs deep in national defense circles whenever someone from China takes an interest in American IT security technology.
It usually involves hackers in China trying to steal sensitive data from government networks—most notably the Titan Rain attacks discovered three years ago. More recently, the concerns stem from the $2.2 billion merger agreement between 3Com, private equity firm Bain Capital and a Chinese company called Huawei Technologies
Under the deal, Bain Capital and Huawei Technologies were to team up to acquire 3Com, whose product line includes security offerings it gained with the acquisition of security vendor TippingPoint in 2004. 3Com also makes Internet router and networking gear used by the U.S. military, and since Huawei Technologies has business connections with the Chinese military, the deal was a source of heartburn within the Bush Administration.
The federal Committee on Foreign Investment in the United States (CFIUS) investigated the national security implications of the deal and expressed its misgivings. 3Com tried to quell the concern by offering to divest itself of TippingPoint, but that failed to soothe the feds. And so the three companies released a statement Wednesday announcing that they've withdrawn their joint filing to CFIUS.
The question many in the information security are asking is if CFIUS' concerns were overblown. After all, China is a major trading partner with the U.S. and this isn't the first time a Chinese entity has tried to acquire technology used in U.S. agencies.
Ken Pfeil, head of information security for a financial services organization in New York, is among those who believe it made no sense for the feds to block the deal.
"If my systems had over-reaching national security implications, things might look a little differently from my perspective, but as it stands this is no different than the Lenovo deal that was allowed to go through," he said, referring to the Lenovo Group's acquisition of the IBM Personal Computing Division in 2005. CFIUS gave its blessing to that deal after looking into concerns that Lenovo's deep roots in China would present national security risks for the U.S.
But many security professionals say concern over the 3Com deal was warranted, including Keith Gosselin, IT officer for Biddeford Savings Bank in Maine. His personal view is that acquisitions coming from China are worth worrying about, but that the feds probably can't keep playing the national security card to stop them.
"Let's face it, most of our equipment is manufactured in China or an Asian nation now, so how can we stop service companies from utilizing China's money and resources?" he asked. "How do you discern the difference between India and China or other countries for that matter?"
For his part, Gosselin said he'd have second thoughts about using a company based in China to handle managed security services.
Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, said the 3Com deal was of valid concern on the national stage. It's always a risk when critical infrastructure is influenced by another nation state and it's common knowledge that China likes to spy on the U.S, and vice versa. But the risks to private companies using technology under foreign influence is less certain at this point.
"Does this affect the day-to-day life of the average IT guy? I don't think so," he said. "But there is a historical record of espionage between competing companies and even among allies."
The bigger concern for enterprise IT shops using TippingPoint products is whether the technology will remain stable given all the uncertainty about its future in recent months. Before its offer to divest itself of TippingPoint, 3Com last year suggested that it might spin off TippingPoint via an initial public offering (IPO).
"When you have the uncertainties as we have seen with 3Com, it's time to think about switching to another product," Mogull said. "Uncertainty from the supplier is a cause for concern because you don't know what'll happen in terms of quality and support."
His advice to TippingPoint users is to stick with the technology, but for prospective customers to ask tough questions and get assurances in writing from the vendor that the product will be properly maintained.
Eric Maiwald, vice president and service director of security and risk management strategies at Midvale, Utah-based Burton Group, noted that rumors of TippingPoint being cut loose go back years and that in an ever-shrinking security market it's difficult for a single security company to survive on its own.
"It might be better to sell it off to someone else," he said of TippingPoint.