China claimed Sunday that it had found security issues in semiconductor firm Micron products that “pose a major security risk to the country’s key information infrastructure supply chain and affect its national security” – saying that critical infrastructure providers in the country should cease using products from the US company.
China’s Cyberspace Administration (CAC) did not provide further information on the nature of the purported vulnerabilities, nor suggest any widespread public intervention to remediate or remove them of the kind that many Western telcos have been requested by policy makers to do with Huawei products in their infrastructure.
This stands in stark contrast to the extensive public disclosure of security issues in Huawei’s products by US and UK authorities or the breakdown of the tools, tactics and procedures used by Chinese advanced persistent threats (APTs) when attacking western telecommunications infrastructure for example
Micron, alongside South Korea’s Samsung and SK Hynix, is one of the three dominant players in the global Dram memory chip market (as well as a significant producer of NAND memory). Mainland China and Hong Kong generated $3.3 billion in sales for Micron in 2022, some 10% of its $30.8 billion in 2022 revenue.
Whilst much of those sales are chips for smartphones, Micron also ships advanced systems for global data centers, high-performance computing and flash memory used in advanced military and other systems.
Follow The Stack on LinkedIn
Micron may be the victim of geopolitical armwrestling.
The decision comes as Chinese press had speculated that the US memory chip firm was behind efforts to push the US government to impose sanctions against peers in China: In 2022, the US government added China’s leading memory chip producers Yangtze Memory Technologies Corp and ChangXin Memory Technologies to the Entity List (a trade restrictions list), denying them access to high-end chip manufacturing hardware and software to remain competitive. Micron announced the closing of its Shanghai chip design centre at the end of 2022 and according to SCMP offered 150 Chinese engineers relocation packages to the US or India.
(Micron, with US Chip Act backing,4 intends to invest up to $100 billion in the US over the next 20 years, $20 billion planned by the end of this decade, to build a leading-edge memory megafab in Clay, New York.)
The brief statement on May 21 by CAC followed a March 31, 2023 cybersecurity review of Micron’s products sold in China conducted under its National Security Law (2015), Cybersecurity Law (2016), and Cybersecurity Review Measures (2021) to “ensure the security of the supply chain of critical information infrastructure (“CII”), guard against cybersecurity risks caused by hidden product problems, and safeguard national security.”
The Micron investigation is the first cybersecurity review proactively conducted by the CAC under the April 2020 “Measures” which were revised in December 2021 jointly by thirteen central government departments.
In response to the investigation in March, Micron had said that it was participating fully and stood by the integrity and security of its products. The company told The Stack today: ““We have received the CAC’s notice of conclusion of its review of Micron products sold in China. We are evaluating the conclusion and assessing our next steps. We look forward to continuing to engage in discussions with Chinese authorities.”
