Vehicles crossing border X-rayed by Chinese state-owned company devices
The tax and customs and airport are screening baggage and vehicles at the border with Chinese state-owned company equipment, which Lithuania considers a security threat. The equipment may not be a concern right now, but a cyber security expert recommends replacing it in the future.
China's technology poses an increasing threat, according to the Estonian Foreign Intelligence Service (Välisluureamet) yearbook, which was released on Tuesday.
However, the Tax and Customs Board (MTA) and Tallinn Airport continue to use X-ray equipment produced by the Chinese state-owned business Nuctech. These equipment are used at the border to check vehicles for illicit goods and at Tallinn Airport to X-ray hold baggage.
The U.S. has blacklisted Nuctech for security reasons and the Lithuanian government has also blocked the Chinese state-owned company from installing X-ray machines for security reasons.
Ursula Riimaa, the MTA's deputy director general in charge of customs, said the agency purchased a total of five Nuctech machines in 2017 and is using a total of seven machines purchased from a Chinese state-owned company.
Riimaa said the devices are local, meaning they are not connected to the network in any way. They do not communicate with the Tax and Customs Board or other databases, she said.
She said that all maintenance and repair of the equipment is done in Estonia and even then it is impossible for the equipment to be connected to the network.
Since the equipment procured in 2017 has a life span of 12 years, the agency is preparing to replace it soon. However, Riimaa did not rule out that the new equipment could also come from China.
"We are aware of China's threats, and we certainly take security risks into account," she said. "When these Chinese devices come in, there will be an assessment of the security risks, whether it is realistic that data will somehow be sent to China or not."
The chief of the Estonian Aviation Security Department, Tarvi Pihlakas, said that the airport was equipped with two Nuctech units in 2020. These units were acquired via a public tender.
"The equipment is on a local network, and no one can access people's personal data," he said.
Tax and Customs wanted to buy more equipment last spring
Just last spring, the tax and customs authorities wanted to buy more scanning equipment. In September, Eesti Päevaleht wrote about how the tender received two bids, a €2.88 million bid from Nuctech and a €4.5 million bid from Hansab OÜ. However, Hansab OÜ challenged the outcome of the tender on August 15.
The tender has ended without a contract, according to Karin Ulvik, a spokeswoman for the Tax and Customs Agency.
"Competitors say it is impossible to compete with Nuctech in a public procurement because the Chinese company can offer its product at an absurd price. International experts and critics believe that the Chinese government imposes a price on Nuctech so that it can offer a product below its production price," according to the daily.
"This is how a monopoly is achieved in the Western world and local players are driven out of the market."
Cybersecurity expert: In the long run, the whole system should be replaced
Rain Ottis, an associate professor at TalTech and director of the Center for Cyber Forensics and Cyber Security, said that in the short term, equipment from a Chinese state-owned company may not necessarily pose a security threat.
"A number of measures have been taken to mitigate security risks, including isolating equipment from the Internet and maintaining it in Estonia. While cybersecurity cannot be 100 percent guaranteed, well-chosen measures can reduce the risks associated with a cyber attack or data leakage to an acceptable level," he said.
But sanctions could cause the manufacturer to stop supplying new equipment, replacement parts, and software upgrades, resulting in technological dependency, which is a real risk, he explained.
"This does not imply that the technology at our borders will stop working immediately, but in the long run, the entire system should be replaced. This is the dilemma currently faced by the Russian aviation sector. For example, spare parts for the maintenance of Western aircraft are not available, and Russia lacks technological competence to manufacture them itself," he said.
Ottis emphasized that the situation appears to be distinct from the 5G argument a few years ago, which was about a manufacturer's capacity to take over devices with a network command or software update.
"X-ray devices that aren't connected to the network and are in a physically secured location are significantly more protected against collecting data and leakage than smart gadgets such as phones, health monitors, vacuum cleaners, or cars that are acquired on a 'lowest offer wins' basis," said Ottis.
Martin Paas, head of information security at the Estonian Information System Authority, said in a written statement that the agency had no legal basis to approve or deny certification of the devices.
"However, we can help agencies and businesses assess the risks associated with the use of equipment, as we did last year for the Tax and Customs Board's scanning equipment. The agency believes that the Tax and Customs Board has adequately assessed the risks of the equipment and taken appropriate steps to mitigate them," Paas wrote.
--
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Mait Ots, Kristina Kersa