TAIPEI -- U.S. technology companies, concerned that server power cords and plugs could be used by China to access sensitive data, have asked Taiwanese suppliers to shift production of these components out of the mainland.
Lite-On Technology, whose customers include Dell EMC, HP and IBM, is building a new factory in Taiwan to manufacture power components for servers at the request of American clients that cited cyberespionage risks from Beijing, according to one executive.
Quanta Computer, which supplies servers and data centers to U.S. tech companies including Google and Facebook, has shifted production to Taiwan and elsewhere, citing security as one of the reasons, an executive told the Nikkei Asian Review.
"Cybersecurity, tariffs and geopolitical risks are the three main factors" propelling the decision by Quanta and its clients to move production, the executive said.
The drive by U.S. information technology companies to eradicate security threats is reaching even the most mundane of components. Some face pressure to source these components outside of China, despite the higher production cost.
"Unlike many other Taiwanese tech manufacturers diversifying their production away from China to avoid Washington's tariffs on Chinese goods, the top priority [for Lite-On's new plant] is addressing U.S. clients' security concerns," said the Lite-On executive who has direct knowledge of the company's plan. The executive declined to name these clients.
Cybersecurity experts confirmed that such a risk is legitimate, though no known hacking incidents have involved the power components of servers as the main point of entry.
"It is totally reasonable for U.S. companies to have such concerns because, technically, it is doable and not difficult for hackers to use the power supply system or power cords to retrieve data stored in servers," Tien Chin-wei, deputy director at the Taipei-based Cybersecurity Technology Institute, told the Nikkei Asian Review.
In servers, the data warehouses of the digital economy, the structure of the power supply system is more complicated than in ordinary consumer electronic devices like smartphones or notebooks. This makes it difficult to detect whether unwanted chips have been implanted in the power supply during production, cybersecurity experts said.
"If the server is compromised and the chip implanted in the power supply system is activated, the power lines could serve as a covert channel to transmit data," Philippe Lin, senior threat researcher at cybersecurity company Trend Micro, told Nikkei.
Besides common targets such as servers, data centers or large telecommunications infrastructure, these attacks also could occur against personal electronic devices, the experts said. Lin noted incidents in which free charging cable provided by public spaces in China accessed smartphone data if individuals plugged in the fast-charging cable.
Lite-On supplies power components and power supply systems used in various electronics from smartphones and notebooks to servers and data centers. The company's power supply systems and parts often are shipped to manufacturers like Quanta, Wistron, or Inventec for final assembly into servers.
Lite-On's American customers had been alarmed by reports from Bloomberg Businessweek last year alleging that Beijing implanted tiny chips into the data center supply chains of U.S. tech companies, the executive with the Taiwanese manufacturer said.
Beijing denied the spying allegations. Tech companies like Amazon.com and Apple also challenged the report.
"Regardless of the authenticity of the report, the American clients want to elevate their security measures, and they also do not want to upset the Trump administration," the Lite-On executive said.
The company is investing about 10 billion New Taiwan dollars ($324 million) to construct the new facility and research center in the southern Taiwanese city of Kaohsiung, which was previously planned to make electronic components for automobiles. Lite-On confirmed that the focus of the facility now is to produce server power parts to address American clients' need for higher security standards. The facility is scheduled to begin pilot operations in June.
Major server and data center manufacturers such as Quanta, Inventec and Wistron began shifting production to Taiwan and overseas sites last year, mainly to cope with Washington's additional tariff on networking-related components and devices. But now some are moving off the mainland as a result of these security concerns.
However, cybersecurity experts said that simply moving production out of China will not remove all risks, as there always will be ways to manipulate the production process regardless of the location.
"Every interface between components, or between motherboards and power supply systems could be a loophole for malicious implants," the Cybersecurity Technology Institute's Tien said. "You can only reduce or manage the risks, but it is not possible to entirely eliminate the threats."