According to a report in Bloomberg BusinessWeek, spies from China forced Chinese manufacturers to insert tiny microchips into US-designed servers that were used by almost 30 US companies, including Apple and Amazon. The publication claims the tiny chips could be used to siphon off data from, or introduce malware to, the hardware they were installed on. According to the article, Apple and Amazon discovered the security issue after conducting internal investigations and informed the US government, which is still investigating the affair. They then quietly removed compromised servers. The attack reportedly targeted hardware made for Super Micro Computer, a US company that’s one of the world’s largest suppliers of server motherboards, which uses subcontractors in China and elsewhere.
Apple and Amazon have issued rebuttals to the story, as has Super Micro Computer. Apple says it never found malicious chips in its servers and never had any contact with the FBI or any other agency about such an incident. Amazon said it had uncovered some security holes in a software application provided by Super Micro, but these had been addressed before hardware was deployed.
In addition to the companies’ rebuttals, the Department of Homeland Security said that it has “no reason to doubt the statements from the companies named in the story”, while the UK’s top national cybersecurity agency GCHQ said that it didn’t see any reason to question the validity of Apple and Amazon’s denials and it requested that anyone with information about the alleged attack reach out.
The story highlights the supply-chain risks that are inherent in a world in which the lion’s share of electronic components used in computers and servers are manufactured in China. This has driven down costs and delivered huge benefits to consumers and businesses. But it’s also made it harder than ever to be sure that equipment can be trusted.
Indeed, according to a new Pentagon-led report that seeks to mend weaknesses in core US industries of importance to national security, China represents a “significant and growing risk” to the supply of materials vital to the US military. The 150-page report concluded there are around 300 vulnerabilities that could affect critical materials and components essential to its military. Pentagon officials have stated the national risks of Beijing’s growing military and economic might on the defense industry and wants to ensure China is unable to interfere with America’s military by cutting off supplies of materials or by sabotaging the technology it exports.
Security experts have warned for years that the hardware supply chain is at risk, especially considering that China has a monopoly on parts and manufacturing. Up until now, though, we haven’t seen a widespread attack on US companies, as Bloomberg claims to have found. There’s no real way to prevent a hardware attack like this, unless the tech industry wants to drastically rethink how it gets its components and brings products to market.
In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item. The U.S. Congress has held multiple hearings about supply chain security challenges, and the U.S. government has taken steps on several occasions to block Chinese tech companies from doing business with the federal government and/or U.S.-based firms. Most recently, the Pentagon banned the sale of Chinese-made ZTE and Huawei phones on military bases, according to a Defense Department directive that cites security risks posed by the devices. The U.S. Department of Commerce also has instituted a seven-year export restriction for ZTE, resulting in a ban on U.S. component makers selling to ZTE.
The real issue here isn’t that we can’t trust technology products made in China. Indeed there are numerous examples of other countries — including the United States and its allies — slipping their own “backdoors” into hardware and software products. The vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now.
Security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.” Schneier wrote in The Washington Post that “Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product.” He added that “No one wants to even think about a US-only anything; prices would multiply many times over. We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”
The supply-chain challenge seems like a puzzle hard to solve. So for the time being, there are some things worth thinking about that can help mitigate the threat from stealthy supply chain hacks. As William Hugh Murray wrote for SANS Institute newsletter, these could be the following:
The aforementioned cannot be achieved without machine identities and the vigorous protection of those identities which can be implemented through automation platforms such as Venafi Platform. Only continuous intelligence about the machine identities that provide access to every machine across your extended enterprise can protect you. The secure exchange of information between machines such as devices, applications, cloud workloads, virtual machines and containers is critical to every successful business. Protecting machine identities is the best way to ensure that all machine communications are secure, legitimate and authorized.