Supply Chain Threats to Cyber Security
Earlier today, Bloomberg came forward with a report alleging that organizations that later suffered major data breaches (including Apple, Amazon, and even U.S. government agencies) were targeted well before their machines were up and running. In the report, Bloomberg asserts that several data breaches in recent history were carried out using tiny chips “no bigger than a pencil point” that were installed on circuit boards during the manufacturing process. These supposed chips, designed to “siphon off” sensitive information, were allegedly placed on boards made by U.S.-based Super Micro Computer, a company that produces hardware for many U.S. entities and that uses subcontractors in China. The report has since been vehemently denied by Apple, Amazon, Super Micro Computer, and the Chinese government, all of which maintain that Bloomberg’s investigation is unfounded and without merit. However, according to Bloomberg, its report has been corroborated by “testimony from ‘six current and former national security officials’ as well as insiders at Apple and Amazon”.
Regardless of the immediate merit of the report, the allegations raise huge concerns about the state of our cyber security as consumers, as professionals, and ultimately as a nation. A former NSA analyst explains the severity of supply-chain hacking, saying that detecting anomalies on networks is feasible but that “most organizations simply can’t find a malicious chip on a motherboard”, and that such an implant “undermines every security control we have in place”. Detecting hardware manipulation is extremely difficult, and it is “an expense that’s hard for companies to justify”. If the report is legitimate, fixing the issue after the fact would cost an exorbitant amount, both to remediate affected equipment and to find reliable, secure replacements; and that is only after organizations “look at their whole value chain”, make appropriate changes, and “carefully monitor every step”. Such changes may adversely affect a large organization’s overall enterprise architecture, necessitating major (and unanticipated) structural changes to manufacturing locations, to when and where items are shipped, to how business units interact, and even to how products are designed. Moving forward, it remains excruciatingly time-consuming to check for these types of compromises ahead of time and incredibly expensive to adjust system architectures to satisfy such security requirements.
The question is then raised: how does one tackle this very real possibility of supply-chain hacking in the future, especially considering that most of the world’s computers are produced in China? The U.S. has already banned the use of the Chinese mobile phone brands ZTE and Huawei in government work. Should there be mandates directing large U.S. corporations to take similar steps? Should regulations be put in place that require these corporations to routinely audit their hardware? Should specific manufacturing companies be vetted and approved by a government entity before they are eligible to import into the United States? There are many potential answers to this issue, yet none of them appears to be easy or cheap for any participant in the industry.