Instructor: Aleksi Aaltonen, Section 002

Supply Chain Threats to Cyber Security

Earlier today, Bloomberg came forward with a report alleging that organizations with major data breaches (including Apple, Amazon, and even U.S. government agencies) were targeted well before their machines were up and running. In the report, Bloomberg asserts that data breaches in recent history were executed using tiny chips “no bigger than a pencil point” which were installed into circuit boards during the manufacturing process. These supposed chips, which are designed to “siphon off” sensitive information, are made by U.S. based Super Micro Computer – a company who produces hardware for many U.S. entities and who has subcontractors in China. The report has since been vehemently refuted by Apple, Amazon, Super Micro Computer, and the Chinese government – all of which suggest that Bloomberg’s investigation is unfounded and without merit. However, according to Bloomberg, their report has been corroborated by “testimony from ‘six current and former national security officials’ as well as insiders at Apple and Amazon”.

Regardless of the immediate merit of the report, the allegations raise huge concerns about the state of our cyber security as consumers, professionals, and ultimately as a nation. A former NSA analyst explains the severity of supply-chain hacking, saying that detecting anomalies on networks is feasible but that “most organizations simply can’t find a malicious chip on a motherboard” and that it “undermines every security control we have in place”. Detection of hardware manipulation is extremely difficult and is “an expense that’s hard for companies to justify”. Fixing the issue after the fact, if legitimate, would cost an exorbitant amount on remediation of equipment and/or finding reliable, secure replacements; this is only after organizations “look at their whole value chain”, make appropriate changes, and “carefully monitor every step”. Such changes may adversely affect a large organization’s overall enterprise architecture, necessitating major (and unanticipated) structural changes to manufacturing locations, when/where items are shipped, how business units interact, and even how products are designed. Moving forward, it is still excruciatingly time-consuming to check for these types of breaches ahead of time and incredibly expensive to adjust system architectures to satisfy such security protocols.

The question is then raised: how does one tackle this very distinct possibility of supply chain hacking in the future (especially considering that most of the world’s computers are produced in China)? Already, the U.S. has banned the use of Chinese mobile phone brands ZTE and Huawei in government work. Should there be mandates directing large U.S. corporations to take similar steps? Should regulations be put in place that direct these corporations to routinely audit their hardware? Should specific manufacturing companies be vetted and approved by a government entity for eligibility to import into the United States? There are many potential answers to this issue, yet none of them appear to be easy or cheap to any participant in the industry.

3 Responses to Supply Chain Threats to Cyber Security

  • You point to very important topic in digital technology, which shows how business, technological and political interests can be intertwined in an incredibly complex manner. Whether the report is true or not it raises serious questions – if something is possible, somebody will likely try it. At the same time, the report can been handy political tool to encourage domestic production of electronics. One thing is for sure (as many other post also suggest) – information security will be a growth business!

  • It’s definitely scary to think about what the future may hold for data breaching. The length that companies must go today to secure their systems is not only incredibly expensive, not also very time-consuming. The time it takes businesses to secure their enterprise architecture is valuable lost time in daily business operations. In regards to your question, I believe it is a smart first step to ban Chinese manufactured technology, especially in government work. In the future I could see a continual increase in the unwillingness of importing Chinese equipment, not just in the government but in the country as a whole.

  • One could make the case that many products come from external entities and could, therefore, be purposely corrupted in one way or another. Should we perform 100% quality assurance checks on every import into the U.S.? It does not sound possible, and yet the fact is computer components have to be held to a higher standard than other products. Here, quality assurance is especially critical because damage to these components can have implications well beyond the entry point, as you make clear by referencing potential data breaches within large corporations who hold large amounts of consumer data.

    You make an excellent point about the difficulty of monitoring every piece of technology that comes through the value chain. Nike had a hard time monitoring worker conditions in entire factories within their value chain (if we believe they tried), so how will companies monitor every component that enters their enterprise IT system?

    Rather than storing and trying to protect data on the back-end, I think companies will begin to rely on blockchain technology to validate data on the front-end. We’re moving toward an age when data breaches have made most of our information available. Once its out, you can’t get it back. The strategy then becomes validating that when the data is used, it’s used with the permission of the data owner. Blockchain can use approvals within a distributed ledger to validate not only the data but the permission to use it.

    Here’s one article highlighting an optimistic future using blockchain:

Leave a Reply

Your email address will not be published. Required fields are marked *