Bloomberg has a new story out about China’s alleged tampering with the global hardware supply chain, revealing that an unnamed, major US telecom company discovered a malicious implant in a Supermicro server back in August. The source of the story seems credible (Bloomberg’s previous story on the Supermicro hacking did not name sources.)
If true, the scale of the potential damage from this hardware hacking is almost incomprehensible.
In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.
National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.
Brian Krebs has an insightful post about the issue on his security blog. Of particular interest:
The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.
More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.
And he identifies the crux of the issue:
Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States. […]
Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”
The original Bloomberg piece, as he points out, also addresses what he calls “this elephant in the room.” Quote from that piece:
The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.
Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.
As time goes on, the evidence mounts that offshoring advanced manufacturing to low-cost countries in Asia was an epochal blunder by the US. Now the US is abjectly dependent on a hardware supply chain that may be deeply compromised, and there is no obvious way to fix or even detect its vulnerabilities. However, to call this “an insurmountably hard problem” is an exaggeration; it is merely staggeringly hard.
The solution would almost certainly have to involve moving a large amount of high-tech production back to the US. This would be terrifyingly expensive, but the US may not have a choice, and the economic benefits of creating all those new jobs and factories could be enormous.
Anything that has been offshored can be reshored. Anything that was invented in the US can be made in the US. If I’m wrong, please explain how.