That Bloomberg story about Chinese spy chips in the server supply chain highlights an issue even Huawei is worried about – international supply chains are so complex it’s getting harder to secure them. And vendor bans won’t work.
Last week, Bloomberg Business Week posted an epic investigative report spanning over three years that claimed Chinese agents slipped tiny chipsets into the server motherboards of Supermicro that created back doors allowing the agents to access both the server and whatever network it was connected to.
Apple and Amazon say the story is not true – or at least the part about their own servers containing any spy chips. Either way, the story has gained a lot of attention and raised a lot of fears – which is unsurprising, given the current policies of the US and Australia forbidding the domestic use of ICT gear from Huawei and ZTE because said gear will (they say) do exactly what the altered Supermicro motherboards allegedly do.
The Bloomberg story doesn’t necessarily prove that the US/Australia governments have been right all along. But it does shine a light on a security issue that’s been floating around for some time – as ICT supply chains become more global and complex, it becomes harder to ensure security by design across that vast ecosystem.
Ironically, Huawei itself has been busy pointing this out to the US and Australian governments – and indeed anyone who will listen. Last week, Disruptive.Asia reported that Huawei submitted a filing to the FCC protesting its exclusion from 5G projects and giving a list of reasons why this is both wrong and bad for America’s 5G ambitions. In one section of the filing [PDF], Huawei challenged the FCC’s claims that its equipment presents a security risk to the US:
… a blacklist on certain equipment vendors does not address the reality that cybersecurity risks arise from various points of vulnerabilities in an international supply chain. In response to a staff question as to the FCC’s role in securing U.S. telecommunications equipment, Huawei emphasized that the global and complex nature of the telecommunications supply chain necessitates a comprehensive security framework to protect against threats.
To be clear, this line of reasoning doesn’t counter – or even address – the security issues raised by the FCC. It’s not worried about 5G and its supply chains being less secure – it’s worried that Huawei and ZTE are insidious secret agents of a foreign government.
What Huawei is arguing (I think) is that the complexity of international supply chains is a much bigger security problem – for everyone, including Huawei – than whether a specific vendor might intentionally try to sell malware-infested boxes to its government’s rivals. Which is a valid point.
It’s not just the hardware
Some may point out that the ‘seeding’ technique described in the Bloomberg report – while technically possible (which researchers at the University of Michigan demonstrated two years ago) – is incredibly difficult to pull off and a strikingly inexact way of trying to infiltrate a network, so how big a threat can it really be? The Bloomberg story does raise this point as well:
… to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.
On the other hand, there’s more than one way to infiltrate hardware. One technique that is comparatively easier – and more likely to ensure your spy chip ends up in a network you want to spy on – is to intercept devices as they’re in transit from vendor to customer (which, for example, the NSA allegedly did with Cisco routers, according to one of the documents released by Edward Snowden).
Also, supply chain security isn’t just a hardware issue – it’s also a software issue, as security expert Bruce Schneier illustrated clearly in a blog post in May. The upshot, he says, is that supply chain security is a very real and complex problem that requires a complex solution that in turn will require international cooperation of some sort from both the public and private sectors. And even then, it won’t be fool-proof, though it could get the situation under control.
What won’t solve the problem, he wrote, is banning a particular company the government don’t trust ( whether it’s Huawei, Supermicro, Kapersky or someone else), or adopting an America-First (or equivalent) policy of doing everything in house, which is unrealistic in any case. It’s also very expensive, as Brian Krebs points out in this response to the Bloomberg story.
Which is why the political posturing over Huawei, ZTE and national security is not only paranoid populist pandering, it’s also a distraction from a much larger problem that it doesn’t come anywhere close to solving. With the hyperconnected digitalized internet-of-whatever currently under construction, such distractions are not just stupid and short-sighted – they’re irresponsible.