A breathtaking investigative story about a hack published two weeks ago revealed some very old news: Worldwide, China actively spies on industry and government--and it targets the United States in particular.
According to Bloomberg Businessweek, which broke the story, the number of companies affected was "almost thirty," including Apple and Amazon, which both claim nothing happened. The purportedly non-existent chips discovered, however, possess certain features including memory, processing capacity and connectivity--all things one doesn't usually associate with non-existent hardware.
This latest revelation provided more concrete, alarming news from the never-ending Sino-American version of "Spy versus Spy." It was such big news that even after the traditional "Keep it moving; nothing to see here" statements from Apple and Amazon, there were those who still believed there was something to see.
What happened, if it happened (and it certainly does seem to have happened) is the stuff of crime movies. You know the story line: A truck or a container or a package is diverted on the way to its destination, and spyware (or a bomb or a very small contortionist) is secreted inside the item in transit. In this case, hardware was implanted--a microchip the size of a pencil tip--but rather than diverting product in transit, the prevailing story is that these marvels of spy craft were actually built into motherboards used for often highly specialized, custom enterprise systems worldwide that were manufactured in China.
According to reports, the chip in question is like a physical Trojan horse: it can alter instructions on their way to a computer's central processing unit, thereby opening the door to outside attack.
"With more than 900 customers in 100 countries by 2015," Jordan Robertson and Michael Riley wrote in Bloomberg Businessweek, "Supermicro offered inroads to a bountiful collection of sensitive targets. 'Think of Supermicro as the Microsoft of the hardware world', says a former U.S. intelligence official who's studied Supermicro and its business model. 'Attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world'."
In a pithier statement from the same article: "Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow."
If the Supermicro story turns out to be true, China pulled off a supply chain attack of epic proportions, but while your spine finishes with that shudder running down it, I would like to suggest that there are worse things in the realm of cyber-insecurity. A GAO report issued around the same time as the Bloomberg Businessweek article found that "nearly all" new Pentagon weapons systems are vulnerable to cyberattack.
Based on tests conducted between 2012 and 2017, the GAO discovered that with "relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected" because of basic security vulnerabilities.
While the microchip supply chain angle has plenty of intrigue, given the general and pervasive state of cyber vulnerability out there, it is the equivalent of tunneling into a bank when the doors are wide open, there's no alarm and it's 10pm.
New Approach, Old Tactic
When Anthem disclosed that it had been hacked in early 2015, it was the second largest health insurer in the United States. Hackers had broken into its systems in 2014 and accessed unencrypted databases containing the sensitive personal information of around 80 million then-current and former policyholders and employees. The popular theory of that attack is that the Chinese government was behind it, and that it wasn't looking for personally identifiable information but rather for trade secrets to help set up a similar health insurance program for its own citizens.
In the Fall of 2015, not too long after the Anthem breach was disclosed, President Barack Obama and Chinese president Xi Jinping announced a deal that would put a diplomatic end to what many believed was widespread China-backed hacking against the U.S. government and big companies with knowledge valuable to China. The supposition at the time was that China only conceded to Obama's demands that the hacking come to a halt because it had a better option.
Around this time, according to the Bloomberg Businessweek article citing Pentagon sources, the Obama administration asked players in the cybersecurity space to figure out a way to detect hardware hacks. To date, this ability has not been developed. The request for this particular cyber solution coincides with the discovery of the chip.
One could also point to the two Chinese telecommunications giants, Huawei and ZTE Corp, both reportedly used by the Chinese government for the purposes of spying. Huawei has been declared a national security threat by the U.S. government and is under investigation for potentially breaking American trade controls with Cuba, Iran, Sudan, and Syria. The Pentagon has banned the use of Huawei-manufactured devices by members of the military.
It was during Amazon's due diligence on a company called Elemental Technologies, which it hoped to use for its Amazon Prime Video service, that the spy chip was discovered. Elemental had contracts with American intelligence agencies, and In-Q-Tel Inc., the CIA's investment arm, was among its backers. This put Elemental equipment (built on Supermicro motherboards, with those little chips embedded in the circuitry) in servers inside Department of Defense data centers that receive drone and surveillance-camera footage, in the onboard networks of Navy warships, and in secure videoconferencing systems used by government agencies including NASA, Congress, and the Department of Homeland Security.
The alarm that so much could have been infiltrated by dint of equipment upgrade and old-fashioned planned obsolescence is indeed terrifying, but this chip--real or imagined--is only the tip of an unimaginably large iceberg.
While we strive for cyber perfection, there is no such thing as cyber invulnerability. Cybersecurity is a daily practice--and an imperfect one at that. The Supermicro story is a classic case of an upgrade (which is often the introduction of new equipment) creating a vulnerability, which is why organizations must stay vigilant.