20 October 2018

If China isn’t exploiting our electronics supply chain, it will

BY MORGAN WRIGHT

Bloomberg Businessweek just published a report making some very astonishing claims about how China used a very small chip to accomplish a very big goal. The primary claim is “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” According to the report, Amazon discovered the implant in 2015 and passed what it found on to the United States intelligence community, and the discovery sent a shudder through the halls of our national security agencies. You would expect a statement to be issued that talks about the impact this could have. Maybe one from the Defense Advanced Research Projects Agency (DARPA) that underscores the threat to modern computing.
“Trustworthy computing (with software) cannot exist until we have trustworthy hardware to build it on.”

The statement is spot on and identifies the core issue: trust. Except this statement wasn’t released in response to Bloomberg’s article. It was released on March 7, 2007, eight years before the 2015 discovery Bloomberg describes and eleven years before the report itself. It was based on a 2005 report entitled “Defense Science Board Task Force on High Performance Microchip Supply.”

Not only was the Department of Defense (DOD) worried about access to microelectronics components, it was also worried about the trustworthiness of each component. From the 2005 report: “The conclusion is a call for the U.S. government in general, and the DOD and its suppliers specifically, to establish a series of activities to ensure that the United States maintains reliable access to the full spectrum of microelectronics components…These activities must provide assurance that each component’s trustworthiness (confidentiality, integrity, availability) is consistent with that component’s military application.”

This was only the beginning of the trust problem in hardware and software. Operation Cisco Raider was a multiyear investigation by DOJ and DHS to stem the tide of counterfeit Cisco hardware. (I worked at Cisco from 2004 to 2010.) In early 2008, an update described the status of the investigation and concluded by “…offering an update on parallel multiyear efforts to curb the flow of counterfeit network hardware into the United States and Canada, much of it from China.”

China has long been at the center of national security concerns. When President Trump announced sanctions against China, I argued back in May that they did not go far enough. I laid out the case for why ZTE deserved the economic death penalty. In April, I opined on the need for a people warfare strategy against China and how it bullies U.S. firms that want to do business in China.

When the Bloomberg article hit, Apple and Amazon hit back. Bigly. Reuters reported: “There is no truth” to claims in the story that Apple found malicious chips in its servers in 2015, the [company] said in a statement. “This is untrue,” Amazon said in a blog post.

The controversy even crossed the Atlantic. The UK’s GCHQ (their version of our NSA) said “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.”

Bloomberg claimed they had substantial proof of their claims. “In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.”

So, who are we to believe? Everyone. And no one. The denials by Amazon and Apple weren’t of the traditional corporate, word salad, milquetoast variety. They were emphatic, direct, and indirectly backed by the GCHQ. But does the story pass the sniff test of plausibility?

According to Bloomberg, “One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs.”

When one country controls the significant majority of the means of production, it’s a business risk. When one country also has a very powerful government that requires private sector companies to ‘share’ their intellectual property in an approach called civil-military fusion, it’s a national security risk. And when one country combines the two, it’s called China.

Not only is it plausible that China could engineer an attack of this type; the sheer volume of our electronics that come from China makes it very possible. The problem with government, faced with yet another wake-up call, is that it tends to keep hitting the snooze button. Whether the story is completely accurate or only partially so, the threat should make the US reassess the weakness in its supply chain.

The argument goes that China wouldn’t do something like this because it would endanger their status as a hub for manufacturing. If they were caught with their fingers in the digital cookie jar, there would be a chorus of nationalism and manufacturing would be headed back to our shores. Price be damned.

The flaw in that analysis is that it looks at China’s problem through our eyes. China plans its future in decades. Our political structure ensures that leadership is up for grabs every two years. Something fundamentally has to change, and that might mean building plants here in the United States. But there’s a big-number problem with that.

The cost of building a new plant can exceed $3 billion, and that was back in 2007, according to the DARPA report. The global economic pressures “are driving (integrated circuit) design and manufacturing to foreign soil and out of US control to ensure trust and availability.”

What price is our national security worth? It might be the right time to find out.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.
