The fix for IT supply chain attacks

The fix for IT supply chain attacks:

As I’ve written previously, I’m very skeptical of Bloomberg’s report about the Chinese placing hardware spy chips on server motherboards used by U.S. companies. China is actively spying on U.S. businesses all the time, I believe, and has already stolen most of the intellectual property secrets they are interested in. The Chinese are on their way to becoming the world’s leading economic power, and manufacturing computer chips is a big part of that equation. I don’t think they would jeopardize that business so blatantly.

If any good is to come out of the Bloomberg article, it is bringing the problem of the supply chain to the forefront. If nearly every computer device and chip is made by potential adversaries, how can you ever be assured that what you are buying doesn’t have intentional bugs or even spying chips?

The supply chain is the aggregation of all entities that provide the products and services needed for other entities to provide their products and services to their customers. Theoretically, any entity can knowingly or unknowingly introduce insecurity that impacts the final product. This is the exact issue that the Bloomberg authors and their anonymous sources allude to: that a spy chip can be placed on motherboards that eventually get placed into servers used by foreign companies.

IT supply chain risk has always existed

This is not a new issue. …

Keeping the supply chain status quo is not an option

So, one solution is no solution: Keep things as-is. As far as we know, incidents of nations using supply-chain malicious inducements are rare. If a nation-state compromised the supply chain too routinely, none of the other nations would buy its chips. It would be a self-solving solution. We’ve made it so far, so good, using this “strategy.”

When do you use a detect-and-regulate supply chain strategy?

… Well, for one, the military already has programs to prevent supply chain issues for its most critical infrastructure. Many levels of the U.S. government have programs that look for malicious supply chain issues. That’s precisely why I don’t believe that we have a widespread issue of Chinese spying chips all over the U.S.

The question is at what level of the supply chain do we start requiring stricter oversight and monitoring? …

The opposite school of thought to the “keep the status quo” argument is that we need to check all computer devices for spying hardware, software and firmware. This can be done by government or industry groups (like the Underwriter’s Laboratories [UL] or Consumer Reports). The problem is that all governments want to spy on people — its own people, and those in other countries. Asking the government to make sure everything is secure and not spying is asking for the fox to guard the henhouse. At the same time, I’m not sure we can do what needs to be done without governmental involvement.

The supply chain security solution needs to be global

… Every nation needs a nationally created and funded regulatory group that can look for supply chain issues but isn’t directly governed by the government. It’s not perfect. It’s like asking the foxes to pay for the shepherds who protect the henhouse, but I don’t see any other realistic way for a supply chain security solution to actually work. Or we can keep the status quo and hope for the best.

(Via CSO Online)

I agree with the article in large part. I disagree that government action and international agreements are the way to address supply chain risks. It is vulnerable in a multitude of ways independent of hardware hacking like the Bloomberg report claims. Compromising hardware not only requires physical access but its own reliance on a supply chain.

I tend toward industry and market forces addressing all aspects of supply chain insecurity. Redundancy, resiliency, supplier diversity, quality assurance, and monitoring are best done by those with the most at risk. Governments are too mercurial, international agreements and treaties often are not worth the paper they are printed on, and special interests can introduce new risks into the equation through self interest and a lack of vision.

Also on: