In early October, US news agency Bloomberg published a bombshell story that claimed that an attack by Chinese spies infiltrated 30 US companies (including Amazon and Apple) and compromised the country’s technology supply chain.
The story cited 17 unidentified sources to support claims that a unit of the Chinese People’s Liberation Army infiltrated the supply chain of computer hardware maker Super Micro Computer Inc to plant malicious chips that could be used to steal corporate and government secrets.
The chips (some as small as a sharpened pencil tip) purportedly allowed attackers to create “a stealth doorway” into any network that included the altered machines.
As could be expected, the Bloomberg story sent seismic shock waves throughout the global cyber security industry, with tech giants Amazon and Apple flatly denying that their security had been compromised in any way. Yet while companies and government agencies continue to dispute the facts, security experts are warning that even if the attack didn’t happen as reported, it is now highly plausible that hardware is being infiltrated and compromised within global supply chains.
“Extended, complex, global supply chains create a risk for malicious cyber activity that companies must take into account,” noted Michael Daniel, chief executive of the non-profit Cyber Threat Alliance, in an interview with Reuters.
Who’s at risk?
Governments, businesses and consumers are all at risk, particularly given that this is a strategy of attack for which current cyber security tools and systems are ill-prepared. Even with some of the top security professionals at work, experts haven’t been able to verify the Bloomberg story – simply because this type of attack isn’t detectable by mainstream security solutions.
As it stands, very few security experts can detect hardware-level modifications or tampering carried out with custom hardware that has been methodically installed at the manufacturer level.
Sadly, that kind of detection protocol or practice is almost non-existent.
The Bloomberg article underscored this point, stating: “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution.”
A complex challenge
For SA businesses and indeed organisations worldwide, the supply chain threat must now be taken into account when assessing cyber security risks and responses. Today, although local suppliers and service providers may be working with trusted global brands to deliver products and devices to SA customers, even those trusted brands have complex supply chains that carry risks and vulnerabilities of their own. And the further away we are from the primary source of hardware components, the higher the risk of hardware manipulation by ill-intentioned third parties.
In most instances, supply chains will become compromised and there will be no knowledge of it amongst suppliers until months or even years down the line. It must be emphasised that this form of attack is both highly sophisticated and very patient – hardware hackers have a long-term play, which probably means that the ensuing damage will be deep, chaotic and widespread.
Information is key
While there is no easy solution or patch right now, awareness and education are critical. Simply by becoming aware and informed of the cyber threats and vulnerabilities that may exist in the supply chain, business leaders can mitigate many of the potential risks.
There are, however, some practical steps that can be taken. To begin with, business leaders should communicate with vendors and suppliers and ask them tough questions. Are they aware of the risks, for example, and what precautionary steps are they taking? Arguably, supply chain security is every company’s responsibility.
As experts point out, the supply chain as a whole is only truly secure when all players throughout the supply chain implement effective, coordinated and proactive security measures.
To this end, local companies should begin to consider initiating procedures such as annual vendor risk assessments, random spot checks on physical devices, hardware security audits on newly-acquired equipment, and the creation of comprehensive incident response plans.
In addition, businesses need to strive for transparency and improved communication with vendors and third-party suppliers, as this increases the chances of uncovering hardware manipulations and responding accordingly.
Adapt your security strategy
Looking ahead, the cyber threat within global supply chains requires every business to shift its existing IT security strategy and approach. Today, few within the security sphere (if any) possess the skills and expertise required to detect – let alone reverse engineer – corrupted hardware components that are calculatingly designed to look like legitimate hardware components. This means that the security industry has work to do – for the most part, existing tools and systems are only designed to combat threats at the application level.
In the interim, however, while cyber experts look to mitigate threats to hardware security, business owners and leaders must begin asking their suppliers the tough questions about how they are protecting their supply chain.
By Brian Timperley, co-founder & MD of Turrito Networks