Keyboard rarrarorro/iStock

Has True Security Moved Beyond Reach?

Major China hardware hacking allegations have placed the electronics supply chain in a quandary.

The electronics supply chain has been rocked by revelations published in a Bloomberg Businessweek report that server boards manufactured in China were infected by a tiny component—one that created a backdoor for the Chinese government to spy on U.S. companies, in addition to  government agencies such as the CIA and the Department of Defense. According to the report, a unit of China’s People’s Liberation Army (PLA) was behind the effort to hack into the operations of these entities and compromise the global supply chain.

According to the report the servers were assembled by Super Micro Computer Inc., also known as Supermicro, using motherboards supplied by three subcontractors in China: Universal Scientific Industrial (a unit of ASE Industrial Holding, the world’s biggest chip-packaging company), Wistron, and Orient Semiconductor Electronics. They are all Taiwanese but have extensive manufacturing sites in mainland China. 

SuperMicro is one of the world’s biggest suppliers of server motherboards and dominates the $1 billion market for boards used in special-purpose computers.  The report found that 30 companies have been impacted by the infected servers, including Amazon and Apple. Amazon Web Services (AWS) was one of the early companies to identify anomalies that pointed to the compromised hardware.

Both Apple and Amazon have categorically denied the claims they were hacked in the strongest terms.  Certainly, the sensitivity associated with this type of report has the potential to undermine confidence in the security of these companies. Unfortunately, U.S. companies have not engendered trust with their pattern of covering up security breaches and only belatedly disclosing massive compromises of consumer data. As a result, even the strongest denials by Apple and Amazon have not succeeded in completely countering the claims in the report.

On the other hand, the report authors note that six current and former U.S. senior national security officials described the discovery of the chips and the government’s investigation. Those officials and two people inside AWS provided detailed information on the attack at Amazon and three Apple insiders said that Apple had been impacted.

Between a Rock and a Hard Place

The report of sophisticated Chinese hardware hacking with such a widespread impact adds fuel to the fire of demands that companies diversify their electronics production out of China. Many manufacturers are already initiating contingency plans due to the punishing tariffs imposed by the U.S. Networking equipment, servers, and motherboards have been hit by President Donald Trump’s 10% tariffs on $200 billion worth of Chinese goods that took effect on Sept. 24. Trump has called for a return of manufacturing to the U.S.; many analysts, in turn, have already highlighted the prohibitively high costs of shifting production stateside.

One recognized security expert, Bruce Schneier, calls supply-chain security “an insurmountably hard problem.”  In an Oct. 4 blog entry he put forth a sobering truth: “Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a U.S.-only anything; prices would multiply many times over. We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”

The reality is that China dominates global electronics production. The country has established both the production facilities and the massive support infrastructure needed to establish a virtual stranglehold on electronics production. The world now sits on the brink of Internet of Things (IoT) devices, the cloud, and 5G technology blanketing businesses, homes, and governments.

Thus, the question now confronting all participants in the supply chain is this: Have we reached the point where it is no longer possible to win the war against threats to personal and corporate privacy and security?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.