This week there was a blockbuster Bloomberg Businessweek report about U.S. investigations into a digital attack that involved planting snooping devices in the kinds of circuit boards used by Amazon, Apple, the U.S. government and other important organizations. The reporting highlights the grave risk of a bedrock element of technology: the sprawling, interconnected and global nature of computing.
Just about all computerized devices on the planet, from wrist-worn step-tracking gadgets to supercomputers that crunch U.S. intelligence data, participate in a complex supply chain honed over decades. Tiny circuits, pieces of glass, wiring, computer chips and many more parts are designed, built, combined, recombined and retrofitted in multiple steps by multiple companies, contractors and subcontractors in multiple countries.
It takes a global village to make computers and gadgets. Bloomberg data count 50 different suppliers just for Hewlett Packard Enterprise Co., the company that makes computer servers, digital-data storage machines and other essential gear used by corporations and governments. That figure likely undercounts all the hands involved in making computer gear. A corporate computing data center might have equipment sold by dozens of manufacturers, which all have similarly complex networks of parts and software suppliers, manufacturers, assemblers, testers and contractors.
Every technologist and spy knows this global supply chain is necessary but also potentially vulnerable. Somewhere along the chain, malicious actors can find ways to infiltrate the system to insert bugs or de facto spying devices. And according to Bloomberg Businessweek, that’s exactly what operatives of China’s military did to the kinds of circuit boards that made their way into the digital networks of entities including Amazon, Apple and the U.S. Department of Defense. (The companies mentioned in the Bloomberg Businessweek article disputed summaries of the reporting. Their full comments, and those from a Chinese foreign ministry spokesperson, are published here.)
The supply chain attack could have siphoned corporate secrets and government information while leaving few fingerprints. It’s the most insidious kind of digital spying imaginable, and some of the savviest tech minds in the world haven’t yet found a reliable way to sniff out the hardware-infiltration attacks, according to the Bloomberg Businessweek reporting. And worse, I’m not sure what, if anything, could be done to prevent this kind of snooping.
Perhaps the only surefire prevention is for Google, Apple, the U.S. government and others to build every circuit and computer chip by hand and make sure the parts and equipment never leave the sight of people they trust. This seems impossible. It would cost a fortune, of course, and it may not be practically possible at all. Over the decades, companies in China, Taiwan, the U.S., Vietnam and elsewhere in the world have developed specialization at discrete steps in manufacturing or assembly for computing equipment. It would takes years and support from the U.S. government to replicate that specialization entirely in the U.S. or other countries that American companies and the government trust.
It will be interesting to see how, if it all, major U.S. companies and government organizations change how they handle computer equipment now that these hardware hacking revelations are out in the open. Will they put in place more audits to test their computer gear for possible infiltration devices before they plug them into computer networks? Will companies, in fact, try to shift the supply chain to countries they think will make their computing gear less vulnerable to attacks?
If so, this dovetails with the White House, which wants to wean the country off reliance on Chinese factories and suppliers. That desire is at the heart of the U.S.’s continuing trade fight with China. Now, technologists and U.S. trade hawks have a common but perhaps impossible mission: reverse decades of globalization in computing to try to prevent damaging attacks.
By Shira Ovide