• It turns out a recent bombshell report detailing how rogue microchips infected an unknown number of computer servers may not be true.
• The event illustrates that supply chain risk is legitimate, and enterprises must plan for the risk and implement methods to detect such compromises.
Cybersecurity’s biggest mystery is centered on a microchip so small, it might not even exist.
It all started on 4 October, when U.S. news agency Bloomberg reported that many of the motherboards manufactured by Super Micro Computer had been compromised before they ever left the factory.
Super Micro is based in California, but conducts its manufacturing operations through subcontractors based in China. That is where, Bloomberg alleges, a Chinese military cyber-intelligence unit was able to install rogue microchips on an unknown number of server motherboards.
Bloomberg claims the rogue microchips could enable attackers to remotely compromise a device’s operating system, potentially granting full control over the target machine and its data.
Those manipulated motherboards, according to the report, found their way into servers purchased by nearly 30 organizations, including Amazon Web Services, Apple, and the U.S. Department of Defense.
Or maybe not. Soon after the story was published, cybersecurity experts expressed skepticism, and Super Micro, Apple, and AWS all quickly and strongly denied having found any rogue microchips on their systems and urged Bloomberg to retract the story. The U.S. Department of Homeland Security and the UK National Cyber Security Centre issued statements supporting the vendors.
Bloomberg, however, has not wavered. The news organization says its reporting was confirmed by 17 sources, including government officials and insiders at the affected companies. Yet all of those sources spoke anonymously, so nobody outside Bloomberg can assess their credibility.
This has left observers unsure who is telling the truth, and unsure whether computing equipment made by Super Micro, or anywhere in China, may arrive already compromised. That fear is especially disconcerting given that at least three-quarters of the world’s personal computers and smartphones are manufactured in China.
Regardless of where the truth lies, the Bloomberg story and its aftermath highlight two realities that organizations must confront.
First, supply chain compromises are a real risk. Technology can be tampered with at any point in its lifecycle: production and assembly, delivery and installation, and its useful life in service. A true hardware compromise is rare; software and firmware tampering is believed to be far more common, and software source code repositories are expected to become the next attractive supply chain target.
Second, organizations must plan for supply chain risk alongside other cybersecurity risks. This means developing and maintaining a strategy to detect, correct, and protect against compromises that would risk exposing sensitive data or interrupting critical business processes.
Nothing installed on a server can prevent a motherboard that was backdoored at the factory from being delivered, so the realistic defense against a hardware-level compromise like the one described in Bloomberg’s story is detection, and that requires a long-term commitment to network security: specifically, monitoring outbound traffic to identify command-and-control connections and other anomalies. A compromised board has to talk to its operators at some point, and that traffic crosses the network whether or not the host knows about it.
Advanced endpoint security products have been widely adopted by enterprises in recent years, but they typically cannot detect a hardware-level compromise: the agent runs on the operating system and trusts the firmware and hardware beneath it, which is exactly the layer such an implant lives in. Enterprises must instead develop an understanding of what normal traffic looks like in their networks, data centers and cloud environments, and retain logs long enough to support an investigation once a compromise is discovered.
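The two preceding paragraphs, outbound monitoring for command-and-control traffic and baselining normal egress, can be put into practice with a small triage script. The following is an added example written for this article, not code from the original page, from Bloomberg, or from any vendor named here. It assumes a constructed egress log format (one line per connection: UTC timestamp, source, destination, destination port, byte count) that approximates a firewall or NetFlow export, and it assumes the organization’s internal address space is the three RFC 1918 ranges. It learns which external destinations each host talked to during a known-good window, then flags two things in a later window: external destinations a host has never contacted before, and connection patterns with a near-constant interval, the fixed-timer polling that a backdoor waiting for instructions tends to produce.

```python
"""Egress-flow triage: baseline known destinations, then flag new ones and beacons.

Added example for this article; not code from the page or from any vendor it names.
The record format below is a constructed approximation of a firewall/NetFlow
egress log, not a real product's format.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: the organization's internal address plan is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record format: "<ISO8601 UTC> src=<ip> dst=<ip> dport=<port> bytes=<n>"
_LINE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
                   r"\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$")

# Constructed known-good window: a build server and an app server fetching packages.
BASELINE_LINES = [
    "2018-10-01T09:12:00Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=48211",
    "2018-10-01T15:40:07Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=50190",
    "2018-10-02T03:05:44Z src=10.0.1.7 dst=203.0.113.9 dport=443 bytes=61302",
]

# Constructed observation window: 10.0.1.7 has started phoning a new host every ~10 min.
OBSERVED_LINES = [
    "2018-10-04T00:00:00Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=128",
    "2018-10-04T00:03:11Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=47120",
    "2018-10-04T00:05:30Z src=10.0.1.7 dst=10.0.2.5 dport=3306 bytes=9044",
    "2018-10-04T00:10:03Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=131",
    "2018-10-04T00:11:40Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=52330",
    "2018-10-04T00:19:58Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=128",
    "this line is malformed and should be skipped",
    "2018-10-04T00:30:00Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=130",
    "2018-10-04T00:39:58Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=128",
    "2018-10-04T00:45:02Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=49988",
    "2018-10-04T00:50:00Z src=10.0.1.7 dst=198.51.100.23 dport=443 bytes=129",
    "2018-10-04T01:20:19Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=51004",
    "2018-10-04T01:22:05Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=3320",
    "2018-10-04T01:30:12Z src=10.0.1.7 dst=10.0.2.5 dport=3306 bytes=12077",
    "2018-10-04T02:10:33Z src=10.0.1.8 dst=203.0.113.9 dport=443 bytes=48771",
]


def parse_flows(lines):
    """Parse egress records; skip malformed lines rather than aborting the run."""
    flows = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                      "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return flows


def is_egress(flow):
    """Only traffic leaving the internal address space matters for C2 hunting."""
    addr = ipaddress.ip_address(flow["dst"])
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn the (src, dst, dport) triples seen during a known-good window."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows if is_egress(f)}


def new_destinations(flows, baseline):
    """External destinations a host never contacted during the baseline window."""
    seen = {(f["src"], f["dst"], f["dport"]) for f in flows if is_egress(f)}
    return sorted(seen - baseline)


def detect_beacons(flows, min_count=5, max_jitter=0.2):
    """Flag (src, dst, dport) whose inter-connection gaps are nearly constant.

    Batch jobs and humans produce irregular gaps; a backdoor polling its
    controller runs on a timer. max_jitter is the allowed spread of the gaps
    (max minus min) relative to their mean, so 0.2 tolerates +/-20% jitter.
    """
    by_key = defaultdict(list)
    for f in flows:
        if is_egress(f):
            by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    findings = []
    for (src, dst, dport), stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(stamps), "period_s": round(mean)})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    observed = parse_flows(OBSERVED_LINES)
    for key in new_destinations(observed, baseline):
        print("new external destination:", key)
    for b in detect_beacons(observed):
        print("beacon-like traffic:", b)
```

On the constructed data the package-mirror traffic from 10.0.1.8 is already in the baseline and its gaps vary by a factor of thirty, so it is silent; 10.0.1.7 is flagged twice, once for a destination it has never contacted and once for a 600-second beacon whose payloads are a few hundred bytes. In a real deployment the baseline window should be weeks rather than a day, internal ranges should come from the organization’s own address plan, and the output should be fed to an analyst rather than treated as a verdict, since legitimate health checks and NTP clients also run on timers.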
Ironically, Bloomberg reported this week that numerous companies may move their supply chains out of China, not because of cybersecurity but because the threat of tariffs would increase the cost of Chinese imports. As supply chains change, so does the risk, but the risk is not going away.
It may never be clear if Super Micro or any of its customers were affected by this alleged supply chain compromise, but it is a strong warning to all organizations to be on guard. After all, the difference between a secure supply chain and one that isn’t may be as small as the tip of a pencil.