Congress’ Worst Fears Confirmed with Latest Supply Chain Security Breach

IT Security

Early on in my time writing this column, I wrote what I still consider to be the most boring piece I’ve done, on how Congress was telling the Department of Defense that it needed to do a better job at supply chain risk management. At the time, the House of Representatives wanted to put the DoD’s chief information officer in charge of this function as it applied to information technology.

The final National Defense Authorization Act for Fiscal Year 2018 directed the DoD to place someone in charge of the function, but left it up to the secretary of defense to decide who that should be. Based on what Bloomberg Businessweek reported last week, there was good reason for Congress to be concerned.

China’s People’s Liberation Army Sneaks Chips into DoD Servers

According to the story, China’s People’s Liberation Army (PLA) was able to insert a tiny chip onto the motherboards of powerful servers that made their way into Department of Defense data centers and those of large American corporations, including Apple and Amazon. Amazon discovered the chip while evaluating whether to buy the servers’ manufacturer.

That manufacturer, Elemental Technologies, builds powerful specialized servers for processing video files. They power Amazon’s Prime Video streaming service (and, ironically, Netflix, which partly runs on Amazon Web Services), as well as “Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”

The motherboards for those computers, as well as those for many other companies, came from Super Micro Computer, Inc. of San Jose, Calif. Super Micro subcontracts for its manufacturing to factories in China.

At those factories, workers installed a chip, no larger than a grain of rice, supplied by the PLA. According to the story, the chip let an outside party control which systems the server communicated with, potentially giving Chinese intelligence the keys to almost any data those servers handled. The possibility of this kind of hardware hack was considered so remote that few bothered to worry about it. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” one leading hardware hacking expert told Businessweek.

The unicorn seems to be real, and according to Businessweek’s sources, jumped over the rainbow a few times.

Apple, Amazon, DoD All Keeping Their Cards Close to Their Chest

For their part, Apple, Amazon (which bought Elemental in 2015) and Supermicro all flatly denied the allegations, which would be expected if the investigation into this hack is as classified as it most likely is. But Businessweek cites at least “six current and former senior national security officials,” two employees of Amazon Web Services and three at Apple. These sources are anonymous, as would also be expected, but the fact that 17 people in government and industry in all spoke to Businessweek about the issue makes the story much more believable than not.

Businessweek reports that U.S. intelligence first learned of the plan in 2014, while Amazon allegedly discovered the chip in 2015. It seems to me that Congress has had some indication that this was going on, too.

Is a Ban on Chinese-Made Motherboards in Our Future?

As I wrote in June of last year, “Rep. Adam Smith (D-Wash.), the HASC ranking member, noted in an August 2016 hearing on military cyber operations, ‘the least little device can be an entry point to a cyber attack,’” and, “Rep. Mike Rogers (R-Ala.) noted at the August 2016 hearing that the DoD lacked a comprehensive list of ‘Chinese firms that [the department is] concerned about.’”

Whatever the status of such a list now, you can be sure that the manufacturing subcontractor for Super Micro Computer is on it.

In June of this year, Missouri Democratic Sen. Claire McCaskill introduced the Federal Acquisition Supply Chain Security Act of 2018. This bill, which now includes language proposed by the White House in July, would establish a Federal Acquisition Security Council comprising experts from several Federal agencies. The council would be responsible for assessing supply chain threats and vulnerabilities and sharing that information across the government and, where appropriate, with industry.

The true test, however, will be in how the Trump administration addresses this issue with China. Motherboards were added to a recent round of proposed new tariffs. If this hardware hack proves to be widespread, could a ban on Chinese-made computer motherboards in federal systems be far behind?

Tom McCuin is a strategic communication consultant and retired Army Reserve Civil Affairs and Public Affairs officer whose career includes serving with the Malaysian Battle Group in Bosnia, two tours in Afghanistan, and three years in the Office of the Chief of Public Affairs in the Pentagon. When he’s not devouring political news, he enjoys sailboat racing and umpiring Little League games (except the ones his son plays in) in Alexandria, Va. Follow him on Twitter at @tommccuin