Bloomberg's Groundbreaking Report on a Chinese Supply-Chain Attack

Herb Lin
Thursday, October 4, 2018, 4:56 PM

As many readers know, supply chain security has been an increasing concern for those who use information technology for critical functions—that is, it affects everyone.

Published by The Lawfare Institute

Over the past several years, many reports have been issued on this topic, notably by the Brookings Institution and the Defense Science Board. DARPA has also had a program to improve hardware integrity.

But to my knowledge, there has never been a publicly documented incident of hardware supply chain compromise at the fabrication level originating abroad—until now.

On Oct. 4, Bloomberg carried a story called “The Big Hack: How China Used a Tiny Chip to Infiltrate Amazon and Apple.” The story describes how SuperMicro, a San Jose-based company and one of the world’s largest suppliers of server motherboards, was apparently responsible for the addition of a chip to those motherboards that would enable back-door access to the servers in which the boards were installed. These chips surreptitiously communicated with other systems that supplied additional code to be run on the motherboards. The back-door chips were apparently installed by SuperMicro subcontractors in China.

Bloomberg also asked Amazon, Apple, SuperMicro and the Chinese Ministry of Foreign Affairs for comment on the story, and reprinted their answers in full. The companies all denied the story.

Nevertheless, the reporting on this story appears to me to be quite credible and well done. I would also note in passing another set of stories dating to the mid-1990s on alleged intervention by the National Security Agency in certain encryption products made by the Swiss firm Crypto AG. These products were used around the world as well, although not nearly on the scale reported in the Bloomberg story. For those looking to read more on the subject, my colleague Nick Weaver’s analysis is penetrating and insightful.

Those of us who have been wanting a citable source on an actual foreign intervention in the hardware supply chain now have one.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.