A bevy of Congressional members are starting to dig deeper into the Bloomberg Businessweek report that the Chinese People’s Liberation Army actually committed a supply chain attack by placing malicious processors in computers used by top U.S. companies and the federal government.
Sens. Marco Rubio, R-Fla., and Richard Blumenthal, D-Conn., John Thune R-S.D., House Oversight Committee Chairman Trey Gowdy, R-S.C., and Intelligence Committee Chairman Devin Nunes, R-Calif. have all fired off letters to the companies involved asking for additional information. However, even before these inquiries were sent Super Micro, Amazon and Apple all denied any technology that could possibly compromise their systems had been surreptitiously planted in computers they either built or purchased.
At the same time some lawmakers are asking for additional data other interested parties, both on The Hill and in the private sector, are questioning the validity of the Bloomberg report itself.
Rob Joyce, an NSA cybersecurity advisor, cast speculation on the incident at a U.S. Chamber of Commerce cybersecurity event earlier this week saying he is afraid we are “chasing shadows right now,” according to the Washington Post.
Whether false or true, the very possibility that China might have pulled off such an operation is indicative of how concerned the industry is over supply-chain attacks.
“The raw nerve this struck lends credence to real threats in global supply chains and may cause people to more closely evaluate their suppliers,” David Ginsburg, Cavirin’s VP of Marketing told SC Media.
Adam McNeil, senior malware intelligence analyst at Malwarebytes, said the primary issue with the Bloomberg report and the allegedly planted microchips is it’s impossible to prove either way.
“One problem with verifying this story is that this type of attack isn’t detectable by any security solution. Right now, no one can detect hardware-level modifications using custom hardware solutions that have been systematically installed at the manufacturer level. That kind of detection protocol just doesn’t exist yet,” he said in a blog post.
McNeil went to on to note that even physically checking the computers is impossible as most cybersecurity researchers simply don’t have access to them, and even if they did, obtaining permission to essentially dismantle an expensive piece of needed equipment would not likely be forthcoming.
Ali Golshan, StackRox CTO and co-founder, said the news story should serve as a reminder to organizations of the importance of fully understanding their supply chain.
“ It makes sense for companies to consider how many elements of their supply chain come from China, and more importantly, what other entities will copy this blueprint as a way of securing a foothold to gather data and potentially steal IP,” he said to SC Media.
Others are looking at this latest blow-up involving China from a historical perspective. Nathan Wenzler, chief security strategist at AsTech, looked back to when Lenovo bought IBM’s PC unit. At the time many rightfully worried that having these popular desktop, laptop and servers produced in China would give that country a direct gateway into the U.S.
“And researchers reported backdoors were found in many of the networking components subsequently used in Lenovo-branded servers and desktops,” he said, adding, “Having been involved in some incidents where Chinese actors stole intellectual property and other proprietary information for financial gain, I absolutely believe this sort of thing is plausible and even likely.”