CHINESE WHISPERS - What's in a server?

Bare metal intrigue

The recent Bloomberg Businessweek revelation, 'The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies', is an interesting (to say the least) new turn in the threat universe that IT calls home. A chip has been discovered in servers originally assembled by Supermicro "that wasn't part of the boards' original design". The chip wasn't supposed to be there:

"...the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China".


Dominoes anyone?

The plausibility of a hardware hack, for which the seeds can ostensibly be sown relatively easily via a tiny implant, is remarkably real. The subsequent threat and damage to our confidence in many of the day-to-day systems we rely on and, even more so, to national security, is frightening. It brings into consideration issues around the public cloud and its security as well as the global supply chain and the multiple points of exposure across it, not least through third parties upon whom one may be dependent if one is not going through a trusted and experienced global IT systems aggregator.

While the validity of the chip story is being challenged, its value comes in drawing the tech community's attention to the possibility of a new front opening up in the ceaseless war against cyber-crime; bare metal bravado, about as Trojan as a horse can get (with apologies to the infamous malware).

I don’t subscribe to conspiracy theories, but Bloomberg is a credible source and numerous substantiating sources (no doubt well researched and credible) have confirmed the hack to be real. Bloomberg states that U.S. officials describe the event as…"the most significant supply chain attack known to have been carried out against American companies." By way of balance, Supermicro has denied that Chinese agents were able to smuggle hidden surveillance chips into Supermicro's servers.


Threats to the supply chain

Where does this emerging new threat possibility leave us? It’s not just Supermicro that manufactures U.S.-designed tech in Asia, where the chips are said to have been inserted. Pretty much everyone does.

Today's supply chains are truly global, and not just in manufacturing. A secure supply chain is an issue for everyone. If you trade, buy, and sell globally, and have your IT systems dispersed around the world, not only is traditional cyber security an issue, but your exposure through your supply chain is potentially endless, definitely complex, and often not within your area of control. Accenture's Cyber Threatscape Report 2018 puts it like this:

"Third- and fourth-party environments provide adversaries with an entry point, even in verticals with mature cyber-security standards, frameworks, and regulations. Recent campaigns highlight the challenges of combating weaponized software updates, prepackaged devices, and supplier ecosystems as they fall outside the control of victim organizations".


We need to be able to trust the system

As the FANGs[1] expand around the globe in a land-grab, they're positioning themselves as the utility compute players for global and local business. We expect the security and systems in these environments to be the best; after all, the tech behemoths at the forefront of the revolution invest more in their core business than any of us could ever hope to.

By 2019 it's estimated that nine out of ten companies "will have some part of their applications or infrastructure in the cloud" according to IDG. The problem is, if you are in the cloud, and the cloud gets targeted, you risk becoming a victim of cyber space collateral damage.


Securing the global supply chain

Many Viadex gaming clients run all their own infrastructure. These companies operate on four continents, and have clients with latency-dependent apps all over the world, necessitating constant monitoring and support of the companies' environments.

They perceive the cloud, as it stands, as not sufficiently secure and simply can't risk any sort of data breach or loss, or any suspension of service, or degradation in performance. They invest huge sums in ensuring they are at the forefront of both the tech and human elements in the security space.

Secure supply chains are essential to such companies, as are consolidated procurement of products and services, through known and trusted partners. They could have a partner in each country or continent to do this for them. It would involve building trust across multiple partners, and assessing and monitoring those partners and their personnel on a regular basis, thereby effectively increasing their supply chain risk.

It’s a frightening thought to any business leader, or government, that the systems they invest in and run their business or country's security on may well be carrying unknown components that can lie dormant until activated by malicious nation states. It's not just the security clusters; it's airports, infrastructure and urban transportation, power plants, weapons systems, healthcare programmes and hospitals, and more; the list of at-risk functions we all depend on is endless. The more we centralise systems, the greater the systemic risks and the ability for individual bad acts to cause harm and disruption.

In our world, the more people and IT infrastructure are dispersed around the world, the greater the risks we face from competitors, bad actors, disgruntled employees, and out-and-out criminals. Now it seems we need to at least be aware of the potential of embedded risk.

I am not convinced by the denials in this chip insertion event. They don’t surprise me, but it is a worry. I will keep an eye on how this develops and post updates as soon as it does.


[1] Facebook, Amazon, Netflix, Google: FANG



Luke Lawson

Marketing Operations Leader | B2B SaaS | Expertise in Cloud Services

6 years ago

Elements and Risks associated with cyber-crime – You think you are safe until you validate your supply chain.

Dominic English

Account Director - Kaztech Ltd

6 years ago

Supermicro, Buy Cheap - PAY HEAVILY!!!?

Nick McDonald

Passionate about delivering flexible & reliable technology solutions globally for my customers.

6 years ago

Only Fujitsu can bring you systems made in Europe in our own Factories. No hidden features. No malicious software. Japanese Innovation German Engineering. :-)
