What to Tell Your Boss About Supermicro
Everyone I know believes Supermicro is guilty. The story, which you know by now, is that during the assembly process at this $2B company, often called the Microsoft of hardware, a Trojan chip the size of a grain of rice was placed onto their motherboards, which are manufactured in San Jose. Despite the US venue, you would have trouble finding a more guilty-looking crime scene: Supermicro is teeming with Chinese staff, speaking Mandarin and munching on Chinese pastry.
Now, kudos to the Amazon team for discovering this issue. By most accounts, they were the first to find the malicious insertion, and I can promise that this is easier said than done. And kudos also to Amazon and Apple for canceling their business relationships with Supermicro – although Apple swears this had nothing to do with the bug (ahem). My suspicion is that the US intelligence community also knew about this security problem, but that’s just my hunch.
Anyway, none of this matters much to the average Joe like you and me, and here is why. I believe, based on what is now approaching four decades of staring at this damned problem of cyber security, that the following five countries, and their close allies, can use a wide range of offensive cyber measures to break into your systems at any time, in any place, and for any reason: Russia, China, the United States, the United Kingdom, and Israel. They can get you: Whenever. They. Want.
The way they do this involves all sorts of clever technical, operational, and even human means. Go back and read Ken Thompson's 1984 Turing Award lecture, "Reflections on Trusting Trust." It gives the who-what-and-where of how you dissolve malicious code into a toolchain in a way that inspecting the source cannot find: a compiler that recognizes the login program and inserts a backdoor, and recognizes its own source and re-inserts both hacks whenever the compiler is rebuilt, so the shipped source stays clean forever. And that lecture is more than three decades old. Since then, foreign and domestic intelligence groups have gotten so much better at this that it should send shivers up the spine of any supply chain team.
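To make the Thompson point concrete, here is an added toy reproduction in Python; it is not part of the original article and not the author's code. "Compiling" here means exec-ing source into a fresh namespace, and a "binary" is the resulting callable. The login program, the "alice" account, the master password "open-sesame", and every function name are constructed for the example. The victim audits only clean source, rebuilds the compiler from that source several times, and still gets a backdoored login program.

```python
"""Toy reproduction of the attack in Ken Thompson's 1984 lecture
"Reflections on Trusting Trust". Constructed example: 'compiling' a
program means exec-ing Python source into a fresh namespace, and a
'binary' is the resulting callable. The point survives the simplification:
the victim inspects only clean source, yet every compiler and login
program built with the shipped compiler carries the backdoor.
"""

BACKDOOR_PASSWORD = "open-sesame"   # secret the trojan plants (constructed)

# Clean compiler source: what a reviewer gets to audit. No backdoor here.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# Clean login program source: one constructed account, no backdoor here.
LOGIN_SRC = '''
def login(user, password):
    users = {"alice": "correct horse battery staple"}
    return users.get(user) == password
'''

# Source of the trojaned compiler. It never ships; only the binary does.
# @@SELF@@ is a quine slot filled with repr() of this template, so the
# running trojan can regenerate its own source when asked to compile a
# compiler. Hack 1: any login program gets a master password appended
# (must equal BACKDOOR_PASSWORD). Hack 2: any compiler source is replaced
# by this trojan, so rebuilding from clean source never removes the hacks.
TROJAN_TEMPLATE = '''
def compile_program(src):
    template = @@SELF@@
    self_src = template.replace("@@" + "SELF@@", repr(template))
    if "def login(" in src:
        src = src + """
_real_login = login
def login(user, password):
    return password == "open-sesame" or _real_login(user, password)
"""
    if "def compile_program(" in src:
        src = self_src
    ns = {}
    exec(src, ns)
    return ns
'''


def build_compiler_from_source(src):
    """Honest bootstrap: exec the given source directly, trusting nothing else."""
    ns = {}
    exec(src, ns)
    return ns["compile_program"]


def attacker_ships_trojaned_compiler():
    """Stage 0: the attacker builds the first trojaned binary from the template."""
    return build_compiler_from_source(
        TROJAN_TEMPLATE.replace("@@SELF@@", repr(TROJAN_TEMPLATE)))


def login_results(login):
    """Exercise a compiled login: (legit user, wrong password, backdoor password)."""
    return (
        login("alice", "correct horse battery staple"),
        login("alice", "wrong"),
        login("mallory", BACKDOOR_PASSWORD),
    )


def honest_build():
    """Compiler and login both built from clean source with a clean toolchain."""
    compiler = build_compiler_from_source(CLEAN_COMPILER_SRC)
    return login_results(compiler(LOGIN_SRC)["login"])


def victim_build(generations=3):
    """The victim receives the trojaned binary, rebuilds the compiler from the
    audited clean source `generations` times, then builds login from clean
    source. Every generation is still trojaned; only the binary carries it."""
    compiler = attacker_ships_trojaned_compiler()
    for _ in range(generations):
        compiler = compiler(CLEAN_COMPILER_SRC)["compile_program"]
    return login_results(compiler(LOGIN_SRC)["login"])


def source_mentions_backdoor():
    """Code inspection of everything the victim is handed finds nothing."""
    return BACKDOOR_PASSWORD in CLEAN_COMPILER_SRC or BACKDOOR_PASSWORD in LOGIN_SRC


if __name__ == "__main__":
    print("honest build (ok, wrong, backdoor):", honest_build())            # (True, False, False)
    print("victim build (ok, wrong, backdoor):", victim_build())            # (True, False, True)
    print("backdoor visible in audited source:", source_mentions_backdoor())  # False
```

The defence Thompson's lecture implies, and the one the supply chain crowd still leans on, is not more source review but an independent second toolchain (diverse double compiling) or a reproducible build you can compare bit for bit against someone else's; a chip on a motherboard is the hardware equivalent, and it is the invisible version of this trick that should worry you.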
What this means is that the Supermicro situation was not some close call, as the popular media seem to represent it. My belief, in fact, is that this was uncharacteristically sloppy work. If I were a cyber commander in China, I would never have approved such a thing. I mean, you are leaving visual evidence on a motherboard! I understand the power of hardware, but I would have pounded my fist and demanded in my broken Mandarin that they find an invisible means of insertion.
And now here is the really bad news: My belief is that the Chinese have, in fact, created invisible means. And I believe these are present and active. I would bet anything on this. But rather than blame the Chinese, I would extend the claim to all the countries mentioned above. Lest we forget, engineers discovered a signing key labeled _NSAKEY in Windows NT 4 Service Pack 5. I know there are explanations for this weirdly named key, and it has all been hotly debated ever since. But I am just saying . . .
Bottom line: If you are being asked what to tell your senior management about this situation, and my guess is that 95% of you reading this article are thus motivated, then below are the brief answers I recommend you give your bosses to the most common questions you will get about the problem. Keep things brief and simple. Trying to explain signal conditioning couplers will get you nowhere:
Did Supermicro do this? Yes, Supermicro did it. But we do not know if leadership was involved, or if this was done by insiders planted by the Chinese government.
Is the problem fixed? No, because other more effective means exist for nation-states to break into our stuff. And these are likely hidden in ways we could not possibly conceive.
Should we cancel our AWS and Apple contracts? No, we should not stop using Amazon or Apple. In fact, it’s impressive that their engineers found this subtle Trojan.
How do we protect ourselves? By distributing, virtualizing, and improving our security design. We must assume, in all our work, that malicious nation-states are after us.
Should we stop buying from the Chinese? Well, uh, it depends. But we need to be aggressive in searching for bugs in our equipment and software. Especially software.
Can the government help? Yes. But they haven’t done a great job to date. We must lobby our leaders to negotiate for realistic norms and policies in international cyber security.
IT Executive | Speaker - Authentic Leader, Data & Decision Velocity Driven, Customer Obsessed, Thinking Like an Entrepreneur
6 years ago
We should not be surprised that state-driven ambitions and corporate profits are interconnected. So much for globalization!
Sr InfoSec Analyst @ HEB | GNFA | GCIH | GCED | GSEC | AWS Certified Cloud Practitioner
6 years ago
Edward Amoroso, very well written, thank you for the article.
Venture Partner | Cybersecurity Expert | Startup Mentor
6 years ago
Your comments reminded me of a meeting I had about 20 years ago in the capital of a European country with two people who were their government's cybersecurity point people. At that time, I was CTO of an Israeli cybersecurity startup. Midway into the three-hour meeting, I was asked: "How do we know that the Mossad [Israel's national intelligence agency] hasn't embedded code into your company's product?" To put this in context, my meeting took place several months after some publicized Mossad SNAFUs. Not being sure exactly how to respond to such a question, I told them that for a $15,000 up-charge, we would remove the embedded code. They did not laugh. Their question, however, has lingered in my mind since, but one thing I realized is that no software development group can ever state definitively that its product has not been tampered with by some nation-state or external third party. This is because we don't really know the programmers and DevSecOps people who are part of the team: we don't know what motivates them and we don't know what pressures they face outside the workplace. People are and will remain the biggest challenge vis-à-vis the supply-chain problem and, more broadly, the risk landscape. We must develop better inspection capability and, in reference to an earlier blog you posted, frameworks for autonomous machines that may soon develop and publish their own program code.