[Image: The Supermicro chip. Source: Bloomberg]
Should you be worried about the Chinese Supermicro spy chip revelations? In a nutshell, yes.
If you're among the organizations using Supermicro server boards: Run, do not walk, to your server rooms and examine the boards in minute detail.
And regardless of what server hardware you use, it's time to rethink your global supply chain strategy, third party risk, and the move to zero trust.
If you've been hiding under a rock for the past few days, here's the gist of the story: Bloomberg claims that back in 2015, several large U.S. firms (including Amazon and Apple) discovered tiny unauthorized chips on server boards from Super Micro Computer Inc. (Supermicro), a U.S. company founded by Taiwanese immigrants. The chips appeared to have been placed there by unauthorized third parties--believed to be Chinese state-backed attackers--to give them a foothold for injecting malicious code into the servers.
According to Bloomberg, the companies investigated, and ultimately opted not to use the servers. But that's not the whole story.
Amazon allegedly discovered the hardware hacks in the context of purchasing Elemental, a video-compression software startup that had contracts with major U.S. defense and intelligence agencies. Elemental ran its software on Supermicro servers--and Amazon wasn't the only customer.
As Bloomberg puts it: "Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers."
Amazon allegedly reported the findings to the DoD, and (according to Bloomberg) a top-secret investigation ensued, which is still ongoing. One outcome: the investigation exposed weaknesses in the manufacturing process through which the hardware tampering could have occurred. (Again, this is according to Bloomberg.)
Amazon and Apple have both denied Bloomberg's report, although their denials are oddly specific. Rather than saying that events didn't unfold the way Bloomberg describes, they deny things that Bloomberg doesn't claim. Amazon, for example, denies knowing about the hack or the supply chain compromise "at the time of the Elemental acquisition". That leaves open the possibility that Amazon discovered it later on, which is in fact the scenario Bloomberg describes.
And so on. Check out this Register article for specifics.
The current discussion seems to focus on the he-said-she-said between Bloomberg, Amazon, and Apple: Who do you believe?
The markets, clearly, think there's something to the story: Supermicro's stock has tanked, dropping by almost 50% from the time the news was released.
But the real question here is not, "Who do you believe?" or even "Did it happen?" but "Could it happen?"
The answer turns out to be unequivocally yes. Researchers at the University of Cambridge in the UK examined the story and concluded that it "passed the sniff test". Specifically, a microchip of the type shown in the article could indeed sit on the Serial Peripheral Interface (SPI) bus that the baseboard management controller (BMC) uses to read its firmware from flash, and from there interfere with the BMC in a number of creative ways. These include altering the BMC's firmware as it is loaded (including replacing it with code downloaded over the Internet) and, through the BMC's privileged access to the host, overwriting system memory.
I encourage readers to check out the University of Cambridge piece. It's readable, highly accessible, and yet technically detailed. And it highlights the main technical points while sidestepping the he-said-she-said sideshow.
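The practical check that follows from the Cambridge analysis is whether the firmware actually sitting in a board's SPI flash matches what the vendor shipped. The following script is an added example, not code from Bloomberg, Supermicro or the Cambridge researchers: it compares a flash dump against a reference image block by block (flash erase-block granularity), reports every differing region, and treats a length mismatch as a trailing region. Both images are constructed in memory so it runs offline; the hypothetical `make_sample_images` helper stands in for reading a vendor firmware file and a dump taken with an external SPI programmer.

```python
"""Compare a BMC SPI-flash dump against the vendor's reference image.

Added example, not taken from the Bloomberg article or the Cambridge analysis.
Assumptions: `reference` is the vendor-published firmware file and `dump` was
read with an external SPI programmer clipped to the flash part, not through
the BMC itself, because an implant sitting on the SPI bus could answer in-band
reads with clean data. The sample images below are constructed for the demo.
"""
import hashlib
import random


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for logging and for comparison with vendor hashes."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes, block_size: int = 4096):
    """Return (start, end) byte ranges where `dump` differs from `reference`.

    Blocks of `block_size` are compared one at a time and adjacent differing
    blocks are merged into a single region. If the two images differ in
    length, the extra bytes are reported as one trailing region.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    regions = []
    common = min(len(reference), len(dump))
    start = None  # offset where the current differing run began
    for off in range(0, common, block_size):
        end = min(off + block_size, common)
        differs = reference[off:end] != dump[off:end]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, common))
    if len(reference) != len(dump):
        regions.append((common, max(len(reference), len(dump))))
    return regions


def verify_dump(reference: bytes, dump: bytes, block_size: int = 4096) -> dict:
    """Summarise the comparison: both hashes, a match flag, and differing regions."""
    regions = diff_regions(reference, dump, block_size)
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "match": not regions,
        "regions": regions,
    }


def make_sample_images():
    """Constructed sample data (hypothetical): a deterministic 64 KiB 'vendor'
    image, and a copy with two patched blocks plus an appended payload."""
    rng = random.Random(1)
    reference = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    tampered = bytearray(reference)
    tampered[0x1000:0x1010] = b"\x90" * 16  # change inside block 1
    tampered[0x3000:0x3010] = b"\xcc" * 16  # change inside block 3
    tampered += b"\xff" * 512               # extra bytes beyond the reference
    return reference, bytes(tampered)


if __name__ == "__main__":
    ref, dump = make_sample_images()
    result = verify_dump(ref, dump)
    print("reference sha256:", result["reference_sha256"])
    print("dump      sha256:", result["dump_sha256"])
    print("match:", result["match"])
    for start, end in result["regions"]:
        print(f"differs: 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
```

Two caveats a practitioner should keep in mind. First, the comparison is only as good as the reference: use the image the vendor publishes and its published hash, not a copy pulled from another board of the same batch, which may carry the same modification. Second, as the Cambridge piece points out, an implant on the SPI bus can rewrite firmware in transit, so a dump requested through the BMC may itself be a lie; the dump has to come from the flash part directly, with a hardware programmer.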
And that, frankly, is the issue. As the old saw has it, the Chinese had means, motive, and opportunity. We know that nation-states, including China and Russia, are engaged in cyberwarfare. We know that a hardware implant is the ultimate cyberattack, because hardware sits beneath the software stack and can subvert every layer above it.
We just didn't know that such an implant was actually feasible. How would it work? What would it do? The Bloomberg piece and the University of Cambridge analysis shine a spotlight on the answers to those questions.
As the Bloomberg article makes clear, there's at least the potential for such hardware hacks to be injected during the global manufacturing process. So as crazy as it sounds, the question of whether it did happen is secondary to the question of whether it could have happened.
And as the University of Cambridge researchers make clear, it absolutely could have.
Implication #1: Global Supply Chain Risks
That means the notion of compromised global supply chains for computing hardware has moved from the hypothetical to the definitely possible.
This isn't news to some folks, but it's a big deal for everyone.
At Nemertes, we work with many highly sophisticated clients who have been aware of the dangers of global supply chains for decades.
Department of Defense suppliers, for example, face restrictions on purchasing products from companies with foreign ownership, or with foreign supply chains.
This limitation creates significant procurement challenges for them, given how few computing devices are manufactured end-to-end within the U.S. But it's not a constraint that's up for discussion--these companies have believed for a long time that security depends on secure supply chains.
It's time for other enterprises to wake up to this concern, and recognize that global supply chains pose a security threat. An army wouldn't route its food supply through enemy hands, where poisoning is a real threat. Neither should an enterprise.
Maybe your company considers the Russians and Chinese to be "customers", not "enemies". And that's fine. But if your other customers are concerned about attacks from nation-states, your company could be serving as a conduit to attacks on them. It's safe to say, for instance, that Amazon was likely not the intended target of the Elemental hack; more likely, it was Elemental's other customers (the DoD agencies).
So if you take nothing else away from this exercise: recognize the risk from global supply chains.
Implication #2: Third-Party Risk Assessments Must Grow Up
Hopefully, though, that's not the only thing you'll take away. Your company probably has a group responsible for "third-party risk assessments" that, in theory, is responsible for detecting vulnerabilities like the Supermicro bug.
In many companies, this is a small, overworked group (sometimes just a single individual) responsible for conducting on-paper checks of third-party providers. This means droning through a rote checklist of questions on where products and services are developed, and under what controls.
That has to stop.
Third-party risk assessments need to become aggressive, dynamic, and practical. No longer should it suffice for a provider to simply check a box indicating their manufacturing processes "have no known compromises". Third-party risk assessors need to take the stance, "If someone were seeking to attack my organization and our customers through our third-party suppliers, how would they do it?"
Then assume that attack has already succeeded, and go looking for the evidence until you can show it hasn't.
That means physical inspections of devices manufactured outside the U.S. (According to Bloomberg, the Supermicro bug was originally discovered by a third-party security firm conducting a physical inspection of Elemental's servers.)
It means on-premises inspections of outsourcing provider sites. And yes, I know how difficult it is to get Amazon or Google to open the gates. So maybe it's time for Oracle and IBM to use third-party transparency as a competitive advantage!
It means investing in automated tools and analytics, not just relying on manual checklists.
And it means above all, prioritizing third-party risk assessments and conducting them with the same energy and passion that many organizations apply to defensive cybersecurity measures.
Implication #3: The Time for Zero Trust Was Yesterday
If nothing else, the lesson of the Supermicro bug is that nothing, and no one, should be trusted absolutely. As the University of Cambridge article notes, many system designers have begun strengthening defenses, such as verifying firmware at boot time so that malicious code cannot be inserted there. But it hasn't gone far enough. Cybersecurity architectures must assume no component can be fully trusted--and should embed the analytics and automation to uncover suspicious behavior. I've published at length about the need for moving to a zero trust model, including here and here.
It's long past time for enterprises to begin moving energetically towards zero trust.
Bottom line: It doesn't matter who's right. Even if the Supermicro bug didn't happen exactly the way Bloomberg claims, it's still the canary in the coal mine--and enterprise cybersecurity specialists should take note.