Please read the blockbuster Bloomberg Businessweek report about US investigations into a digital attack that involved planting snooping devices in essential parts for powerful computers used by Amazon, Apple, the US government and other important organisations. The reporting highlights the grave risk of a bedrock element of technology: the sprawling, interconnected and global nature of computing.
Just about all computerised devices on the planet, from wrist-worn step-tracking gadgets to supercomputers that crunch US intelligence data, participate in a complex supply chain honed over decades. Tiny circuits, pieces of glass, wiring, computer chips and many more parts are designed, built, combined, recombined and retrofitted in multiple steps by multiple companies, contractors and subcontractors in multiple countries.
It takes a global village to make computers and gadgets. Bloomberg data count 50 different suppliers just for Hewlett Packard Enterprise Co, the company that makes computer servers, digital-data storage machines and other essential gear used by corporations and governments. That figure likely undercounts all the hands involved in making computer gear. A corporate computing data center might have equipment sold by dozens of manufacturers, which all have similarly complex networks of parts and software suppliers, manufacturers, assemblers, testers and contractors.
Every technologist and spy knows this global supply chain is necessary but also potentially vulnerable. Somewhere along the chain, malicious actors can find ways to infiltrate the system to insert bugs or de facto spying devices. And according to Bloomberg Businessweek, that’s exactly what operatives of China’s military did to some clusters of computer parts that made their way into the digital networks of entities including Amazon, Apple and the US Department of Defense.
The supply chain attack could have siphoned corporate secrets and government information while leaving few fingerprints. It’s the most insidious kind of digital spying imaginable, and some of the savviest tech minds in the world haven’t yet found a reliable way to sniff out the hardware-infiltration attacks, according to the Bloomberg Businessweek reporting. And worse, I’m not sure what, if anything, could be done to prevent this kind of snooping.
Perhaps the only surefire prevention is for Google, Apple, the US government and others to build every circuit and computer chip by hand and make sure the parts and equipment never leave the sight of people they trust. This seems impossible. It would cost a fortune, of course, and it may not be practically possible at all. Over the decades, companies in China, Taiwan, the US, Vietnam and elsewhere in the world have developed specialisation at discrete steps in manufacturing or assembly for computing equipment. It would takes years and support from the US government to replicate that specialisation entirely in the US or other countries that American companies and the government trust.
It will be interesting to see how, if it all, major US companies and government organisations change how they handle computer equipment now that these hardware hacking revelations are out in the open. Will they put in place more audits to test their computer gear for possible infiltration devices before they plug them into computer networks? Will companies, in fact, try to shift the supply chain to countries they think will make their computing gear less vulnerable to attacks?
If so, this dovetails with the White House, which wants to wean the country off reliance on Chinese factories and suppliers. That desire is at the heart of the US’s continuing trade fight with China. Now, technologists and US trade hawks have a common but perhaps impossible mission: Reverse decades of globalisation in computing to try to prevent damaging attacks. – Bloomberg