Chinese Supply Chain Hardware Attack
Bloomberg is reporting about a Chinese espionage operation involving inserting a tiny chip into computer products made in China.
I’ve written about (alternate link) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over.
We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.
EDITED TO ADD: Apple, Amazon, and others are denying that this attack is real. Stay tuned for more information.
EDITED TO ADD (9/6): TheGrugq comments. Bottom line is that we still don’t know. I think that precisely exemplifies the greater problem.
EDITED TO ADD (10/7): Both the US Department of Homeland Security and the UK National Cyber Security Centre claim to believe the tech companies. Bloomberg is standing by its story. Nicholas Weaver writes that the story is plausible.
Sean Nienaber • October 4, 2018 11:51 AM
Bruce, while I agree we can’t trust anyone, we can reduce the risk by deploying servers which aren’t manufactured in China, or at least servers which have fewer components manufactured in China.
For example, Fujitsu server main boards are fully manufactured by Fujitsu in Germany and then distributed internationally.
If we can’t solve the problem, the least we can do is look to reduce the risks.
It’s not perfect but it’s a start.