Regardless of whether Chinese hackers really did infiltrate more than two dozen U.S. companies and multiple government agencies through a supply-chain hardware hack, the bombshell report by Bloomberg Businessweek throws light on an ongoing problem facing the Department of Defense, among others. The supply-chain threat to information technology and military products is real, it’s getting worse, and DoD (among others) still appears to be racing to counter it.
Bloomberg reported October 4 that a unit within China’s People’s Liberation Army had inserted the tiny microchips—each about the size of a grain of uncooked rice—into motherboards being assembled by Super Micro Computers for Elemental Technologies, which makes software for video compression. The company also makes high-end servers that are used by DoD, the Intelligence Community (IC), and the Navy’s warship networks, as well as some of the world’s largest and most powerful companies.
But two major players among the nearly 30 companies Bloomberg said had been compromised—Apple and Amazon—pushed back, with Apple saying it has never found any compromising hardware planted in its servers, and Amazon saying it has had no issues with malicious chips in any of its systems and has not taken part in a government investigation. And over the weekend, both the Department of Homeland Security and its U.K. counterpart, the National Cyber Security Centre, said they had “no reason to doubt” the statements from Apple, Amazon, or Super Micro (which, despite its official name, is usually referred to by the single word Supermicro). Bloomberg, meanwhile, said it is standing by its story.
However the facts shake out, a hack of the supply chain is plausible, potentially catastrophic, and is something the DoD, the Government Accountability Office (GAO), and others have warned about for years. DoD supply chain management has a seemingly permanent spot near the top of GAO’s biennial High Risk List. A report by the Office of the Director of National Intelligence says the U.S. supply chain is under “systemic assault by foreign intelligence entities” who exploit the country’s collaborative culture “to steal information to advance their military capabilities, modernize their economies, and weaken U.S. global influence.”
MITRE, a federally funded research and development organization with a long history in DoD matters, in August released a report urging the agency to take wide-ranging measures to shore up acquisition and the supply chain. Citing serious risks and a somewhat lackadaisical awareness of them, MITRE recommended 15 changes overall. These included making security a primary metric in acquisition and establishing a whole-of-government national supply chain intelligence center that involves the DoD, the IC, DHS, and other civilian agencies and contractors. “Cyber and supply chain vulnerability extends well beyond DoD, across government, and into the private sector,” the report said. “Nonetheless, DoD has potentially decisive influence in this space.”
The Pentagon and Congress are moving toward tightening up supply chain security. DoD is already taking one page from MITRE’s report with a new initiative called “Deliver Uncompromised,” under which it wants to make security a “fourth pillar” of acquisition, making security guarantees a condition of getting a contract. At the moment, Deliver Uncompromised is a pilot program.
The 2019 National Defense Authorization Act (NDAA) gives the Secretary of Defense and the secretaries of the Army, Navy and Air Force some discretion in which contractors they deal with, allowing them to exclude contractors from certain procurements in the interest of national security while limiting the disclosure of their reasons. The NDAA includes several other provisions for strengthening cybersecurity, among them reforms on cybersecurity assessments and cooperation with the civilian sector. It also specifically authorizes retaliatory actions for cyber activities by Russia, China, North Korea, and Iran, which have been the United States’ biggest cyber adversaries.
In July, DoD said it was developing a “do not buy” list for software with code originating in Russia or China. And the agency is at least looking into the possibility of using blockchain’s decentralized approach to security as a way of ensuring that products aren’t meddled with during their trips through the supply chain.
Considering the size of DoD’s procurement and supply chain apparatus, wholesale changes will take some time, both for the department and for industry. Ellen Lord, DoD’s under secretary for Acquisition and Sustainment, told reporters in July that a new insistence on security up-front presented “a huge education process” for industry. The report about China’s suspected microchip hack, whether or not it bears out, only adds urgency to the issue.