Hidden Malicious Computer Chips
Discovering Malicious Chips
A sound practice for management, IT and security staff is to devote people and tooling to gathering intelligence on, and forensically examining, hardware suspected of carrying implanted chips, in the same way each group already works out mitigations for software vulnerabilities. Security policy is never finished, so research into hardware-level threats belongs alongside software vulnerability management rather than as an afterthought. The Bloomberg article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” (October 2018) reported that server motherboards supplied to almost 30 U.S. companies, including Amazon and Apple, had been fitted with small surveillance chips during manufacturing in China; the attackers corrupted the hardware supply chain rather than attacking the companies directly. Amazon, Apple and Supermicro publicly denied the report, and no affected board has been produced for independent analysis, so the details that follow should be read as Bloomberg’s account rather than as a confirmed incident; the supply-chain lesson holds either way.
Providers
Cybersecurity professionals should be cautious about the third-party organizations that supply their companies with new hardware. The article uses Amazon’s experience acquiring a company whose products depended on an outsourced hardware supply chain, and how that led to receiving systems carrying Chinese-implanted microchips. Business acquisitions and hardware procurement involve chains of corporate entities: a board is designed by one company, assembled by subcontractors (in this case in China), and integrated and resold by others, so the buyer rarely has a direct relationship with whoever actually populated the board. According to the report, U.S. intelligence had been aware of Chinese interest in hardware implants for years; Amazon’s own encounter began in 2015, when Amazon Web Services evaluated Elemental Technologies for acquisition in order to expand its video capabilities, including Amazon Prime Video. Elemental made software for compressing video so that it could be played on a range of devices, and its servers were also sold to U.S. government customers; AWS, which separately operated a secure cloud for the CIA, was therefore careful about what it was buying. Amazon applied a “trust but verify” approach to the acquisition: it hired a third-party security firm to scrutinize Elemental’s product, including several of its high-end video-compression servers.
Corporate and Government Networks
The investigation centered on the relationship between Elemental and Super Micro Computer Inc. (Supermicro), which supplied Elemental’s server motherboards; those boards were assembled by Supermicro’s subcontractors in China, and that is where the chips were reportedly added. The third-party testers Amazon hired found a microchip, not much bigger than a grain of rice, that was not part of the board’s original design, and traced it to the Chinese manufacturing step. Amazon reported the findings to federal authorities, but Elemental servers were already deployed in Department of Defense (DoD) data centers, in CIA drone operations and aboard U.S. Navy warships. Investigators concluded, in a probe that remained open more than three years later, that the chip gave attackers a hardware backdoor into any network the server joined, which Chinese operatives could exploit for espionage.
The chips complicate life for security teams because most staff are already committed to penetration testing and to vulnerability and risk assessments of software and operating systems; checking incoming hardware such as servers and business PCs for unauthorized components draws on the same limited pool of people. The report’s conclusion was that an implant of this kind could give Chinese operators a persistent foothold for espionage and other attacks that ordinary network monitoring would not notice. Software and application vulnerabilities are far more common than hardware implants for most U.S. businesses, but security policy should still require “trust but verify” in the research, purchase and installation of any hardware that could carry a malicious component. Inspecting hardware is not an exaggerated concern: it protects availability targets such as five nines (99.999% of operation without disruption) and, more importantly, denies a state actor unauthorized access to networks, communications and stored data.
Examination
Another sound strategy is for each department to examine hardware at three points: before purchase (vendor and supply-chain due diligence), during installation (comparing the received unit against the reference design and expected firmware), and in operation (watching how the hardware behaves once it is on the company network), so that each system can be confirmed free of unauthorized chips. These steps fall to the organization itself because there is little regulation of hardware manufacturing and distribution. The Bloomberg report raises the prospect of a national-level program that inspects hardware before it ships to corporations; that would be politically divisive in the United States, since some members of Congress (particularly those whose districts contain successful technology companies) would support it while others doubt that federal regulation would be effective, prefer less regulation of the private sector, and would propose alternatives. Today no regulator or agency is responsible for the integrity of hardware components, while China, the country most associated with this threat, makes about 75% of the world’s mobile phones and 90% of its PCs. Given that market share, some critics favor regulating Chinese suppliers to protect American (and other) buyers from products tampered with by organizations answerable to the Chinese state; others argue that such regulation would be too expensive and too restrictive for private enterprise.
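The installation and operation checkpoints described above can be partly automated. The Python below is an added example written for this page, not code from the Bloomberg report, from Amazon or from any vendor; the manifest fields, firmware hashes, network ranges and flow records are all constructed. It diffs a received server’s component and firmware manifest against a golden baseline recorded from a unit the team inspected itself, and it flags any traffic from the out-of-band management (BMC) network to a destination that is not on an allow-list, which is the behaviour an implant that phones home would exhibit.

```python
"""Acceptance checks for newly received servers: compare a component/firmware
manifest against a golden baseline and flag management-network egress to
unexpected destinations. Added example; every value below is constructed."""
import ipaddress

# Baseline recorded from a reference unit that the team inspected itself.
# (Constructed values, not real firmware hashes or a real board model.)
GOLDEN = {
    "board_model": "REF-BOARD-A1",
    "bmc_fw_sha256": "1f9d2c4b" * 8,
    "bios_sha256": "7a3e5c10" * 8,
    "pci_devices": {"8086:1521", "8086:a1a3", "1a03:2000"},
}

# Manifest pulled from a unit under test (constructed). It carries a BMC
# firmware image the team has never seen and one extra PCI function.
SUSPECT = {
    "board_model": "REF-BOARD-A1",
    "bmc_fw_sha256": "e0e0e0e0" * 8,
    "bios_sha256": "7a3e5c10" * 8,
    "pci_devices": {"8086:1521", "8086:a1a3", "1a03:2000", "ffff:0001"},
}


def diff_manifest(golden, observed):
    """Return human-readable deviations of `observed` from `golden`.
    An empty list means the unit matches the reference build."""
    findings = []
    for key in ("board_model", "bmc_fw_sha256", "bios_sha256"):
        if observed.get(key) != golden[key]:
            findings.append(
                f"{key}: expected {golden[key][:16]}..., "
                f"got {str(observed.get(key))[:16]}..."
            )
    seen = set(observed.get("pci_devices", ()))
    for extra in sorted(seen - golden["pci_devices"]):
        findings.append(f"unexpected PCI device {extra}")
    for missing in sorted(golden["pci_devices"] - seen):
        findings.append(f"missing PCI device {missing}")
    return findings


# Out-of-band management (BMC) network and the only destinations it may reach.
# (Constructed addressing.)
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DST = [ipaddress.ip_network("10.20.100.0/24")]  # jump hosts / monitoring

# Constructed flow records: "<epoch> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = """\
1717000000 10.20.0.15 10.20.100.5 443 tcp
1717000005 10.20.0.15 10.20.100.5 623 udp
1717000010 10.20.0.42 198.51.100.77 443 tcp
1717000015 10.0.5.9 203.0.113.20 443 tcp
1717000020 10.20.0.42 8.8.8.8 53 udp
"""


def flag_mgmt_egress(flow_text):
    """Flag flows that leave the BMC network for a destination outside
    ALLOWED_DST. Hosts outside MGMT_NET are ignored here; in-band traffic
    has its own controls."""
    flagged = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in MGMT_NET:
            continue
        if any(dst_ip in net for net in ALLOWED_DST):
            continue
        flagged.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto})
    return flagged


if __name__ == "__main__":
    for finding in diff_manifest(GOLDEN, SUSPECT):
        print("MANIFEST:", finding)
    for flow in flag_mgmt_egress(SAMPLE_FLOWS):
        print("EGRESS:", flow)
```

In practice the observed manifest would be produced from the received unit (BMC firmware hash read over the vendor’s management interface, PCI IDs from the operating system) and the flow records would come from the switch or firewall serving the management VLAN. The baseline must come from a unit the team physically inspected, not from the supplier’s documentation; otherwise the check only confirms that the supplier is consistent with itself.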
Choosing a Hardware Supplier
A defensible practice is to avoid purchasing and installing technology from organizations reputed to be potential vehicles for espionage, such as Huawei, Lenovo and ZTE. Understanding how the chips were installed, and by whom, informs the security policy that cybersecurity professionals write. U.S. investigators concluded that the chips were inserted during the manufacturing process by operatives from a unit of the People’s Liberation Army, which indicates that China treats offensive hardware operations as a component of its military strategy. Because corporations and governments have few other options, hardware-security measures are most effective when written into security policy rather than left to ad hoc decisions. For larger technology companies (with billions in revenue), declining to buy from Supermicro and other companies whose inventory is built by Chinese manufacturers may be a viable strategy. In 2015 Apple planned to order more than 30,000 Supermicro servers over two years for a new global network of data centers; according to the report it found the chips and severed its relationship with Supermicro in 2016.
Many large U.S. technology companies have pledged not to install hardware from Chinese manufacturers with a reputation for attaching malicious chips, including Huawei, Lenovo and ZTE. Many cybersecurity professionals argue that deploying these companies’ technology is likely to give the Chinese government and the People’s Liberation Army (PLA) direct access to company networks (Schuman & Shenzhen, 2013). Refraining from such purchases may make the United States less vulnerable to attacks carried through hardware, which matters because of the complexity of the networks that manage information and communications for U.S. public- and private-sector entities. Critics argue that the U.S. is among the most exposed countries precisely because of its dependence on networks to run businesses and protect critical infrastructure. Most companies spend the bulk of their cybersecurity resources on offensive and defensive work against malicious code in software; good practice is also to keep enough cybersecurity professionals available to handle vulnerabilities present in purchased hardware.
Although President Trump has not appointed a White House cybersecurity coordinator (a post his predecessors had filled since the Clinton administration; it was eliminated in 2018), he and his administration received intelligence about Huawei-manufactured equipment installed and managed by American corporations. The President treated that intelligence as grounds for an executive order framed as a national security measure (Executive Order 13873, May 2019). The order itself does not name Huawei; it declares a national emergency and authorizes the Commerce Department to prohibit the acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service from a company under the control of a foreign adversary. The same week, Commerce added Huawei to its Entity List, which required U.S. suppliers such as Google, Qualcomm, Broadcom and Intel to stop providing components and software to Huawei; the practical effect was a ban on Huawei in the U.S. market. The Administration has signaled that the restrictions could be eased as part of trade negotiations with China if Huawei accepted conditions, but even if the ban is lifted the underlying problem between the United States and China remains: no regulating entity verifies that Chinese hardware is free of current or future versions of these microchips. Some experts doubt that the U.S. has the resources or the political capital to create a federal regulating body that could address every hardware vulnerability.