This post originally appeared on RUSI.org on 29 January 2019
Western governments are shedding their inhibitions about naming and shaming states suspected of infiltrating their critical national infrastructure. This is a good step, but should be just the beginning.
Recently, 150 US individuals and entities joined in launching a federal class-action lawsuit in response to the accusation that China was behind the 2014 hack of the Marriott hotel chain which led to a data breach affecting up to 500 million customers. The US government also readied itself for action, but has yet to act. But even if the US federal government does swing into action, the reality remains that what may be sufficient proof for a case before domestic courts is not enough for subsequent international action.
The revelations of the Marriott case come after a report from the Bloomberg news agency in early October 2018 that claimed that an arm of the Chinese People’s Liberation Army (PLA) has specialised in hardware attacks, manufacturing computer chips no bigger than the tip of a pencil that were illegally attached to Chinese-made servers shipped all over the world.
Hardware attacks are much harder to detect than software attacks. Unlike software attacks, which come with anomalous behaviour, a hardware attack means that the malicious chips will have to be physically found. The lifecycle of a hardware attack is therefore significantly longer, and the attacks can be devastating, with the hardware opening up a backdoor for further software attacks.
This does not appear to be a one-off attack; judging by the publicly available sources, the alarm was first raised back in 2014, when US intelligence officials briefed the White House that the Chinese military were ‘beginning to insert the chips into SuperMicro motherboards’. Over the past four years, chips of different sizes have been found, indicating that China has continuously been refining its process of hardware attacks.
The motherboards of SuperMicro, a hardware manufacturer from Silicon Valley, have found their way into all commercial activities; Bloomberg alleges that household names like Apple and Amazon Web Services (AWS) were both affected. US Government agencies like NASA, as well as Congress and the Department of Homeland Security all use them. More spectacularly still, it is alleged that military equipment, from missiles to drones, also use the chips. The Bloomberg report makes no reference to whether British or other European entities are also using SuperMicro hardware, but given their prevalence, they may well have been affected too.
Nor is there any indication that the PLA has stopped its alleged attacks on SuperMicro motherboards, or that SuperMicro was the only manufacturer whose products have been attacked. Aside from the US, it is unclear which governments had knowledge of such an attack prior to the information becoming publicly available.
The story from Bloomberg came under fire, mostly because as many of its sources remained anonymous and none of the allegations are easy to verify.
Denial from Apple came first. In mid-October 2018, Tim Cook, the CEO of Apple, sat down for an interview with Buzzfeed two weeks after the Bloomberg report was published, and called for a retraction from the news agency, saying that ‘[t]here is no truth in their story about Apple’. This followed a denial Apple put out on the day the story broke and, in a letter to the US Congress Apple sent days after that, the company called the story ‘simply wrong’.
Amazon’s denial was not that a hardware hack was not plausible, but that Amazon had done its due diligence during the procurement phase of the hardware, and that Bloomberg was not providing enough evidence to convince it otherwise.
Britain’s GCHQ also weighed in, apparently siding with the tech companies, stating that ‘we are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple’.
Still, the story had garnered enough attention to become a political problem. Chris Stewart, a Republican of the US House of Representatives’ Intelligence Committee, called on SuperMicro to appear before legislators, and US Senators called on both the FBI and Department of Homeland Security to investigate.
The only part of this story that is clear is that outside of Bloomberg there is enough concern mixed with confusion for a serious investigation to try to unearth what has happened. What is not in doubt now is that a hardware attack of this scale is possible.
To a typical consumer the story may sound similar to one of the many other cybersecurity stories about their iCloud or Amazon Prime password being under attack, as is the case in some articles about software hacks.
Controversy over data breaches of that kind is now familiar. Yet the deeper concern about a hardware hack is not about being as wide as an ocean but as deep as a puddle, it is about the specialised military hardware it has potentially compromised.
In the old days of spy craft before the age of computers, attacks like these used to consist of planting a bug in an office – exposing its perpetrators to some risk – and involved a physical intrusion that was largely detectable. Now, such activity is done over a distance and the cost-benefit calculation has changed: no physical intrusion, detection is difficult and the opportunities for plausible deniability are extensive. Understandably, there is more of a willingness to engage in such activities.
What may be the impact of such revelations? Suppliers that are trusted by the pedigree of their brands would be under scrutiny to exclude China from their supply chains, and if they did not, governments might look at moving skilled manufacturing jobs to more protected jurisdictions. As ‘a former US official noted’ to Bloomberg, ‘You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition’.
Countries which cannot meet this requirement would also be under added scrutiny; being seen to have made the cost-saving choice could affect their security. And suppliers and products may end up being on a ‘blacklist’.
If the cost of perpetrating a hardware hack is only reputational then attacks will continue and could become more ambitious in scope. Attributions that fail to be detailed enough can easily be denied, but if the evidence becomes too complex it can weaken what should be a simple political message. Naming and shaming is a good first step at raising the perceived costs, but blacklists that are adhered to internationally could raise the costs further.
We are heading in this direction. In 2014 the US Department of Justice charged five Chinese military hackers, making public their names and unit. Of course, the alleged hackers will never stand trial. But the fact that they were named indicates a willingness on the part of the US to reveal its capabilities to identify potential culprits, and Washington’s readiness to do so publicly.
This time it looks like China may once again evade any serious consequence for its alleged activities. But not for long, as attention on Huawei, another Chinese manufacturer, commands the headlines.