China reportedly is weaponizing the technology supply chain

China allegedly has weaponized the electronics supply chain and America is vulnerable. A stunning Bloomberg report outlines how China’s People’s Liberation Army (PLA) may have compromised the computer chip supply chain, snaring major US corporations, including Apple and Amazon. The report asserts that the PLA imbedded minute microchips on motherboards manufactured by Supermicro Computer. These chips theoretically provide Beijing clandestine access to the compromised servers, an ability to bypass software security, and an open a backdoor to those networks for Chinese operatives.

If we assume the Bloomberg report is accurate – which I do – this security breach could be the most significant and calamitous on record. The consequences would be colossal, not only from a global information security perspective but also with international relations and markets – as we saw play out during Secretary of State Pompeo’s recent visit to China.

The “rogue chip” has sent the industrial security complex scrambling. This reported breach is not software based, the result of human error, or an errant click. This is the holy grail of cyber fissure: Access via compromised hardware.

An intrusion of this complexity and breadth could only be state sponsored, state initiated, and state executed. Initial reporting indicates U.S. Government departments along with dozens of U.S. corporations could be vulnerable.{mosads} 

As anticipated, the largest of these – Amazon and Apple – have strenuously denied the compromise. Both companies issued statements contradicting key claims in the Businessweek report. Apple stated they have never unearthed “malicious chips” or susceptibilities in “any server.” They denied any interaction with the “FBI or any other agency about such an incident.” Amazon also set about “setting the record straight,” issuing a staunch denial. The Department of Homeland Security (DHS) and the UK’s Government Communications Headquarters (GCHQ), both indirectly supported Amazon and Apple. GCHQ and DHS issued almost identical statements: “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.”

In his novel, “Ghost Fleet,” noted national security analyst, P.W. Singer, contends that China will initiate World War Three with a supply chain compromise, not a spat over Taiwan. Singer’s book is built around existing, known technology.

In the book, published in 2015, Chinese microchips containing a secret “cyber kill-switch” are embedded in American satellites, aircraft carriers, communications systems, fighter jets, and everyday home appliances. As a result, F-35s fall out of the sky, our fleet is immobilized and we are isolated (spoiler alert – the good guys win).

That’s fiction.

Alarmingly, the Bloomberg expose purports to be fact. 

According to Bloomberg, the technology supply chain has been weaponized and deployed by Beijing. If so, America – and likely other countries – have been gravely compromised. 

The glockenspiels of warning have been tolling for years; regrettably, corporations have opted for profit over security, while Western governments have chosen expediency over national well-being.

America’s addiction to cheap Chinese manufacturing is a potentially terminal national security flaw.

If China has indeed compromised the integrity of the supply chain, it may result in a global shift of power.

The alleged Trojan Horse is the California based computing goliath Supermicro, with operations across the world, including China, where it manufactures – you guessed it – motherboards. Those motherboards are all over the globe, in vehicles, super computers, weapons systems and, Apple’s iCloud and Amazon’s Web Services cloud (AWS).

Supermicro has denied the breach.

If the reported compromise is factual, it is a tire-fire for the cybersecurity industry and technology consumers writ large. A hardware “hack” of this nature effectively places a question mark over every, assumed-secure, technology supply chain. The corollaries, if proven, would ripple well beyond the two dozen or so companies purportedly affected.

American industry, while cognizant of the latent threat of hardware supply chain attacks, seems wholly ill-equipped to combat them.

Congress – surprisingly – had addressed the issue. Citing security concerns, lawmakers mandated a blanket ban on government use or purchase of devices made by Chinese companies ZTE and Huawei. Australia, Britain, Japan and most recently India, all prohibit Huawei and ZTE from development of mobile infrastructure and other operations, deeming the two Chinese firms as national security risks.  An Australian government report determined that the Chinese companies provide intelligence to Beijing.

Make no mistake, China steals technology and filches intellectual property on an industrial scale. The vice president, Mike Pence told the Hudson Institute that Chinese spy agencies have engineered “the wholesale theft of American technology.”

Beijing has long sought imbedded, unfettered supply chain access designed to pilfer valuable corporate secrets and breach complex government networks. If the Bloomberg report is proved accurate, they have scored a touchdown. 

Fear of state-sponsored and commercial espionage is universal, yet the mechanisms are not in place to counter an effective hardware supply chain compromise. The Bloomberg revelations, factual or not, should have an immediate impact on supply chain security and management, for both security practitioners and governments. Given this stunning report, the technology industry is duty-bound to radically volte-face on sourcing Chinese components.

Greg Keeley is Managing Partner of Dreadnaught and a retired Information Operations Officer in both the U.S. and Australian Navies.  LCDR Keeley served as Senior Advisor to the Vice Chairman of the House Armed Service Committee & Chairman of the House Foreign Relations Committee in the US Congress. LCDR Keeley was the National Cybersecurity Institute’s inaugural Visiting Fellow.