Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

The Chinese spy chip scandal and supply chain security

Last month, the security world was abuzz over allegations that Chinese spy chips had affected American motherboards on a staggering scale and had compromised sensitive data. Through these spy chips, according to an October 4 investigative report in Bloomberg Businessweek, Chinese perpetrators had successfully enacted a surveillance campaign. Bloomberg’s initial reporting was met with harsh criticism, particularly by Amazon, Apple, and especially Super Micro; each organization denied the claims outright. 

Without wading too deeply into the technical aspects of what was alleged, and without speculating as to whether the allegation was correct, the fact that this controversy arose at all demonstrates a very real network of vulnerabilities in how our supply chains are managed and how the U.S. approaches critical infrastructure technologies. In my last article, I discussed “the insider threat”—the types of threats that require lots of internal diligence to counteract. From the all-too-familiar disgruntled employee to the negligent click of an email link containing malware, insider threats account for the majority of the security issues we face today. This article, conversely, will take a look at the sorts of external, often political, security threats that affect our technology supply chains. I will also mention security advice recommended by the SANS Institute in combatting the types of cyberthreats that may result from supply chain vulnerabilities within organizations.

Reckoning with supply chain threats

The Chinese spy chip scandal points to an overarching need to assess supply chain security both within our organizations and in relation to our critical infrastructure. Our increasingly interconnected technology products—from hardware to software, and everything in between—typically have a long journey from manufacturing to distribution, and no one piece of technology is ever completely produced in one place. From an economic perspective, supply chain security is complicated by the need to outsource the cost and labor required to keep up with our growing use of the devices comprising the Internet of Things. Without any sort of centralized origin for digital devices, managing vulnerabilities is incredibly difficult, and any effort on the part of the U.S. government to restrict or control technology can only make a dent in the overall problems posed by sprawling supply chains. The Chinese spy chip incident brought to light issues with managing who comes into contact with pieces of hardware, and how it would be handled if tampering became evident. Supply chain issues force us to consider the role of physical security in managing assets, along with the importance of supervising third-party vendors on a smaller organizational scale.

While insider threats remain the number one source of risk to an organization, third-party vendors are often neglected in security assessments and strategies. Apart from the global supply chain networks that characterize the way we operate more broadly, organizations ranging in size from Fortune 500 companies to small family-owned businesses typically will use some sort of third-party vendor that has been granted access to their networks to provide some sort of service. Just as large-scale supply chain vulnerabilities are often ignored until something like the Chinese spy chip scandal confronts us directly, organizations are often slow to acknowledge their responsibility for assessing the security postures of their third-party vendors. Even if an organization has a solid, proactive security strategy, third-party vendors can be the weak link and cause data breaches or instances of hacking. 

For example, a hack that compromises the networks of a vendor may also be able to compromise the networks to which that vendor has access. Similarly, login credentials to an organization that the vendor uses to access networks could be retrieved and utilized by a cybercriminal. In these instances, the network intrusions stem from supply chain vulnerabilities and may result in substantial reputational, financial, operational, and legal costs. In 2013, Target was the victim of a huge data breach that compromised the data of up to seven million individuals. This was due to a data breach involving one of Target’s third-party vendors that subsequently impacted Target’s networks. In this instance, the consequences of having a third-party data breach hit Target just as hard as if it had been the first “target.”

Mitigating the risk

Though it is commonly accepted within the security community that the sorts of vulnerabilities present within the technology supply chain are somewhat unavoidable given its pervasive and global nature, and the fact that inspecting each and every piece of hardware for physical exploits is impossible, there are methods of combatting the sorts of cybersecurity risks associated with these threats. A few strong methods—recommended by the SANS Institute and written about by William Hugh Murray—include the use of encryption for every application, careful monitoring of traffic for any evidence of data exfiltration (maybe we can’t monitor everything coming in, but we can try to secure data from going out), and securing networks to the best of our ability. Reviewing third-party vendors on a regular basis, and assessing which have been granted access to your organization’s networks, is especially important; considering physical access controls is also advisable. Large-scale supply chain security issues may be unavoidable, but staying apprised of potential risks and being mindful of the government’s response to global technology imports can assist in mitigating damage.


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  
