What happens when the hackers build the hardware

A story in Bloomberg Businessweek opens up a broader discussion of the vulnerability of the connected devices around us and the servers running the applications and services that power modern life.
By Malia Spencer – Portland Inno, Portland Business Journal

Reports of a supply chain attack that hit a prominent hardware manufacturer and then filtered out to other companies raise concerns about manufacturing security.

In November 2013, Andrew Plato, CEO of security research firm Anitian, penned a blog post noting that his researchers found the technology manufacturing supply chain — much of which is in China — to be woefully insecure.

In fact, it was ripe for bad actors to inject malicious code or components even before products shipped.

So news this morning in Bloomberg Businessweek of a possible state-sponsored supply chain attack — possibly hitting big names like AWS Elemental and Apple Inc. — isn’t a surprise to Plato.

“I’m surprised it took four years to come around,” he said.

Both AWS Elemental and Apple refute the claims made in the story. However, the story launches a broader discussion of the vulnerability of all the connected devices around us and the servers running the applications and services that power modern life.

“There is a level of this where we don’t have control,” Plato said, of the inability to police the actions of manufacturers in other countries or other governments. “What it comes down to is anytime you are using a third-party component you have to test and evaluate and ensure that the component is not only operating as you specified but not operating outside of the specs.”

Rigorous testing will be key moving forward, Plato said, as he expects this type of attack will happen.

Semiconductor industry analyst Patrick Moorhead noted on Twitter that the Bloomberg story, “real or not,” will start intense discussions about U.S. manufacturing and secure supply chains.

“Assuming the article is accurate, this was a supply chain attack,” Moorhead wrote on Twitter, noting that strict evaluations could be implemented. “Every (printed circuit assembly) and (printed circuit board) could be x-rayed and compared to the original design using (machine learning).”

Plato sees no limitation on such technology as machine learning and artificial intelligence in helping suss out possible manufacturing attacks. Instead, the limitation will be the people needed to look at the analytics and determine what they mean.

The cybersecurity industry already has a shortage of workers. Nationally, there are more than 301,000 open cybersecurity jobs, according to cyberseek.org, a national project supported by the National Institute of Standards and Technology.

AI security platforms “can produce data and say something bad is happening,” Plato said. “They can’t connect to the bigger problem and don’t have the creativity to say why (something) is happening. That is still a very human function.”

At Twistlock, a Portland-based company that builds security tools designed to work in cloud IT infrastructure, the view is that the issues raised by the Bloomberg story need to be addressed at the government level.

“There's no practical way for the great majority of organizations to protect themselves from a hardware attack embedded in the equipment they're buying from a seemingly reputable supplier,” said Twistlock Chief Technology Officer John Morello, in an email. “No Fortune 1000 organization can practically protect itself against a nation state and that's what this attack illustrates.”

For Morello, the solution is building a stronger supply chain domestically or with close allies.
