Slashdot Mirror
The Messy Truth About Infiltrating Computer Supply Chains (theintercept.com)
In October last year, Bloomberg Businessweek published an alarming story: Operatives working for China's People's Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro.
While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept.
From the report: U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer's hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence.
What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."
What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."
The NSA admits doing exactly this to target high-value individuals. Order a computer, they intercept the package, in a few hours it's opened and modified and packed back up with OEM stickers like new. You would never know.
China is just much more broad and bold with their attempts to catch up using 3rd party companies that are actually 1st party ChiCom Party owned entities.
Supermicro may or may not have been a real story - however, if it WAS REAL, the NSA and SECINT have no obligation to inform the public of that, only to mitigate it as they mitigate dozens of things we know nothing of.
The problem isn't that there's no evidence, the problem is that we have no legal authority to demand evidence if it exists to know either way. Journalism has to catch them red-handed by itself for us to find things out.
Hence Edward Snowden's revelations.