Cybersecurity: Made in the USA

The People’s Liberation Army (PLA), China’s armed forces, embedded a tiny microchip in servers built by SuperMicro, one of the largest manufacturers of server-class motherboards. The rogue chips were disguised as signal-conditioning components, the small parts that keep electrical signals clean as they cross a circuit board. Once a server was running, the chip modified the operating system to allow traffic to and from command-and-control centers established by the PLA, presumably for the purposes of spying and stealing data. Having opened these holes in the operating system’s defenses, the chip could then communicate directly with those centers, receiving commands and returning valuable reconnaissance.

These chips were implanted into SuperMicro’s motherboards at third-party Chinese manufacturing sites that the company used during periods of peak production, when its own more closely monitored plants could not meet worldwide demand. Each implanted chip was about the size of a pencil tip.

We usually think of cybersecurity as a battle waged in software. We patch our applications and operating systems regularly to fix the bugs and close the vulnerabilities their vendors have found since the last patch, which we may have installed only days earlier. Patching is a burdensome and boring responsibility: it means inconvenience and delay for individual users, and scheduling challenges, downtime, and significant added cost for organizations. Patches are a necessary plague.

But at least you can patch software. Hardware poses a different challenge. You can’t download new hardware that overwrites and replaces what is in the machine, and almost all hardware components are so small that you can’t hire a repair person to come by with a soldering iron and fix the problem. Instead, you end up doing what Amazon and Apple, and presumably other deep-pocketed SuperMicro customers, have done: you throw out the offending equipment.

That is not one way to solve the problem; it is the way. But it comes at tremendous expense, one that most companies not named Amazon or Apple simply can’t bear.

A mammoth, far-flung, and tremendously complicated supply chain supports the computer manufacturing industry. Its scale, its complexity, and the critical need for it to run continuously and seamlessly make it incredibly difficult, if not impossible, to police. The end products of that chain pack literally billions of transistors and other components into highly portable devices. One rogue chip the size of a grain of rice can compromise an entire server. Even if you can x-ray a machine and compare the image with the manufacturer’s 3D models to detect anomalous components, hardware hackers have worked out how to embed secret circuits between the layers of other components, like cancer cells spread throughout an organ. Perhaps a computer MRI could detect such computerized contagions, but the technology for such invasive examination isn’t ready yet.

If any good is to come from the current nationalistic wave of tariffs and trade protectionism, let it be this: the global supply chain for computer component manufacturing must shrink into a national one. The unprecedented power and reach of computer technology to control or, at least, heavily influence virtually every aspect of modern life demands that we monitor the manufacturing of those components closely, continuously, and with demonstrable diligence at every step of the process. We lack the means to do this on a global scale; we cannot look everywhere at once. We have to pull the manufacturing of computer components into this country. Costs will surely increase, and delays will arise as manufacturers shift to new suppliers, build new plants, and adopt new techniques. But the cost of continuing to entrust the production of such powerful and important equipment to plants that operate in potentially unfriendly environments, sometimes without our even knowing it, would certainly be far greater.

“Made in the USA” can serve as more than a nostalgic label or hollow rallying cry. It may very well hold the key to keeping cyberspace functional.

About Ray Klump

Professor and chair of Mathematics and Computer Science; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
