Last October, after a long investigation by various government agencies, it was reported that a “rogue chip” was found on SuperMicro motherboards, used by hundreds of vendors, whose main goal was to intercept information at the processor level. It would allow an outsider to gain access to communications and data that would pass through these server chips.
This excerpt from a Bloomberg investigative story published on Oct 4, 2018 lays out the basic issues and the potential threat:
“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of the hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
The discovery of this hack started in early 2015 and appears to have been caught very early on by Amazon, which was about to buy Elemental, a company that would help it expand its streaming video service architecture and that used Supermicro to manufacture its motherboards. It was also caught by Apple, which had planned to use Supermicro motherboards in its servers.
Even today, there is some controversy surrounding this rogue chip, but the idea that China could somehow find a way to gain access to our servers via a planted spy chip is very plausible, and Congress has created the first draft of a new piece of legislation aimed at keeping this from happening in the future.
Here is the outline of the MICROCHIPS Act summary that was just filed for Congressional comment:
The U.S. is involved in asymmetric warfare and what amounts to a technological space race with China, which is seeking to dominate an over $1.5 trillion electronics industry through state investment, subsidies and intellectual property (I.P.) theft. China has capabilities to undermine U.S. national security in four major non-kinetic areas with implications across the government: supply chain exploitation (e.g. supplying software and hardware with backdoor access or faulty component parts), cyber-physical attacks on systems with real-time operating deadlines (e.g. missiles, aircraft, electrical grids, etc.), cyber-IT (e.g. hacking of computer systems), and human actors (e.g. using insiders to gain sensitive information). China can and has used these types of attacks together as part of a blended national strategy to undermine the U.S.
While these threats have been largely acknowledged by the government, the U.S. still lacks a coordinated, whole-of-government strategy to address them, particularly supply chain exploitation. The lack of comprehensive detection and apprehension of potentially compromised technology and component parts has practical and serious implications. U.S. companies continue to lose billions of dollars of I.P. to theft by China.
Additionally, counterfeit and compromised electronics installed in the U.S. military, government, and critical civilian platforms give China potential backdoors to interfere with and compromise these systems. Implications of an insecure U.S. supply chain extend beyond the government—any industry that relies on electronics for secure communication, data transfer, or operations is susceptible to attack through a compromised supply chain.
The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply “MICROCHIPS” Act would address this pressing challenge by leveraging government and private sector expertise to develop a national strategy and establishing a central clearinghouse for assessing risks to critical technologies, fortifying the industrial base against these threats, and preventing compromised materials from entering the U.S. supply chain.
In the proposal, Sec. 3 directs the Director of National Intelligence, the Department of Defense, and other relevant agencies to develop a plan to increase supply chain security and to develop interagency sharing within 180 days.
Section 3 is the most important one and will directly impact ODMs and OEMs if passed. This particular line in Section 3 deals with the execution of the Act: “to develop a plan to increase supply chain security.”
I have been speaking with some of my contacts in Washington to get a read on this particular line in the Act, and as they point out, the way this would be executed in the future is still in very active discussion.
However, apparently one of the things they are kicking around is putting the burden on the ODM or OEM to make sure no rogue chip or code is ever put on any system manufactured in China. This could mean two things:
The ODM and OEM would need to have in place the skill set and the equipment needed to do this screening process themselves. I spoke with one ODM over the weekend, and they said that as of today, they are not equipped with either the skill set or the type of equipment that could do this type of screening. And it would be a moving target, since Chinese hackers who want to use this route to infiltrate these devices could change their methods and strategies continually in their quest to succeed. This would add additional processes to their manufacturing programs and could also be costly.
As for OEMs like Dell, HP, Lenovo, Amazon, etc., this too could mean they may have to put new processes and programs in place to screen the components they use in their computers, servers, etc. to make sure their devices are secure from rogue processors or code. While they do these types of tests now, the MICROCHIPS Act would put a heavier burden on them to guarantee their devices are free from the eyes of Chinese hackers.
The MICROCHIPS Act could also mean that the U.S. Government could make these companies directly liable if there is some type of breach on this specific security issue. What type of liability is the big question, but given the possible ways the U.S. government could execute this plan, it needs to be factored into people’s thinking these days.
The MICROCHIPS Act is something that our industry needs to watch very closely. It has good intentions, but the final law and how it will be executed could have major implications for the supply chain and our PC hardware vendors in the future.