[1]The fix for IT supply chain attacks:

    As [2]I've written previously, I'm very skeptical of [3]Bloomberg's
    report about the Chinese placing hardware spy chips on server
    motherboards used by U.S. companies. China is actively spying on
    U.S. businesses all the time, I believe, and has already stolen most
    of the intellectual property secrets they are interested in. The
    Chinese are on their way to becoming the world's leading economic
    power, and manufacturing computer chips is a big part of that
    equation. I don't think they would jeopardize that business so
    blatantly.

    If any good is to come out of the Bloomberg article, it is bringing
    the problem of the supply chain to the forefront. If nearly every
    computer device and chip is made by potential adversaries, how can
    you ever be assured that what you are buying doesn't have
    intentional bugs or even spying chips?

    The supply chain is the aggregation of all entities that provide the
    products and services needed for other entities to provide their
    products and services to their customers. Theoretically, any entity
    can knowingly or unknowingly introduce insecurity that impacts the
    final product. This is the exact issue that the Bloomberg authors
    and their anonymous sources allude to: that a spy chip can be placed
    on motherboards that eventually get placed into servers used by
    foreign companies.

IT supply chain risk has always existed

    This is not a new issue. …

Keeping the supply chain status quo is not an option

    So, one solution is no solution: Keep things as-is. As far as we
    know, incidents of nations using supply-chain malicious inducements
    are rare. If a nation-state compromised the supply chain too
    routinely, none of the other nations would buy its chips. It would
    be a self-solving solution. We've made it so far, so good, using
    this "strategy."

When do you use a detect-and-regulate supply chain strategy?

    … Well, for one, the military already has programs to prevent supply
    chain issues for its most critical infrastructure. Many levels of
    the U.S. government have programs that look for malicious supply
    chain issues. That's precisely why I don't believe that we have a
    widespread issue of Chinese spying chips all over the U.S.

    The question is at what level of the supply chain do we start
    requiring stricter oversight and monitoring? …

    The opposite school of thought to the "keep the status quo" argument
    is that we need to check all computer devices for spying hardware,
    software and firmware. This can be done by government or industry
    groups (like Underwriters Laboratories [UL] or Consumer Reports).
    The problem is that all governments want to spy on people: their
    own people, and those in other countries. Asking the
    government to make sure everything is secure and not spying is
    asking for the fox to guard the henhouse. At the same time, I'm not
    sure we can do what needs to be done without governmental
    involvement.

The supply chain security solution needs to be global

    … Every nation needs a nationally created and funded regulatory
    group that can look for supply chain issues but isn't directly
    governed by the government. It's not perfect. It's like asking the
    foxes to pay for the shepherds who protect the henhouse, but I don't
    see any other realistic way for a supply chain security solution to
    actually work. Or we can keep the status quo and hope for the best.

  (Via [4]CSO Online)

  I agree with the article in large part. I disagree that government
  action and international agreements are the way to address supply chain
  risks. It is vulnerable in a multitude of ways independent of hardware
  hacking like the Bloomberg report claims. Compromising hardware not
  only requires physical access but its own reliance on a supply chain.

  I tend toward industry and market forces addressing all aspects of
  supply chain insecurity. Redundancy, resiliency, supplier diversity,
  quality assurance, and monitoring are best done by those with the most
  at risk. Governments are too mercurial, international agreements and
  treaties often are not worth the paper they are printed on, and special
  interests can introduce new risks into the equation through
  self-interest and a lack of vision.

  Also on:

  [5]Twitter

  My original entry is here: [6]The fix for IT supply chain attacks. It
  posted Wed, 17 Oct 2018 13:18:36 +0000.
  Filed under: business

References

  1. https://www.csoonline.com/article/3313665/techology-business/the-fix-for-it-supply-chain-attacks.html#tk.rss_all
  2. https://www.csoonline.com/article/3311836/security/why-i-don-t-believe-bloomberg-s-chinese-spy-chip-report.html
  3. https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
  4. http://www.csoonline.com/index.rss
  5. https://twitter.com/prjorgensen/status/1052550504243494920
  6. https://www.prjorgensen.com/?p=2204