US vendors should take reports of China chip hacking as a strong wake-up call to evaluate security in their supply chain

IDC says full supply chain audits are likely in the future for hardware vendors to ensure their equipment and components aren’t bugged

Bloomberg BusinessWeek published a report last October that surveillance microchips were inserted into US servers during their manufacture in China. US organizations erupted at the news. Surprisingly, most of the uproar came from a couple of prominent companies - Apple and Amazon - pinpointed as having had their servers compromised. They vehemently fought back against the claims that their equipment had been compromised during manufacturing.

Apple, Amazon servers compromised or not?

Bloomberg relied on 17 anonymous sources and a year of interviews to back its research, and so far no one has proven that its claims are inaccurate. But Apple and Amazon have also presented some convincing evidence that their servers were in fact not compromised. We all want to believe that's the case - though the purpose of this article isn't to debate whose claim is accurate.

The objective here is to point out the very real risks of compromise in the US-China supply chain, even if Apple and Amazon are, for now, in the clear. They were only 2 of the 30 US companies Bloomberg claimed were affected by spying devices.

China a permanent fixture in US supply chain

The US relies nearly exclusively on China for affordable, skilled labor and for accommodating manufacturing infrastructure. It's a near monopoly so deeply entrenched that there is virtually no likelihood at this point of China being removed from the chip manufacturing process. That leaves the security of the assembly process a battleground of increasing concern.

Some have suggested that China may not have the know-how to carry out such a technological feat: compromising chips by inserting spying devices the size of rice grains. And beyond the technology and know-how, it would also take strokes of luck to pull off. But the reality is that it can be done, thanks to vulnerabilities in the process. And with the advantages spies stand to gain, they are content to wait for opportune moments.

Super Micro Computer - largest vendor of server motherboards

The US vendor at the center of this issue is Super Micro Computer (Supermicro), based in San Jose, California. It is the world's largest vendor of server motherboards, and Bloomberg's research claims that circuit boards made by its Chinese subcontractors were implanted with microchips the size of rice grains. When the Bloomberg news broke, Super Micro's stock dropped 40%. The company denied involvement, including ever having discovered any malicious chips on its hardware, and also said no government agency had contacted it to verify the story.

Despite the pushback from Super Micro, Amazon and Apple that their circuit boards were not affected, the risks of this kind of cyberthreat are real. IDC reports that the ramifications of the story are just the beginning. American vendors rely heavily, nearly exclusively, on China, and IDC emphasizes that these companies need to re-evaluate the security of their manufacturing relationships. China's Ministry of Foreign Affairs stated that it defends cybersecurity and is a victim as well.

Multiple sides have varying perspectives on this complex situation. The need for greater security is obvious. But what will that look like, and who will define it? At the very least, IDC's report suggests that hardware vendors conduct full supply chain audits to uncover existing bugs. That would be a good first step on a long and challenging road.