After an explosive Bloomberg report revealed that China was surreptitiously inserting small microchips into servers that later ended up being used by the Department of Defense, CIA, and many large American companies, an ex-NSA scientist warned there was “no way of addressing this risk” from a strategic standpoint.
“We can find a couple of them, but we're not gonna find the next generation version,” said Dave Aitel, a former computer scientist for the National Security Agency now working as the Chief Security Technical Officer for Cyxtera. “That makes it very hard to trust computers in general.”
U.S. government investigators found that servers assembled by American companies contained motherboards — made by Chinese subcontractors — with tiny microchips that could allow hackers to “create a stealth doorway into any network that included the altered machines,” according to Bloomberg.
“They are literally in between the layers of the board,” Aitel said, adding that in order to see it, “you would have to take a board, strip it down, and X-ray it” to find the suspect chip.
“That's just not a thing we should expect corporations to be able to do, even the biggest organizations.”
The machines are found inside DoD data centers, on Navy warships, and at the CIA, the site reported.
The Pentagon declined to comment on whether the suspect chips were found on DoD networks, citing operational security reasons. Still, Department spokeswoman Heather Babb told Task & Purpose that the U.S. military “has policies in place to address software assurance and supply chain risk management, as well as established security standards to ensure all procured commercial products and services are rigorously inspected for security vulnerabilities. As threats within the cyberspace domain change, DOD looks for solutions that provide more capability.”
“The protection of the National Security Innovation Base is a priority for the Department. Working closely with Congress and private industry, DOD is already advancing to elevate security within the supply chain,” she added.
China isn't the only nation-state working to infiltrate hardware as a means to hack its enemies. The U.S. does much the same thing — intercepting network hardware and secretly installing beacons that call back to NSA — except it doesn't seem to get, or be able to legally force, the cooperation of the factory making the product.
China doesn't seem to have that problem.
“The question becomes can we move to a trusted supply chain or not?” Aitel asked. He added that “tin foil” hat thinking that foreign-made hardware should be treated as suspect isn't so conspiratorial after all.
Still, he did offer some more positive news: “The good news is we caught it, and we're on it,” Aitel said. “That's actually phenomenally good news. That does send a message of deterrence. That does send a message that you can't get away with it.”
President Barack Obama and Chinese President Xi Jinping agreed in 2015 that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” and said they would work together on other cybersecurity issues.
This latest disclosure of cyber-espionage adds fuel to accusations that China has clearly violated the agreement, which the Trump administration accused Beijing of doing earlier this year.
Aitel said it was more than likely that DoD and other governmental organizations were pulling the suspect servers if they hadn't done so already. Still, the risk will likely remain as long as the hardware is not manufactured in the U.S.
This article has been updated with a statement from DoD.