Cyber attack compromises trusted computing, and raises questions about industry's secure supply chain

HUNTSVILLE, Ala. – Earlier this month, it was reported that four intelligence agents representing a foreign power had been expelled from the Netherlands, having been caught outside the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague. The agents were accused of attempting a cyber attack as the organization investigated the death of Sergei Skripal in the United Kingdom in March. It was only the latest example of foreign powers attempting to use cyber warfare to disrupt the West.

By Christopher G. Cummins
By Christopher G. Cummins

HUNTSVILLE, Ala. – Earlier this month, it was reported that four intelligence agents representing a foreign power had been expelled from the Netherlands, having been caught outside the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague. The agents were accused of attempting a cyber attack as the organization investigated the death of Sergei Skripal in the United Kingdom in March. It was only the latest example of foreign powers attempting to use cyber warfare to disrupt the West.

The potential -- not only for organizations, but also for entire countries -- to be fatally undermined, should not be underestimated. In the United Kingdom there is widespread concern that the country's government has allowed significant overseas investment in critical infrastructure such as power generation and distribution. It even has given those foreign companies contracts for the construction of that infrastructure. The concern is that such power and influence over the country could easily be misused in the future to compromise trusted computing.

The West is now either under, or under threat of, cyber attack on a daily basis. The traditional view of cyber attack is of darkened rooms with teams of agents sitting at screens attempting to intercept communications or access databases. Less typical is the case noted earlier, in which the four agents allegedly sat in an automobile outside the OPCW and attempted to intercept the organization's Wi-Fi.

Related: The big hack: how China used a tiny chip to infiltrate U.S. companies and computer servers

With this in mind, a recent report by Bloomberg makes chilling reading. It says almost 30 U.S. companies -- including Amazon and Apple (both of whom have challenged the accuracy of the report) -- were compromised, not by the more notorious forms of cyber attack, but rather through failures in America's technology supply chain.

Bloomberg then describes how a routine security investigation revealed the presence of a tiny piece of silicon -- not much bigger than a grain of rice -- on server motherboards. According to the board's design, the silicon should not have been there. Investigators "determined that the chips allowed attackers to create a stealth doorway into any network that included the altered machines," Bloomberg reports. They found that the chips had been inserted at factories run by offshore manufacturing subcontractors.

"This attack was something graver than the software-based incidents the world has grown accustomed to seeing," Bloomberg reports. "Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get."

Related: Decomposing system security to prevent cyber attacks in trusted computing architectures

Even if what Bloomberg alleges is not entirely accurate, the report's revelation has hugely disturbing potential implications for the defense industry. Simply: we are under constant threat of attack -- and this would be a new, and potentially even more dangerous method of attack than we have seen previously. If manufacturers supplying the industry have boards or subsystems manufactured abroad, then could they be susceptible to, and compromised by, the same problem? Thinking about the consequences is difficult to bear.

As an industry, our need for diligence in this area is paramount. Abaco Systems doesn't buy in commercial products and then make them rugged after the fact; we design and build rugged into our products from the ground-up. We manufacture everything ourselves: we don't subcontract offshore.

Now may be a good time to ask your supplier: do you have 100-percent confidence that you maintain total vigilance over your supply chain, and that you take every possible step to verify and confirm the identity and integrity of every piece of silicon on every board you ship?

Christopher G. Cummins is chief operating officer of Abaco Systems in Huntsville, Ala., a designer of real-time embedded computing systems. Contact Abaco Systems online at www.abaco.com.

Ready to make a purchase? Search the Military & Aerospace Electronics Buyer's Guide for companies, new products, press releases, and videos

More in Computers