Computer systems utilized by Amazon Web Services, Apple, and dozens of other companies may have been infiltrated by China through the use of tiny spy-technology-equipped microchips inserted during manufacturing processes into equipment destined for the two tech giants, according to a report by Bloomberg BusinessWeek. The same report noted, however, that both technology giants strongly dispute the allegations.
If this is a topic that interests you, I suggest reading the highly informative original Bloomberg article.
That said, there are three important points that you should keep in mind:
1. Poisoned supply chains are a serious and growing problem
Regardless of the specifics of this particular episode, and regardless of which parties are most accurately conveying the truth, the problem of poisoned technology supply chains is extremely serious and growing rapidly.
The information revolution and the trend towards globalization have together transformed information systems from computers assembled in the USA from components made primarily here and in a few other countries to an orders-of-magnitude larger smorgasbord of “smart things” housing parts from all over the world — with the source of individual components changing frequently due to fluctuations in availability, pricing, and geopolitical risks.
Today, many more people are buying many more computerized devices than ever before – and few folks have any idea what is physically in their devices, never mind from where those elements originated.
In the past, I discussed hardware devices that could compromise a computer simply by being attached to it; malware-infested device drivers easily exploit operating system vulnerabilities to wreak all sorts of havoc. As a result of such a risk, I recommended – and, I still recommend – that anyone worried about data security and privacy avoid buying inexpensive “no-name” computer components directly from Chinese distributors via eBay or other websites, and, instead, stick with known manufacturers and retailers. Sticking with large firms does not guarantee that there will not be problems – as evidenced by the Bloomberg article published yesterday – but, doing so does significantly reduce the relevant risk, as well as increase the odds that anything that may be amiss will be discovered, investigated, and corrected.
2. The poisoning of supply chains is not a new problem; governments and large enterprises have been addressing it for years.
I am aware, for example, of a situation that arose during the fulfillment of a government contract when it was discovered that “a component of a component” planned for use within a computer system originated from a factory in Malaysia where various parties hostile to the West were believed to have gained a foothold. Yes – when it comes to sensitive projects the source of every component of every circuit board and every line of code in every program must be scrutinized. Of course, the United States is not a bystander in this matter: I have also reported on the alleged insertion of malware into computers by the NSA, whose preferred modus operandi appears to be poisoning devices in transit rather than during the manufacturing process.
Sadly, one could reasonably argue that the only thing surprising about the current Bloomberg story is that anyone is surprised…
3. Panic and isolationism are not the solution
The fact that Chinese companies ultimately report to the Chinese government (as US companies report to ours) does not mean that all Americans need to avoid all Chinese products. Understand the sensitivity of the systems and data that you are handling, and act accordingly. Also, consider that China is unlikely to risk the tremendous damage that would occur to its major businesses should it be caught routinely installing spy-chips – which it would almost certainly be caught doing if it did so en masse. As such, for example, utilizing Chinese drones may be a terrible idea if you are working on a classified government project, but may pose little risk if you are using them for non-sensitive purposes such as shooting video at outdoor weddings. And, yes, I wrote this article on a device that includes Chinese components.