Supply Chain Security in 2021

When the Supermicro story broke a year ago, the electronics world was split into two – people who believed the story was true and those who deemed it too fantastical to be reasonable. A second story appeared a month ago and promptly got lost in the shuffle with a global pandemic, GameStop, Bitcoin, NFT mania, an electronics parts shortage, and a massive SolarWinds hack, which kept the news reporters occupied.

A good portion of people who participated in the Supermicro debate initially dismissed the claims, but whether the Supermicro story is real doesn’t matter. Not really. Even though some of the technical feasibility analysis was exceptional, it misses the point.

The real impact of the Supermicro story isn’t whether the attack was real or plausible, it’s that the story exists in the first place. This isn’t a government employee who got drunk at a conference and told tall tales. There are multiple government sources, and the story ran twice now in Bloomberg. Someone wants us to pay attention.

Here’s what most people are missing about the way intelligence and counter-espionage world works – sometimes the government wants to tell us something to change our behavior, but can’t risk blowing sources and methods, which would expose ongoing operations. This means that the Supermicro story may be true or may be a plant in the media. The real question is – why spend so much time and effort planting the story to begin with?

The answer is – because these attacks against our supply chain are already happening. When this many government sources tell a coordinated story, the intended outcome is that we collectively start paying attention to how we go about our day-to-day business. Because by the time the real stories hit the newswire, it will be too late.

Some examples to illustrate. In 2016 we became aware of an extremely complex attack, which compromised the microcode on a hard drive in a way that would have been entirely undetectable. It was perfect and the most stunning thing about it was – it actually happened in 2008. By the time we read about it, the intelligence officers who ran the operation had long received their promotions and moved on to other projects. Same with one of the most audacious cybersecurity attacks where Iranian nuclear refining facilities were disrupted for many months by destroying the centrifuges. The level of planning to stage highly specialized Siemens equipment in a lab must have been staggering, but the attack was real. And the list goes on. When Snowden revelations came to light, we collectively got to see in 2014 the attacks which were executed 10 years prior, including the tapping of underwater fiber-optic cables using submarines. Yes, someone went to the trouble of running that op.

What does it have to do with Supermicro? If you dismissed the story as incredulous, you’re likely taking things too literally. The real question is – did you change your operations to prevent a Supermicro-like attack against your supply chain?

For the vast majority of people, the answer is no. Prototypes for industrial automation projects, not to mention more critical applications, are routinely done in China, which provides a convenient point for someone to do target selection. These same designs are then thrown over the wall to supply chain teams that place the manufacturing orders with the lowest bidders in factories all over the world with no regard for security or IP protection. Supply chain security – for the real, physical supply chain, not software libraries used in the Solarwinds hack – is incredibly difficult. And we’re exposed.

That’s the real point of the Supermicro story and we better be listening, or someday you’ll be reading about yourself in the headlines. That’s just how it works.