Bloomberg Businessweek broke a major story today, which they split up into three articles so far, about a long term Chinese military intelligence operation that compromised the security of 30 American companies including Apple and Amazon, DoD data centers, and some CIA drone operations. The People's liberation army had somehow managed to sneak a chip with security back doors into the manufacture of servers for large data farms.
Bloomberg's editorial staff immediately switch gears into international relations and trade relations mode rather than start asking the hard questions that really need to be asked. One such question would be: “Why didn’t somebody think of this sooner?” The reality is that somebody did, it has been theoretically on the table since the mid 1990s, the United States has done it at least twice, and you can not shrug and call it a consequence of a global supply chain.
The first time I thought of doing this myself was as an undergrad in 1996. In one of my textbooks, Bruce Schneier's Applied Cryptography, a method to build a massively parallel engine to crack codes could be built into consumer electronics and distributed across China. The unused clock cycles on the computer that controls a TV would be used to crack codes that come across the airwaves centrally. If your TV is the lucky one that cracks it, a phone number flashes on your screen and you win a prize. The details, as well as the concept of distributed password crackers using viruses are in chapter 7. The book is still on my shelf. This is old news to everyone in the information security world. Not reading this is like not having read Shakespeare in high school. I'm not the only devious little college hacker to have theorized a supply chain based infiltration.
There are really only a few points of vulnerability that need to be struck in order to secretly ad a chip that small to somebody else's product, especially if you are the government in question.
Because of the possibility of supply chain infiltration, actual chip manufacture is a strategic industry, like shipbuilding. The federal government subsidizes unprofitable shipbuilding in the United States simply to have the industrial capacity and trained labor force to be able to do it during wartime. The NSA has their own chip manufacturing facility on site at the Fort Meade Headquarters for exactly this reason. If the Chinese military had bought American computers, you had best believe the NSA would have found a way to get a chip on them or at least tried. The NSA are spies. Spying on China is their job.
Hardware based micro-surveillance is not a new concept and it has been deployed against the American public since at least the early 1990s. Every printer hides a small distributed set of barely visible yellow dots on every page they print, linking it to make and model number and thus to the purchaser. This is how Reality Winner got caught. Remember that mail-in rebate card you got with your printer? Unless you paid cash and did not get a warranty take my advice and cut letters out of magazines for your ransom notes.
The spy on a chip was done my America for purpose built Windows 8 devices. The German Economics Ministry said of such devices “The use of 'trusted Computing' technique in this form... is unacceptable for the federal administration and the operators of critical infrastructure.” Apparently they can not shop in China either.
While we look at bad Spearphishing attacks that may have been done by teenagers in Russia, we were getting played at our own game, and it's an old game.. In 1962, the CIA rented a space directly below the consulate United Arab Republic in Uruguay in order to place listening devices on the ceiling. They were doing this to listen to turns of the rotors of the WWII era German Enigma machine we had sold them in order to decode their diplomatic communications both locally and around the world. This was recounted by the former CIA agent who did it, Phil Agee, in his tell all book Inside the Company.
In 2002, the NSA tried to re-package the SKIPJACK algorithm and sell it to Slovenia. Security Researcher Matt Blaze found a huge hole in the hardware implementation of this in 1994, touching off the Clinton era Clipper Chip controversy. Slovenia declined to purchase the warmed over failure of decades past. The technique was the same, get your target to build in a backdoor that you design or even better build it in for them.
These compromised computers are likely to have been used at least in part for intelligence operations. Amazon Web Services provides cloud computing to local police for body cameras and to the CIA for a bunch of functions the CIA is not talking about. Whatever those functions are, they provided Jeff Bezos with the money to buy the Washington Post. Bloomberg's pearl clutching about business environment is simply proof that the banking-intelligence complex is so flush with hubris and profit that it refuses to consider the security of it's own strategic industrial resources.
While this is an information security Pearl Harbor, it is not a conspiracy. In plain speak on both cases, they should have known this would happen. They should have had a back up way of building untampered with hardware quickly. However they do not, because they exported the capacity without retaining some for themselves and here we are.