In their 2015 novel "Ghost Fleet: A Novel of the Next World War," authors P.W. Singer and August Cole postulate a future conflict between the U.S. and China that’s enabled by supply chain hacking. But rather than suggesting that Chinese agents somehow inserted a secret chip into a few servers, they take the far more likely route of altering many specific components in the supply chain of electronics manufacturers so that they could be turned on to do China’s bidding.
When the war in Ghost Fleet breaks out, the bidding by the Chinese military is to simply disable those components. The result is chaos, because most of those components, and the equipment in which they’re installed, simply stop working. What saves the U.S. in that novel are the hundreds of ships and aircraft that have been mothballed and which were built using older technology.
Chances are, we won’t see the future as its laid out in Ghost Fleet, but the threat described by the authors is very real indeed. The fact is that the supply chain that enables the constant stream of technology-based products, ranging from iPhones to interceptors, is vulnerable, and fixing it is either extremely difficult or impossible, depending on whom you ask.
DHS Primarily Responsible for Federal Action
At this point, officials with the U.S. agencies responsible for supply chain security, which is primarily the Department of Homeland Security for civilian agencies, have said that they’ve found nothing to indicate that the reports last week by Bloomberg BusinessWeek are accurate, which is also what we reported in eWEEK. However, the risk is sufficiently serious that DHS has issued a Request for Information on Cyber Supply Chain Risk Management.
A key addition to the DHS RFI is a new question and answer section, added on Oct. 11, 2018, that discusses the goals of the RFI and which asks the industry to assist the government in finding ways the secure the supply chain. It’s important to know that in this case the RFI is aimed at the supply chain for products that will be procured for government use, but the principles will be useful to anyone.
What’s equally important is that DHS has said that they plan to make the process as public as possible. This means that the department will depend on unclassified sources where possible and will make its findings as public as possible.
“The intent is not to hoard information but to use it as the basis to engage in productive dialogue with companies,” the DHS document explains. “This year, DHS is initiating some related work with some of its partner agencies. If this process unearths actionable information, DHS will share it.” The full RFI is available here, and is worth a look to get an idea of how DHS is looking at supply chain security.
How Do You Protect Yourself and Your Company?
Eventually, DHS will turn its RFI into a Request for Proposal, and from that it will develop a procedure for security the supply chain for critical items for the federal government. Because DHS says it will share its findings, those same procedures should be available to enterprises for use in their own procurements.
However, the DHS effort is only at its earliest stages. And even when it’s complete, the process is likely to be sufficiently difficult and expensive that it will be used only for the most critical items. This means that you might use what DHS develops for your cloud operations, but you won’t use them for your office PCs.
So what do you do to protect yourself? The only rational approach is to assume that your digital infrastructure is already compromised and act accordingly. Because compromised components must have communications with the outside world if they’re to fulfill their covert master’s orders, you must deny them that access. And because their masters will try to reach them, and the components also will try to reach out, you must also monitor the network traffic that moves outside of your company for command and control messages.
There are basically three types of actions that such compromised hardware may take, and each of those will have a somewhat different type of traffic. Here’s what to look for:
- Coded instructions coming from the outside. This is what would happen if components are designed to simply stop working on command.
- Brief incoming instructions, followed by continuing outgoing data. This is what happens if the goal is to have compromised hardware redirect traffic or stored data.
- Constant dialog between a device and an outside location. This is probably what Bloomberg BusinessWeek envisioned, and it’s what happens with the Russian LoJax UEFI malware we reported on in September. Such malware can also be inserted in the supply chain by simply infecting all chips of a certain type, such as non-volatile RAM.
The one key factor to all of these types of attacks is access to incoming traffic from outside. Isolating your network hardware so that it can’t receive such traffic will keep those command and control messages from working. But you also need to monitor outgoing traffic on your network, and you need to block outgoing traffic where possible.
This means that traffic monitoring is essential for your network where you may be vulnerable. It also means that you will need to pay attention to how your routers and firewalls are configured to reduce the likelihood of success of such an attack.
But remember, just because this discussion and the Bloomberg discussion involve China, you can’t assume that the bad guys who want to attack your enterprise are from China. They can be from anywhere and everywhere. That’s why it’s critical to take precautions.