No easy answers

Hacking of tech hardware, allegedly by China, raises questions

In 2015, Amazon was interested in taking over a company, Elemental Technologies, an American company at the cutting edge of creating video compression software, which is used to convert content designed for TV to be streamed to small screens over mobile networks. While Amazon did take over the company, an audit stumbled upon some anomalies, which led to an in-depth investigation. The security issues were traced to high-end servers that Elemental bought from Super Micro Computers (Supermicro), a Silicon Valley company. These servers were, in turn, assembled in Taiwan and mainland China. The trouble was that these servers were found to have a very small chip on the motherboard, which interrupted data and communicated with anonymous internet addresses. While it is hard to ascertain who inserted these chips, it has been alleged that they were designed, and inserted, by a specialised unit of the People’s Liberation Army. The problem was not contained to just one company. About 30 other well-known American companies including Apple and, reportedly, many military establishments and espionage agencies used customised Supermicro servers, including many clients outside the US.

While most companies have thrown a blanket over the story — for instance, Amazon, Apple, etc. have denied any such thing happened — yet the organisation that broke the story (Bloomberg) claims to have spoken to many people, including Central Intelligence Agency staffers, who confirmed such a breach. Moreover, independent security consultants, too, have taken apart servers and confirmed the hardware hack. Supermicro has also lost major clients and, reportedly, over 20,000 Supermicro servers have been replaced by the erstwhile clients. The implications are unnerving and have sent shivers down the spine of Fortune 500 companies and national security establishments. Dealing with it may require rebooting global supply chains for hardware that enables the digital economy. It will also necessitate a review of security processes that underpin data protection laws. Most data protection procedures depend on software-based solutions, which hardware hacks bypass. The more paranoid may design their own hardware as, indeed, Supermicro did. But over 90 per cent of global electronic devices use Chinese components and over 75 per cent are assembled by Chinese contractors. There is no cost-effective way to check if a tiny extra component has been embedded in millions of devices, ranging from low-end smartphones and laptops to high-end servers. Checking every link in the global supply chain is practically impossible. Nor is it possible to easily replace the supply chain due to sheer scale.

This hack had been operational for three years at least, and it could have garnered petabytes of sensitive data. Moreover, there is no obvious way to prevent something similar from happening again. Companies, data security experts, and security establishments will have to think out of the box to find solutions. That could mean a tectonic shift in global supply chains over time, despite the huge replacement costs. It could mean a backlash against the Chinese electronics assembly industry. In the Indian context, it should lead to a review of the proposed data protection law and a long, hard look at the supposedly secure Unique Identification Authority of India, and at the hardware used in sensitive defence and national security establishments.