Panelists worthy of any CISO’s attention, discussed and prioritized the methods China is using to compromise enterprises via their supply chain, including the currently rare, covert placement of spy chips into computing hardware. China’s ‘2025’ strategy to steal and degrade western economic power affects any enterprise that generates high-margin value and/or is in the same supply chain with those that do. The world has not seen such intense and pervasive nation-state aggression since the Cold War. Arguably, the most disturbing point of all may have been missed by many attendees. Most enterprises are ill-prepared and/or ill-equipped to execute the recommended countermeasures. Further, all agreed that the enterprise should not wait for government to ride to the rescue. This blog post summarizes the hardware hack expert panelists discussions of the problems, remedies, and actions that most enterprise CISOs must incorporate into their cyber risk management efforts.
Panelists
Mike Rogers, Former Congressman and Chairman of the Permanent Select Committee on Intelligence
Mark Kelton, Former CIA, Deputy Director of National Clandestine Service and Counter Intelligence
Robert (Bob) Bigman, Former CIA, Chief Information Security Officer
Fatih Comlekoglu, PhD, Chief Technology Officer and Head of Research & Development, AppGuard
Moderator - Mike Lyon, CBS Analyst
Covertly adding spy chips to hardware is only an extreme example of a greater, broader problem of China aggressively executing its “China 2025” strategy, where numerous methods are applied to steal IP, trade secrets, and anything relevant to China’s commerce and geo-political aspirations. Whatever the method, the panel noted estimates that within five years, nearly all network equipment related to the Internet will be manufactured in China. This greatly expands the scope for enterprise risk planners, casting doubt on the trustworthiness of the their infrastructure as well as that of cloud services providers, even consumer ones.
The panel explored different methods, noting that a supply chain for IT infrastructures consist of hardware, firmware, and software. Compromising either of these greatly undermines confidentiality and integrity of enterprise data. Fortunately, covert additions of spy chips are rare. Apple, AWS, and others have disputed recent reports. Regardless, China’s possession of so much of the manufacturing supply chain for IT infrastructure makes such scenarios disturbingly plausible. Few organizations have the means to inspect hardware for spy chips. Detecting spy chips is very difficult. AWS is said to have outsourced their hardware inspections. New tools are coming, promising to make in-house vetting more likely. After deployment, detecting spy chips with their own CPU’s is the most difficult challenge. Spy chips without CPUs are easier because they are likely to insinuate detectable processes running within the hardware. CISO’s should be more concerned now with compromised firmware and software from the supply chain. Numerous incidents have been documents. All agreed, the frequency of all these methods will continue to grow, including spy chips.
“Don’t expect the cavalry” to save the day. While ever more incidents have increased Congressional awareness, inertia and partisanship make significant government help unlikely. The panel discussed the necessity and challenges in sharing information and vetting supply chain elements. Current information sharing is untimely and poorly structured. Its maturity must be accelerated. The individual enterprise, even the giant ones, struggles to scale to auditing one’s supply chain; it is very labor intensive. Worse, there are few people with the skills to vet firmware, software, and hardware. Collaboration is vital. Consider the inefficiency and ineffectiveness of each supply chain buyer vetting each of its suppliers for each of its widgets. Here the CISO must act now to establish some industry collective means to vet once for the many. Such institutions take great time to form. Enterprises must act now to form and mature them to reduce exposure from supply chain compromise risks.
Clearly, no vetting of the entire supply chain will ever be 100% effective. The panel discussed countermeasures. As noted, detection of supply chain compromised components in the infrastructure is very difficult. So, the panel essentially offered a submarine metaphor. Don’t look for the submarine so much as the noise and wake it makes. That means, look for command & control as well as data exfiltration network communications. Unfortunately, most organizations do not do this nearly well enough. The gap is shocking.
So, in addition to detection countermeasures, the panel recommended applying zero trust methods within the potentially compromised endpoints of the infrastructure. Quite simply, compromised endpoints have computing processes performing actions they should not be doing. Telling good from bad processes is extremely difficult. The enterprise needs tools monitoring, containing, and isolating processes dynamically. Hardware trust anchors (trusted platform module, a TPM) bolster but do not guarantee trustworthiness of an individual process. However, any process can be altered or hijacked. So, zero trust methods within an endpoint ‘contains’ and ‘isolates’ different processes differently. High-risk processes are ‘contained’, blocking attempts to harm or alter the rest of the endpoint (e.g., memory code injections). High-value processes are ‘isolated’, blocking attempts from the rest of the endpoint to harm or alter the high-value processes, or their related resources. Another zero trust method default-denies network communications to untrustworthy processes, limiting them to select trustworthy processes.
In sum, zero trust methods within the endpoint significantly raises the level of difficulty for the Chinese supply chain compromise efforts. Nothing can absolutely counter all methods. CISO’s must pursue all three avenues: audit the supply chain, search for anomalous communications through your perimeter, and execute zero trust methods within the endpoints of their infrastructure.
The panel also discussed countermeasures to protect communications between any two endpoints when one or both may have been compromised. A crypto-system isolated from ‘the rest of the endpoint’ is essential. It should be anchored in hardware such that only select processes can access its keys. All this must be part of a holistic framework to be practical. And since this scenario spans two or more endpoints, it must include remote and mutual attestation as well as strong authentication.
Voting integrity was discussed by the panel as well. This alone is worthy of its own panel. Similarities between these challenges and those of the supply chain abound. There have been simulations and real-life reports of compromising voting machines, vote aggregation systems, and the surrounding eco-systems, all of which affect voting outcome. Many of the same challenges and remedies for the enterprise regarding China 2025 apply to securing the election systems. And both macro eco-systems are very diverse.
The panel also compared and contrasted Russia’s efforts to steal and deflate the west’s economic power.
To listen to this discussion from leading cybersecurity experts click here.
Conclusion
The compromise of IT supply chains does not just affect government agencies and defense contractors. Nation-states, especially China, are aggressively trying to steal and degrade Western economic power. This impacts any enterprise that generates high-margin value and/or is in the same supply chain with those that do. Government is unlikely to do enough soon enough to make a difference. The enterprise must individually and collectively mobilize. This panel was an excellent primer for enterprise CISO’s, risk executives, and others concerned with cybersecurity.