There's a serious cyber warfare problem that may be affecting some deployed U.S. military and aerospace mission-critical embedded computing systems, and nobody really wants to talk about it.
It has to do with a computer chip no bigger than a grain of rice that's suspected of being installed by Chinese intelligence agencies on embedded servers made by San Jose, Calif.-based Super Micro Computer Inc. These tiny chips may be enabling China and other U.S. adversaries to monitor the inner workings of military computers and the data they are processing.
Super Micro embedded computing servers are now, or in the past have been, in use by some of the world's largest corporations, including Amazon and Apple. They also may now be, or in the past may have been, in use by several companies that specialize in real-time mission-critical computing for military and aerospace applications.
Are these Chinese spy chips actually out there today in deployed U.S. military systems at sea, on the ground, and in the air? Nobody's talking. It could be that this represents one of the biggest national security breaches in U.S. history. If it is, we need to find out how big the problem is, and how to fix it.
How could this have happened? Well, as it turns out, Super Micro designs these embedded servers in California and Taiwan, yet has them manufactured in China, where assembly lines were infiltrated and spy chips installed on some of Super Micro's high-performance computer boards. The chips are small, and it took quite a bit of doing to detect that the chips are not part of the computer boards' original designs.
How many boards made it into the supply chain with the Chinese spyware? It's not clear. Exactly where were these boards installed? Also not clear, and the companies using Super Micro embedded server boards are silent on the topic.
So what's the solution? Some in industry maintain that the boards and components down to the tiniest diode and resistor that go into U.S. military systems must be made in America, and that each component and board that goes into these systems must be traceable to U.S. suppliers with approved security processes in place.
Hasn't this been happening all along, what with regulations in place like the International Traffic in Arms Regulations (ITAR)? Apparently not. What regulations are in place may have allowed one of the biggest foreign intelligence coups against U.S. national security interests ever.
"We believe the DOD [U.S. Department of Defense] should buy only American -designed, - manufactured and -owned servers from ITAR-approved American suppliers," said Ben Sharfi, chief executive officer of General Micro Systems in Rancho Cucamonga, Calif., in a commentary he wrote titled "Alleged China spy chips are another wake-up call to buy only American-manufactured servers."
Christopher Cummins, chief operating officer of Abaco Systems in Huntsville, Ala., says he agrees that buy-American is perhaps the best place to start working these problems out. Cummins penned an article titled "Cyber attack compromises trusted computing, and raises questions about industry's secure supply chain." "As an industry, our need for diligence in this area is paramount," Cummins wrote. "Abaco Systems doesn't buy in commercial products and then make them rugged after the fact; we design and build rugged into our products from the ground-up. We manufacture everything ourselves: we don't subcontract offshore."
Do Abaco Systems and General Micro Systems have their own business interests to support here? Sure ... but they also have a point. It's a lot harder for Chinese intelligence to gain access to U.S.-based assembly lines than it is for them to access contract manufacturing lines inside China.
Would there be such a risk to crucial U.S. military technology if the Pentagon had been diligent about buying all computer components only from security-certified U.S. manufacturing lines? Probably not.
No matter, though. It's imperative for the Pentagon to get to the bottom of this, determine if Chinese spyware is inside any deployed U.S. military computer systems, and rectify the problem, fast. As for the future? It seems obvious that the Pentagon needs to do a better job of relying exclusively on U.S.-manufactured computer systems.
October 30, 2018
By John Keller