This week Bloomberg Businessweek (BBW) published “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” which claimed that 30 companies, most notably Apple and Amazon Web Services, had servers using hacked Chinese-made motherboards from U.S. manufacturer SuperMicro. Apple, Amazon, SuperMicro, and even the Chinese government issued strong denials. Additional denials are coming in as well, and right now BBW seems pretty far out on a limb with the story. True or not, the article publicized real concerns about the security of the technology supply chain. Concerns we are not taking seriously enough.
One bit of clarification (which is important, particularly if you don’t read the article carefully) is that the Amazon-related comment is about a company it acquired, Elemental Technologies. Allegedly the hardware hack in Elemental server products was discovered as part of Amazon’s pre-acquisition due diligence and nearly scuttled the deal. If there is any truth to the story, and Amazon gave quite a detailed response saying there isn’t, it should give some measure of assurance to AWS customers that AWS’ security processes caught this before the Elemental acquisition. One weird part of the story vis-à-vis AWS is that some of the hacked motherboards showed up in the AWS Beijing region. While I won’t say exactly why, that part of the story set off my BS detector. Otherwise, the AWS servers that run customer virtual machines (AMIs) and service control planes were not implicated in the story.
For all three major cloud providers I expect security practices that would either prevent or quickly uncover a hack such as the one discussed in the story. I have no personal knowledge of Google, but both Amazon and Microsoft are extremely thorough, sophisticated, and usually quite aggressive on the security front. Particularly when it comes to their own infrastructure. At AWS security is considered the #1 priority, and failure is treated as the ultimate risk for destroying customer trust. If the story about Elemental is even remotely true, the result of having discovered an actual hardware hack would have led AWS to implement numerous additional checks in its hardware acquisition and acceptance processes.
But to the meat of the issue, China is increasingly seen as a bad actor. When you combine repeated concerns about back doors in Chinese-made technology products with ongoing Intellectual Property theft concerns, rising wage costs, rising shipping costs, rapidly growing national security concerns, and the nascent trade war, I have to wonder how long until western companies just start removing China from the supply chain. That doesn’t necessarily mean moving manufacturing “back” to the U.S. (or western Europe), it may mean moving to other low-cost countries. Countries where, presumably, there is better protection of Intellectual Property and privacy. And far less national security risk as well. Basically, how long before western companies say the risks of having China in your supply chain far exceed the rewards? For those wanting to sell to the U.S. Government, and likely many allies, the day of reckoning is already here. That noose will just keep getting tightened.
When will we see an accelerated move away from including China in the supply chain of technology products? If the BBW story turns out to be true, that will certainly accelerate things somewhat. If the trade war lasts for more than a few months, that will have a major impact. Few, if any, companies are going to try to figure out how to remove China from the supply chain of existing products or products well along in development. But probably every (non-startup) western company is looking at products just entering the development cycle and trying to figure out if there is a sensible way to not make that product in China or with Chinese-sourced components. Most will likely conclude there isn’t currently a sensible alternative, or decide to take the risk that the trade war will be resolved before they go into production. Many will at least take some initial steps to reduce their China supply chain exposure, such as seeking second sources outside China for key components. The longer the trade war goes on, the more they will conclude tariffs are a long-term part of the cost equation and shift away from China. And if another confirmed story of Chinese hardware hacking comes out during these deliberations? There will be a mad rush for the exit.
As for BBW, I’m concerned that the story doesn’t seem to have legs. And if the story is false, or at least got a lot of the facts wrong, then it gives a serious black eye to reporting on the technology business.