Author: Dr. Andrea Little Limbago
An Inflection Point
Almost six years ago, Bloomberg published a report on Chinese government infiltration of 30 US companies through the technology supply chain. This report was highly controversial within the cybersecurity community and remains openly disputed regarding the validity of inserted ‘spy chips’. Since then, there has been less focus on infiltrated technology supply chains, as the pandemic and trade wars shifted attention away from espionage and toward more traditional industrial policy and risky businesses within the supply chain ecosystem.
On September 17 and 18, 2024, infiltrated pagers and walkie talkies exploded across Lebanon, escalating the decades-long conflict between Israel and Hezbollah. While investigations remain ongoing, reports point to Israel infiltrating a complex supply chain of devices sold in Hungary, and authorized to sell on behalf of a Taiwanese company, Gold Apollo. While the company sold devices to the broader population, those sold to Hezbollah contained the explosive PETN. As more information becomes available, a picture will likely unfold of complexity and extremely targeted backdoor infiltration of a technology supply chain.
This past week’s attacks in Lebanon are an inflection point, expanding technology supply chain risks toward supply chain sabotage, and shifting all rules of engagement in supply chain security and modern warfare. Whether or not ‘spy chips’ occurred in the past, given the shift in norms, a line has been crossed, rendering technology supply chain infiltration a growing supply chain security risk in a tenuous geopolitical environment.
New Rules of Engagement in Modern Warfare
The supply chain infiltration behind the attacks is on such a distinct scale and scope, it is reminiscent of the turning point from the Stuxnet cyber attacks, described as the world’s first digital weapon. In 2010, reports surfaced that several zero days exploits simultaneously sabotaged Iranian nuclear enrichment facilities. Most research identifies U.S. and Israeli intelligence as the creators of the exploits, which weren’t widely noticed until they spread beyond the Natanz facility.
Viewed as the first digital weapon to cause physical damage, it shifted all cyber norms and rules of engagement and opened Pandora’s Box to the modern cyber threat landscape. From the 2012 Saudi Aramco attacks where wiper malware destroyed over 35,000 computers to Russia’s BlackEnergy cyber attacks on the Ukrainian energy grid in 2015 and 2016 to Saudi Aramco to Iran’s failed penetration of New York’s Rye dam, physical infrastructure by cyber attacks is no longer unexpected or unprecedented. In fact, earlier this year FBI director Christopher Wray detailed how China is burrowed deeply within US infrastructure.
The Tipping Point for Security Risk
In a similar manner, just as Stuxnet upended the norms of cyber behavior and physical destruction, the explosive devices used against Hezbollah will upend all norms behind supply chain infiltration and destructive effects. There already has been a growing national and economic security concern over risky businesses within the supply chain ecosystem. Since 2016, the US has added thousands of companies to a range of sanctions lists, many of which are deemed national security risks.
Five years ago, the Pentagon blocked military from purchasing phones made by Huawei and ZTE due to national security risks. This has been a growing trend across the globe, as India blocked Chinese apps, China blocked Kaspersky and Semantic, Australia removed Chinese security cameras and so on. These have often been coined backdoor risks, as companies legally enter a supply chain ecosystem without any need for obfuscation.
These have generally focused on software, not hardware, backdoors into systems. Last week, we may have witnessed the tipping point for hardware backdoor supply chain security risk based on the insertion of illegal or unknown physical parts. While distinct in its execution, there has been growing concern over the security of the hardware supply chain.
The US CHIPS and Science, in part, targets this risk by incentivizing the manufacturing of semiconductors domestically. Nevertheless, the exploding devices manifest the real-world impact when foundational technologies are used as Trojan horses to carry out military objectives. As we have seen with Stuxnet, once that Pandora’s box is opened, it is a game-changer in the risk landscape and global norms.
How Can Companies Protect Themselves in this New Norm?
To prepare for yet another significant disruption shaping the new normal, there are several steps organizations can take.
First, foundational risk approaches still hold true but require even greater diligence. Perfunctory risk processes are inadequate for this risk landscape. Know your supplier (KYS) takes on even greater importance, not just within direct suppliers but across the entire supply chain ecosystem. This, in turn, requires augmented visibility across your supply chain, a difficult feat due to the hyperspecialized and complex supply chains built over the last few decades where geopolitics was not taken into account.
Gaining that visibility is just the start, additional context is required. For instance, are any of the thousands of restricted companies present several tiers within your supply chain? In many cases, these companies have already been linked to data exfiltration, it is not a great leap to consider hardware infiltration from these same technology companies. According to Interos data, 148 (~30%) S&P 500 companies have a direct supplier relationship with a banned company, risking severe civil and criminal penalties, 19% of which are in the Computer and Electronic Product Manufacturing industry. Beyond these direct (tier-1) suppliers, virtually every S&P 500 company has sub-tier (tier-2, tier-3 and beyond) supplier relationships with at least one at-risk or restricted company.
This has always posed a regulatory risk, but the national and economic security risks must also feature in supply chain security risk assessments. While last week’s attacks were not via a restricted company, those technology companies on restricted lists represent a more probable pathway to hardware infiltration and warrant heightened alert.
Tracking the latest in restricted companies is difficult as there is no single consolidated list across all U.S. and international organizations. Fortunately, Interos simplifies this process by surfacing several dozen restrictions lists across the US, Five Eyes, and international governmental organizations, extended across the entire supply chain ecosystem. These companies, especially those in technology, are at the highest risk of technology supply chain infiltration. These companies do not only pose a regulatory risk but could also interdict data or sabotage on behalf of adversaries.
The stark reality of this new era is that the geopolitical risk stems much broader than restrictions – companies and governments need visibility into all areas of supply chain risk: financial, cyber, ESG, geopolitical and catastrophic risk.
In short, the globalized era of entangled supply chains absent geopolitical considerations is over.
Supply Chain Security: Time to Double Down
Almost a decade ago, the fictional political thriller Ghost Fleet imagined a future war beginning with supply chain infiltration. In this futuristic scenario, China hacks the U.S. electronics supply chain, disrupting everything from navigation systems to fighter jets. The digital revolution – or the fourth industrial revolution – continues to shorten the time frame between futuristic scenarios and modern reality.
As Stuxnet demonstrated almost fifteen years ago, the shifting cyber attack landscape quickly expanded beyond governments and into the public sector. The device explosions in Lebanon similarly crossed a new line and will accelerate the pace at which the technology supply chain is exploited by government and non-government actors alike. Whether the Bloomberg report proves valid or not, the supply chain infiltration of the devices introduces similar supply chain security risks – it’s no longer a matter of if, but when a technology supply chain infiltration will occur again.
Just as software backdoors have increased in prevalence, the same may soon be true of hardware backdoors, making it all the more critical for a fresh look and reprioritization of supply chain security.
We are here to help. Speak to a risk intelligence expert today.