Cybersecurity is full of hard problems, but perhaps none so difficult as securing the supply chain for our electronic devices. That’s why the report published this week by Bloomberg about Chinese spies secretly planting microchips in American electronics in order to conduct espionage is so deeply unsettling. There is no way to address the threat of foreign governments compromising our hardware that does not require fundamentally and radically rethinking how we manufacture our devices and does not lead to more expensive, less ubiquitous electronics at exactly the moment when the internet of things seems to be pushing us in the opposite direction.
According to Bloomberg, members of China’s People’s Liberation Army inserted the compromised microchips during the manufacturing process for motherboards produced by Super Micro Computer Inc., a company based in California. Those compromised motherboards, in turn, found their way to nearly 30 different companies and prompted an ongoing investigation by the U.S. government when the errant microchips were finally discovered by Amazon. (Though the story appears solid, Apple and Amazon are flat-out denying it, maybe because the two companies are under strict orders from the U.S. government not to discuss the investigation, or maybe just because they are hoping to maintain friendly relations with China.)
If there’s a glimmer of hope to be found here, it’s in the discovery of these chips—which suggests that hardware compromises are perhaps not quite as undetectable and impossible to fix as we might fear—and the ensuing investigation, during which the U.S. government reportedly managed to trace the compromised chips to four subcontracting factories doing work for Super Micro. But while the detection of the compromised motherboards is cause for hope, not least because companies will probably be more attuned to these supply chain threats than ever following this revelation, the discovery that Chinese officials were bribing and pressuring manufacturing factories to alter hardware made for U.S. companies is reason enough to fear for the future of the high-tech industry.
For years, U.S. tech companies have relied on overseas manufacturing facilities to produce most of the components of the electronic devices they design and sell, including smartphones, personal computers, and wireless routers. That outsourcing has been a major driver of economic growth in the United States but also in the countries, like China, that provide manufacturing, packaging, and testing services to U.S.-based tech companies. More than that, it has made possible the plentiful, affordable smart devices that populate the modern world.
But, fundamentally, there is no way to secure a global supply chain and manufacturing process. Companies can—and probably will—spend more time and resources auditing and inspecting their products and reviewing their overseas production processes. But there’s no real way to protect a foreign factory from interventions and manipulations initiated by its own government officials. That means we either tolerate some degree of supply chain insecurity, or we try to move manufacturing and supply chain efforts back to the United States. That might improve security—though there are no guarantees that the PLA couldn’t infiltrate a U.S.-based factory—but would certainly cause a dramatic shift in the tech sector and significantly stymie its growth.
The Super Micro story lends support to the Trump administration’s ongoing tariffs against Chinese manufactured products as a means of trying to protect U.S. cybersecurity. It bolsters the administration’s attempts to block Chinese tech companies like Huawei and ZTE from using U.S.-manufactured parts or selling smartphones through U.S. carriers and reinforces the idea that anything made in China is not to be trusted. In doing so, the story also serves as a keen reminder that when governments try to build back doors into information technologies, they inevitably do more harm than good, not just to their rivals but also to themselves.
At a moment when China is deeply invested in promoting and growing its tech industry, in having companies like Huawei help dictate the future of 5G, in leading the way on artificial intelligence and self-driving cars, it’s hard to imagine a story that could do more damage to its economic ambitions than this one. What country will want to partner with Chinese companies on 5G networks now? What country will welcome ZTE’s smartphones with open arms after this? Who will believe the Chinese companies’ assurances that they operate independently from the Chinese government and regard security as a top priority? After all, we now know that the Chinese military could be compromising their devices without their CEOs even knowing, just as they were compromising Super Micro’s motherboards unbeknownst to the California-based company.
Everyone will suffer for China’s decision to undermine trust in the global supply chain this way. U.S. companies will have to spend more on manufacturing and hardware security inspections; Chinese companies will lose out on international business and partnerships. Companies all across the world will have to re-evaluate their procurement and supply chain processes and security protocols. Perhaps those were all inevitable outcomes, given how globally distributed the manufacturing of electronics is today. But it’s hard not to feel that the Chinese government made a major strategic mistake when it initiated the compromise of Super Micro’s motherboards and, in doing so, committed far and away the largest deliberate breach of hardware security by a national government that has ever come to light.
It may take some time to feel the effects of this breach—supply chains are not changed easily or quickly—but in the long run, it will do more harm than good for everyone involved. This story will be invoked every time a Chinese tech company attempts to enter a foreign market, it will fuel the ongoing trade disputes between the U.S. and China, and it will push countries across the world to retrench to a position of fostering their own domestic tech champions or—even worse—their own hardware-based espionage efforts.