The biggest cybersecurity threat you never thought that much about is the factory

Oct 9, 2018

A report last week from Bloomberg Businessweek suggested that Chinese spies had embedded tiny little microchips on motherboards that control computers in order to steal information from nearly 30 U.S. companies, including Apple and Amazon. Both of those companies, and Super Micro Computer Inc., the electronics maker that was allegedly infiltrated have categorically denied the report. China issued a statement in response to the report that said in part: "Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.” But the story is lingering, in part because it brings up a very scary reality that lots of cybersecurity experts keep talking about. Bruce Schneier is a cybersecurity expert. He tells Molly Wood that it's very difficult to figure out whether our supply chain is being attacked. The following is an edited transcript of their conversation.

Molly Wood: You've written about how, true or not true, this points to a very real security vulnerability in the supply chain for the electronics that we use all the time, right?

Bruce Schneier: And we saw this earlier this year with Kaspersky. Can we trust an antivirus program made in Russia? Can we trust handsets and networking equipment from Chinese companies? And this is the tip of a much bigger problem. Because here in this Bloomberg story, it's not necessarily the company that makes the hardware. It's the country where it was fabricated. But, you also have to be concerned about where the software is made, where the chips are made. I have an iPhone. That's not made in the United States. Its programmers carry a couple of hundred different passports. And anybody in that process can subvert it. And that's the lesson of this Bloomberg Chinese chips story. We have to trust everybody. Yet we can't trust anybody. And solving it is actually insurmountably hard.

Wood: Yeah, that's what I wondered. Even if we wanted to create a supply chain for both the hardware and the software that entirely relied on U.S. manufacturing and companies ... Would that even be possible?

Schneier: It'd be possible, but you might have to pay 20 times the price for your iPhone, which means you're not going to. This is global. There's no way to make "country-only" anything. So largely we ignore the problem.

Wood: Right. What if anything does that mean for consumers? Should we even worry that we individually are being spied on at all?

Schneier:  For consumers, this is largely above our pay grade. This is nation-to-nation stuff. If you are an activist working against the interests of the government in China, you might have to worry about it. But, for the rest of us, the worry is in our power plants, in our infrastructure. I only hope that we are so embedded in their systems, just as they are in ours, that if something happens nothing works. Because that's what's going to happen. I mean, the offense is so dominant here.

And now for the tech stories we're following:

  • The Wall Street Journal story reported yesterday that the social network Google Plus had a bug that could have let outside developers get profile information on hundreds of thousands of people. But, Google and parent company Alphabet decided not to disclose that information, because it was around the time of the Cambridge Analytica and Facebook scandal and the company worried that it would cause more attention and possible regulation.
  • As you might imagine, Tech Twitter has a lot of thoughts on Facebook's new "Portal" devices, video-enabled gadgets that will let you chat with your Facebook and Messenger buddies. The first line in a USA Today story about the new gadgets: "hell no." Molly chatted with Kai Ryssdal about the Portal announcements on Marketplace yesterday afternoon. Check out the Marketplace podcast for more.