Supply Chain Risk Management Highlighted by a Tiny Computer Chip

Stephen DeAngelis

October 10, 2018

As recent events demonstrate, science fiction often turns into science fact. Jason Koebler and Joseph Cox explain, “In the 2015 novel Ghost Fleet, the spark that starts World War III is not a nuclear bomb, but a supply chain hack. In the book — which is based on real-life technology, technical papers, and diplomatic meetings — national security and international relations expert Peter W. Singer suggests that Chinese-made microchips embedded in our appliances, devices, satellites, fighter jets, war ships, and tanks could turn against us.”[1] As most people are now aware, the beginning of a similar real-life tale is beginning to unfold. The story line begins back in 2015 when Amazon was considering the acquisition of Elemental, a video-compression company. As part of Amazon’s due diligence process, a third-party security firm was hired to assess Elemental’s cybersecurity. That assessment turned up a troubling discovery. Jordan Robertson and Michael Riley explain what happened next.[2]

“The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says. Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers. During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

Aside from national security implications, the main lesson to be learned here is how vulnerable companies are to risks associated with their supply chains. Lillian Ablon, an information scientist at the RAND Corporation, told Koebler and Cox, “Supply chain risk management is difficult enough for conventional threats (disruptions in operations caused by natural disasters, financial failures, poor quality, etc.). A key component of managing supply chain risk — conventional or cyber — is identifying the suppliers involved, getting visibility to lower-tier and sub-tier suppliers, and determining which suppliers pose the most risk. Gaining full visibility into every supplier at each sub-tier is a herculean task.” Peter Smith adds, “We’ve probably come to a point where pretty much every sentient senior procurement person understands how important supplier and supply chain risk is — to us as professionals, to our organizations, even to the wider economy and society. Yet if you ask the same professionals whether they are happy with the status of risk management in their organization, and whether enough and the right investment has been made, we would bet that a majority would say ‘no’. So, there is a bit of an issue there.”[3]

Smith insists, “The business case for supply chain risk management investment needs to be made convincingly and robustly to justify investment.” He also acknowledges that under-investment in supply chain risk management is understandable. He explains, “Investments in sales and marketing, or new products, or acquisitions, are based on doing something that leads to very directly consequential sales or profit improvement. On the other hand, investment in risk management is principally about stopping things from happening.” There are very few ways to measure the return on investment for something that doesn’t happen. Most business leaders intuitively know burying their heads in the sand with regards to risk management is a losing strategy — even if they can’t effectively measure the ROI of preventative and mitigating measures.

According to Elisabeth Braw, transnational businesses face the risk of being hoisted on the petard of their own success. The petard (or bomb) in question is the global supply chain. She explains, “The global distribution system is extraordinarily efficient, thanks not least to the world’s oceans. As the British journalist Rose George documents in her book Ninety Percent of Everything, some 100,000 enormous freight ships transport 90 percent of the world’s trade. Trucks, railways, and distribution centers take over once the goods reach dry land. All of this is extraordinarily cheap. It costs a retailer less to send a shoe to Europe from a factory in Southeast Asia than it does to transport it from a local European warehouse to a shoe store in the same country. This system means that consumers can enjoy steady supplies of cheap goods from any part of the world.”[4] Braw goes on to explain, “When everything works, the supply chains allow distributors and retailers to keep minimal stocks, a model known as just-in-time. … But if someone damaged the supply chains, all of this falls apart fast.” Hence the need for supply chain risk management processes.

Although Braw primarily addresses the threat of physical disruptions to the supply chain, the staff at Material Handling & Logistics emphasize that cyber attacks are a rising concern. They write, “The risk of cyberattack, once overhyped, now threatens businesses’ very existence, according to a recent survey, 2018 FM Global Resilience Index. These attacks raise the specter of stalled operations, disrupted supply chains, class-action lawsuits and permanent brand damage.”[5] As Ablon noted, gaining visibility into first-, second-, and third-tier suppliers is a difficult challenge. Going deeper is an almost impossible task. Recent events prove, however, that failing to do so can cause serious consequences. Risk managers can point to the millions of dollars lost when physical disruptions occur, but the ultimate cost of ignoring physical and cyber supply chain risks is probably incalculable. Nevertheless, it would be unwise to ignore the risks or fail to do everything possible to prevent those risks from occurring. Koebler and Cox conclude, “Cybersecurity experts have been screaming from the rooftops about the possibility of supply chain attacks for years now, and America’s reliance on Chinese-made electronics has continued unabated. With the news that the supply chain may have been compromised, the United States will have to figure out what to do next.”

Footnotes
[1] Jason Koebler and Joseph Cox, “The Worst Hack in Science Fiction Has Allegedly Already Happened in Real Life,” Motherboard, 4 October 2018.
[2] Jordan Robertson and Michael Riley, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” Bloomberg Businessweek, 4 October 2018.
[3] Peter Smith, “Building the Business Case for Supply Chain Risk Management,” Spend Matters UK/Europe, 25 September 2018.
[4] Elisabeth Braw, “Global Supply Chains Are Dangerously Easy to Snap,” Foreign Policy, 7 August 2018.
[5] Staff, “Cyber Attacks Are Major Risk in New Global Resilience Ranking,” Material Handling & Logistics, 23 May 2018.