How Zero Trust hardware helps build sovereign resilience into technology supply chains

April 25, 2022
The goal is to install clean, effective hardware into your racks – not to boast about where your hardware was or who made it

It has become increasingly clear that supply chains are now a prominent vector for cyber-attacks. These attacks are growing more common, and more costly for both the companies that suffer them and the economies in which they occur. Are things set to get worse?

The most recent spate of supply chain attacks started gaining attention in 2020 with the SolarWinds attack, which many consider one of the most damaging in recent times. SolarWinds reported over 300,000 customers, including US federal agencies and most of the Fortune 500; roughly 18,000 of them installed the trojanized Orion update, and the significance of the attack cannot be overstated. In May 2021, a ransomware attack on the IT systems of Colonial Pipeline forced the company to suspend all pipeline operations to contain the threat. That intrusion began with a compromised VPN account rather than a tampered supplier, but it showed how quickly a single IT compromise can halt critical infrastructure. Adding to the stew, researchers who ran static analysis over the open-source packages in the Python Package Index (a critical link in the global software supply chain) found that nearly half contain “software weaknesses that may lead to concrete software vulnerabilities.” Those are static-analysis findings rather than confirmed exploitable bugs, but the scale of the exposure is the point. Supply chains are clearly vulnerable.

While many of these attacks have focused on software, a potentially more powerful, harder to detect, and more pernicious attack vector lies in the hardware supply chain for the IT products themselves, an issue that is not discussed as widely as it should be. A counterfeit component, or firmware altered before delivery, sits underneath every software control the operator later installs, so no amount of patching or scanning will surface it. These recent attacks have exposed many of the fragile systems that run our world, and have brought new attention to whether nations have sovereign resilience built into their critical technology infrastructure. The stark reality is that most countries do not. Virtually every country today relies on opaquely made, foreign-manufactured chips and hardware sub-assemblies: leading-edge wafers are fabricated largely in Taiwan and South Korea, and boards and sub-assemblies are most often built in China.

A Trend Toward Sovereign Resilience

These dependencies, which have become unavoidable, are starting to raise concerns among policymakers. Speaking at the Global Emerging Technology Summit in July 2021, the US Secretary of Commerce, Gina Raimondo, lamented that zero percent of leading-edge chips are made in America right now and called it a national security risk. Similar concerns erupted in the United Kingdom in July 2021 when Chinese-owned Nexperia announced that it had acquired the Newport Wafer Fab, the largest chip producer in the country. Prime Minister Boris Johnson ordered a security review of the deal, signaling that the UK government might block the sale.

In all of this, new trends are emerging that appear poised to take prominence in the effort to secure the world’s IT supply lines. The first is the rise in concern over sovereign resilience, as the examples above demonstrate. This trend is further underlined by the executive order President Biden signed in February 2021 directing a broad review of critical supply chains, with the stated goal of producing a long-term plan to address supply chain problems. Likewise, Australia has been moving in this direction for the last few years with its Defence Industrial Capability Plan, which provides grants to ensure Australia’s defense industry has the “capability, posture, and resilience” to meet the country’s needs over the next decade. Sovereign resilience is becoming a subject of intense focus for national governments.

The Problem with “Zero Trust” as a Strategy

An emerging security strategy, now gaining widespread acceptance, is “Zero Trust.” In a Microsoft survey of 1,200 security decision-makers, 96% said they consider Zero Trust critical to their organization. What’s more, the Biden Administration’s May 2021 executive order on cybersecurity required every federal agency to produce a plan for moving to a Zero Trust architecture, with the first hard deadlines (multi-factor authentication and encryption of data at rest and in transit) falling in November 2021. Zero Trust has quickly become a clear path forward.

The Zero Trust concept acknowledges what our company, SoftIron, has held as a founding principle: reliance on trust as a foundation for security is a fundamental vulnerability. In its popular form, Zero Trust is a network and identity discipline: no user, device, or connection is granted implicit trust because of where it sits on the network, and every request is authenticated and authorized against policy. Device posture checks and TPM-backed attestation do bring hardware into that picture, but they verify a device against measurements and reference values the vendor supplies. They do not let the operator verify what the vendor actually built. What good is a Zero Trust architecture if it runs on hardware that is implicitly “trusted” not to have been compromised before it arrived?

Zero Trust, Resilience, and IT Manufacturing - Putting the Pieces Together

This question brings us back to manufacturing and sovereign resilience. SoftIron’s “Edge Manufacturing” combines open-source technologies with local manufacturing to enable a new model for competitive domestic IT manufacturing. This approach lets us offer truly Zero Trust hardware: customers can audit the hardware, software, and manufacturing of our products at a component and source-code level before installing them operationally. Most IT consumers are not aware, because they do not think to ask, that virtually no other vendor will allow customers to audit source code. So much for Zero Trust.

The bottom line is that sovereign resilience can only be reliably achieved by building on Zero Trust principles that extend to the hardware level. While the current paradigm has relied heavily on cheaply produced Chinese components, countries can establish locally sourced technology supply chains that are both performant and competitive. Many technology manufacturing vendors are starting to talk in the right direction, but it is up to procurement experts to turn up the heat. That begins by applying Zero Trust principles to hardware acquisition and asking the right questions from the outset: who designed and fabricated each component and where, whether the firmware source and build process can be inspected, and how a delivered unit can be checked against what was audited rather than taken on the vendor’s word.

In the end, however, remember that it is not the source that matters, but what is in the box. The goal is always to install clean, effective hardware in your racks, not to boast about where your hardware was (or wasn’t) made. An audit of designs and source code establishes what was supposed to be built; it only counts if the unit that arrives can be matched to it. To get there, trust ultimately needs to be replaced with transparency and auditability.

About the author: Phil Straw is the technical visionary and co-founder behind SoftIron. Phil initially served as the company’s CTO before stepping into the role of CEO. Previously, Phil served as CEO of Heliox Technologies, co-founder and CTO of dotFX, and VP of Engineering at Securify, and worked in both technical and product roles at Cisco and 3Com. Phil holds a degree in Computer Science from the University of Manchester Institute of Science and Technology (UMIST).