In a report filed by Bloomberg, allegations of China poisoning the hardware supply chain has some severe implications.
In a nutshell:
- Major server hardware manufacturer Supermicro has been producing servers for datacentres used by multiple government agencies including Australian Defence Department and Bureau of Meterology.
- Supermicro products are designed and developed in USA but manufacturered in China.
- Allegations of supply chain tampering by Chinese authorities modifying production design to include a small component not in the original design smaller than a grain of rice.
- Additional component allegedly could used as a “backdoor” into server management functions to allow unauthorised access from surveillance to tampering with operating system, firmware or communications.
- There are reports that previous attempts have been made giving weight to the allegations.
- Apple terminated Supermicro as a supplier in 2016. Denies it was related to altered Supermicro products.
- Supermicro, Amazon, Apple and Chinese officials deny the allegations.
So what does this mean?
Let’s look at the possible scenarios:
- The allegations are true.
Over 900 Supermicro customers in 100 countries are potentially compromised at the hardware level in datacenters all around the world. Possibly millions of servers need to be replaced to the tune of billions of dollars and China is effectively shut out of numerous supply chains worldwide for a number of years.
Cybersecurity is turned on it’s head as threats move from software which is easy and pretty quick to fix to hardware which is expensive and typically would take years to rectify.
- The allegations are false.
Supermicro and its shareholders have millions of dollars of value wiped from their business in stock and lost sales and Bloomberg faces damages (with a possible investigation into politically motivated interference in the publishing of the story as a part of the potential trade war – speculation on my part).
- Something else entirely.
To be honest, we don’t have all the possibilities mapped out yet so there are bound to be some unknowns still to come into play that could change the course of this story.
Either way, the genie is out of the bottle and there is a lot to lose on many sides depending on which way this falls. You can be sure of one thing though. Companies, insurers and compliance auditors will be taking supply chain security seriously as this story kicks off thought experiments in boardrooms worldwide.
Below is my regular stream from Mondays (8th October) picking up when I talk about this on air with Chris Ilsley at 6PR.