In a must-read article, Bloomberg Businessweek reported on ‘The Big Hack’ of SuperMicro in what could possibly be the biggest data breach in recent history. Quiet as kept, this story flew under the mainstream radar after dismissals from the supposedly affected companies like Amazon Web Services and Apple. The ramifications of an admission of guilt could send their stock price tumbling by alerting millions to a data breach that stretches farther and wider than we are able to grasp.
The hack of hardware is something that not only do we normally not see, we simply don’t check for. There is a point where a vendor must simply be trusted. Hardware comes equipped with manufacturer’s warranties that protect customers from failing equipment. These warranties also regulate the equipment’s use, including spacing within racks at a data center, and govern firmware updates. They can be voided if an IT professional misuses the equipment, which includes dissecting a piece of equipment for examination.
The claim is that a tiny chip was inserted into a component of hardware deployed in thousands of data centers, used by the largest companies, storing some of the most critical data in the world. Apparently, we were hacked by China and they’re in all of these machines at these data centers. What they have, we may never know. The impacted companies released statements that left a lot to be desired. If you know you have this equipment in your data center, you’d rip it out if you could, and you certainly wouldn’t install it now.
What does the Supreme Court have to do with all of this? Here’s a hint: this goes back, way back, to around the time Brett Kavanaugh began ‘Ralphing’ at Georgetown Prep and way before his appointment to the highest court in all the land. Judge Greene’s impact on the telecommunications industry is the stuff of legend. It’s a story of capitalism getting too big and the government overstepping its bounds.
AT&T had the whole industry under lock and key, controlling both the network and the equipment that powered it. AT&T had the phone lines, the telephones, and the switches that made it all work. Their reputation for poor customer service didn’t help when it came time for the judges, many of whom had experienced AT&T’s lack of customer service. The company was broken up.
Fast forward to 2018 and that network provides much more than just telephone service. The underlying network is absolutely mission critical to our national security and our daily lives. It’s become so powerful that the whole computing paradigm was turned on its head, pushing applications out into the cloud from a centralized platform that was slow, clunky, and difficult to access. Intrusion detection and prevention can allow you to see inconsistencies in your network, but when the backdoor is within your hardware, chances are you won’t detect it.
So we eventually arrive at capitalism’s version of the chicken or the egg. How much regulation? Then who’s responsible for that regulation when it goes wrong? AT&T was broken up and other companies began making equipment to patch the vulnerabilities in an open and widely distributed system. There’s so much data flying over our networks that no one anticipated. Who would have believed in 1986 that you could buy a car from a vending machine on the internet? No judge could foresee that flaw in their philosophy if they’re not a technologist. I’m sure the folks at Bell Labs thought it possible, and they were thought to be crazy, weird geeks.
So here we are with a fully distributed system that transcends wired connections and is present in every facet of our lives, down to our refrigerators! Experian didn’t let us know of a breach of our financial data for over six months. This is much worse, so mere statements aren’t going to cut it. We need to see proof that our network is still secure.
Amazon Web Services and Microsoft Azure are the hottest topics in IT, which is curious because less than 10 years ago the thought of crucial data being housed outside of your company’s data center was unheard of. Today, it’s a best practice to use some sort of hybrid architecture for your data center, but the key is to mitigate exposure by dishing out your data based on its level of confidentiality and accessibility requirements. I wouldn’t be surprised if we start to see the pendulum swinging back to the data center and away from the cloud as companies keep their data closer to the chest. In fact, WikiLeaks recently released a map of AWS’s global data centers, increasing their vulnerability.
It’s necessary to have progressive-minded individuals to set policy. Breaking up AT&T was a controversial decision with long-lasting implications. Would we be better off had it not been broken up? Would speeds be as fast? Would we be talking about AT&T Web Services instead of Amazon Web Services? Would SuperMicro be compromised by chips allegedly inserted in devices by the Chinese government? Would those devices ever have been manufactured overseas?
With Net Neutrality still threatening to change the nature of the broadband landscape and telecom companies merging back towards whence they came, it looks clear that the bigger players are getting bigger. With less competition, the true answers will be harder to find. That’ll keep you awake at night as a security-minded IT professional or CISO. The ‘take it or leave it, where else are you gonna go’ mentality of the telcos of yesteryear is being adopted by many of the cloud providers; at least that’s how one could interpret their denials of the breach.
I don’t expect this equipment to begin being manufactured in the States anytime soon. I don’t expect our judges and politicians to begin to understand technology on a fundamental level. I don’t expect AWS, Microsoft, or Apple to admit to a breach. I don’t expect technologists to begin to consider regulation when innovating. I don’t expect to see the sucker punch. All you can do is stay as vigilant as possible, ready to react should an event occur, and pray that it’s not a crippling zero-day attack that leads to a breach massive enough to send you to barista training.