We spend a lot of time securing our perimeter networks and our internal systems. We fret about public cloud and private data centers. But what if the hacking can be done at a level that we can’t even begin to detect? The supply chain is the grail of undetectable hacking. If you can get integrated into the supply chain of a device, you can own every one of them from now until forever.
Bruce Schneier has some great thoughts on the need to secure the supply chain and what could happen if something really were to slip in and cause issues. As he states here:
This is an area that needs more research. Today, the advantage goes to the attacker. It’s hard to ensure that the hardware and software you examine is the same as what you get, and it’s too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won’t find them all. It’s a needle-in-a-haystack problem, except we don’t know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.
Make sure you check out all his thoughts about the possibility of supply chain hacks.
Read more: Supply-Chain Security and Trust