printer friendly version

From the editor’s desk: Integrate or fail

The news earlier this month was that Bloomberg Businessweek published a story about Chinese cyber spies (well, with our media it has to be them or the Russians). Apparently, these devious spies had corrupted the supply chain for a company that makes circuit boards in China and inserted a tiny chip on the boards which would allow someone to gain full access to computers and networks.

The accuracy of the story is still not 100% verified, although it is pretty much accepted as accurate. There again, in the current climate of hysterical news opposed by hysterical censorship in the name of propaganda (and not only in America), who can be sure what the facts really are. You can read more at www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies (short link: securitysa.com/*bloom1), as well as comments from some of the companies involved at www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond (short link: securitysa.com/*bloom2), and a good summary of the whole saga at https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/ (short link: securitysa.com/*krebs3).

We’re not in a position to know how accurate the report is, but it does highlight a common weakness in security all over the world – silos. It’s standard that when a company or individual tries to secure their people, systems and assets, they concentrate on doing what is in their immediate scope and leave the rest to other people – assuming everyone else does the job properly. And this is where the problem lies.

You can make your little world 100% secure (if it was possible), but as soon as you interact with other people and systems, you have strangers coming onto your premises and data going in and out of your systems to unknowns. In other words, your supply chain.

You can’t control what anyone else in your supply chain does or doesn’t do, but working together to integrate your physical and logical security based on industry standards won’t risk anyone’s intellectual property, but will strengthen the chain from beginning to end. Unfortunately, as one of the authors above notes, this will require time and money (and mostly effort and support from the top), which is why it doesn’t happen.

On another cyber/physical security note, you may remember the Mirai botnet from a few years ago that used IoT devices, including DVRs and surveillance cameras, to form a botnet to launch denial of service attacks on some high-level websites – with great success.

Well, the authors of the botnet have been caught and convicted, but won’t spend any time in jail. Due to their “extraordinary cooperation” with authorities, they get probation and community service, and a fine.

Well, fine. To me it seems like a colossal omnishambles, much the same as we saw here with the Brett Kebble murder. I suppose it’s good to know that such Brobdingnagian blundering is not confined to the South African government. (After last month’s new word I discovered and mentioned in my column, someone suggested I introduce a new word in this column as well; so there it is, Brobdingnagian.)

Andrew Seldon

Editor

Share this article:

Further reading: