Ira Winkler: Press falls short in reporting on chip hack

When researchers uncovered a back door in a MILSPEC chip, the reports all seemed to imply that it was no big deal

I'm a writer, not a reporter, but like many consumers of news reporting, I sometimes think reporters take the easy way out. They report on someone saying or doing something controversial, then they find one person who will say that what that person said or did was wrong. End of story, so to speak.

This follows the "there are two sides to every story" theory of news reporting; once you've reported the point and counterpoint, there's nothing else to say, right?

But truth and reality -- those things that reporters presumably should be trying to reveal -- are often more complicated than that. And I often see how inadequate this approach can be when I'm reading about something that I know a good deal about.

Case in point: Researchers from the University of Cambridge revealed that there were back doors in military-grade chips and suggested that China was behind their installation. In story after story in the computer press, I read that information, followed by quotes from the Errata Security blog of Robert David Graham, who argued that there was no evidence China was involved and that it was unlikely that there was any malicious intent behind the installation of the back door. And that was all; no quotes from any other experts.

That bothers me, because I know they could have found plenty of people with solid credentials to refute what Graham had to say. They could have asked anyone familiar with national cybersecurity matters, people like former White House adviser Richard Clarke and former top cyber cop for the FBI, Shawn Henry. Both have been vocal about the cyber-espionage threat that the U.S. and U.S. companies face from China and other nation-states.

And it especially bothers me because this is the computer press we're talking about. When a vulnerability like the one described by the Cambridge researchers is downplayed in the computer press, there can be repercussions. Security managers in major companies know firsthand that they are being breached by China on an ongoing basis. They ask for budgetary resources to deal with such threats. Then along comes a story about researchers verifying that chips from China do indeed have a major vulnerability. To me, that should be the story. No one is disputing that the vulnerability exists. It was uncovered by researchers with very limited resources. That suggests that, even if China didn't install the back door, a nation-state, backed by tremendous resources, certainly could have found this vulnerability before now and could be exploiting it. But the news stories do not make that point; instead, they quote someone who says, in effect, this is nothing to take seriously; we've seen it all before; it's no big deal.

The result? The keepers of the budgets at major companies and their shareholders can all say, "These reports about threats are all overhyped," or at least the threat is too vague to base budget allocations on. The companies do not allocate the resources to defend themselves properly against what is a very real threat.

That threat is not hype; it is simply true. Let's consider China. Does anyone not think that its leaders consider the U.S. and the West to be adversaries? And doesn't every country put a high priority on its own national security? Of course they do, and with that in mind, it's ridiculous to think that China would not implement back doors in adversaries' technology, especially when that technology is actually manufactured in an environment that is under their complete control, just as the U.S. National Security Agency embedded a back door in encryption gear more than two decades ago. Why is it outside the realm of possibility that an incredibly capable nation would attempt to undermine random systems used throughout the U.S. military? China has already been identified as hacking the White House, embedding malware in the power grid and stealing designs for the F-22 advanced fighter aircraft, as well as breaching just about every other country and Global 500 company.

So, yes, it bothers me very much that no one was called on who could have countered Graham's argument by pointing out such things. And this is true of other things Graham had to say. For example, he seemed to scoff at the idea that the back door could have been intentional, since it is difficult to modify designs. But there are many plausible possibilities. An insider could have stolen the design plans, something that has happened before, in the case of Bill Gaede at AMD and Intel. And given the prominence of Chinese nationals in chip design around the world, the design could have been placed in the chips maliciously from the start.

To say that it is unlikely that China could have reverse-engineered the chips is insulting to China, which produces more engineering Ph.D.'s than any other country in the world, not including the Chinese students who study at top engineering schools outside of China, as well as utterly naive and absurd.

Graham also points out that activating the back door would require physical access to the device. That is very true, but does that mean it can't be done? We know it can be done; just look at Stuxnet, which could be deployed in Iran's nuclear facilities only with direct physical access. And the bulk of the U.S. military is significantly more open than Iranian nuclear facilities.

Another attempt to downplay this threat is to say that the chips in question don't have a specific purpose, and therefore China wouldn't know what it might be compromising in advance. But China employs a "grain of sand" approach, which implies that you will comb through an entire beach to find the one grain of sand that has value. And China has vast resources to pursue such a strategy.

So there you have my learned opinion: China has more than sufficient ability and motivation to modify a chip that is being manufactured in its factories.

But do I know definitively that China had anything to do with that back door? No. But it's just as true that Graham doesn't know that China didn't have anything to do with it. What I do definitively know is that China is a sovereign nation, and just like every other sovereign nation, there is every expectation that it will take whatever action may be necessary to further its security and economic agendas.

In the end, what I think is irrelevant. The opinions that really matter are held by stakeholders within the U.S. intelligence and military complex. But you didn't see the media reporting what these people think about the matter.

To recap: is there a back door in a MILSPEC chip that requires physical access to systems? Yes. Is it hard to maliciously plant a back door in a MILSPEC chip? Yes. Have similarly difficult things been accomplished before by capable intelligence agencies? Yes. Is it hard for an intelligence agency to gain physical access to chips deployed in the field? Definitely. Has it been done before by capable intelligence agencies? Definitely. Does China have highly capable intelligence agencies? Most definitely. Should the possibility that China was behind the back door by mocked? Hell no! If nothing else, it would be an insult to China's capabilities to think it cannot accomplish this. Did the computer press adequately address this point? Sadly, no.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies