Everyone I know believes Supermicro is guilty. The story, which you know by now, is that during the assembly process at this $2B company, oft-called the Microsoft of hardware, a rice-sized Trojan chip was placed onto their motherboards, which are manufactured in San Jose. Despite the U.S. venue, if you wanted to find a more guilty-looking crime scene, then you'd have trouble: Supermicro is teeming with Chinese staff, speaking Mandarin, and munching on Chinese pastry.
Now, kudos to the Amazon team for discovering this issue. By most accounts, they were the first to find the malicious insertion, and I can promise that this is easier said than done. And kudos also to Amazon and Apple for canceling their business relationships with Supermicro - although Apple swears this had nothing to do with the bug (ahem). My suspicion is that the U.S. intelligence community also knew about this security problem, but that's just my hunch.
Anyway, none of this matters much to the average Joe like you and me - and here's why: I believe, based on what is now approaching for me a total of four decades staring at this damn issue of cyber security, that the following five countries, and their close allies, can use a wide range of cyber offensive measures to break into your system at any time, at any place, and for any reason: Russia, China, America, UK, and Israel. They can get you: Whenever. They. Want.
The way they do this involves all sorts of clever technical, operational, and even human means. Go back and read Ken Thompson's Turing Lecture, "Reflections on Trusting Trust." It gives the who-what-and-where of how you dissolve malicious code into software in a way that code inspection cannot find. And that paper is from four decades ago. Since then, foreign and domestic intelligence groups have gotten so much better at this that it should send shivers up the spine of any supply chain team.
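The Thompson point above is that reading the source will not find the planted code, because it lives only in the compiler binary and re-inserts itself on every rebuild. The check a supply-chain team can actually run against that is a reproducible rebuild through an independent compiler, David A. Wheeler's "diverse double-compiling" (DDC). The Python below is an added toy simulation written for this page, not code from the article or from any real toolchain: a "binary" is a byte string, a "compiler" is one function whose behaviour depends only on the bytes of the binary it is given, and the names HIDDEN_PAYLOAD, COMPILER_SOURCE, LOGIN_SOURCE, TRUSTED_COMPILER and diverse_double_compile are all constructed for the illustration. It assumes deterministic compilation, which real DDC also requires.

```python
"""Toy model of Thompson's self-reproducing compiler backdoor and of the
diverse double-compiling (DDC) check that detects it.

Constructed simulation only: a 'program' is a tuple of source lines and a
'binary' is bytes. Nothing here is a real compiler or a real payload."""
import hashlib

# Constructed marker standing in for machine code that exists only inside a
# binary and never appears in any source file.
HIDDEN_PAYLOAD = b"\x00hidden-payload\x00"

# Clean compiler source: nothing in it mentions the payload.
COMPILER_SOURCE = ("# toy compiler", "read source", "emit uppercase", "write binary")

# A target program the backdoor singles out (constructed).
LOGIN_SOURCE = ("# login program", "read password", "check password", "grant or deny")

# An independently built compiler we trust; any marker-free bytes will do here.
TRUSTED_COMPILER = b"INDEPENDENTLY-BUILT-COMPILER"


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_compiler(compiler_bin: bytes, source: tuple[str, ...]) -> bytes:
    """Run a compiler *binary* on source text.

    The behaviour comes from the binary, not from the source it was once built
    from; that gap is exactly what the Thompson attack lives in."""
    output = b"\n".join(line.upper().encode() for line in source)
    if HIDDEN_PAYLOAD in compiler_bin:
        # Backdoored binary: re-insert the payload whenever it recognises the
        # compiler's own source, and plant a hook when it sees the login program.
        if any("compiler" in line for line in source):
            output += HIDDEN_PAYLOAD
        if any("login" in line for line in source):
            output += b"\nHIDDEN-BACKDOOR"
    return output


def clean_compiler_binary() -> bytes:
    """What an honest build of COMPILER_SOURCE produces."""
    return b"\n".join(line.upper().encode() for line in COMPILER_SOURCE)


def backdoored_compiler_binary() -> bytes:
    """Same compiler, with the payload present only in the binary."""
    return clean_compiler_binary() + HIDDEN_PAYLOAD


def source_inspection_finds_payload(source: tuple[str, ...]) -> bool:
    """Code review of the source: looks for anything payload-like."""
    return any("payload" in line.lower() or "backdoor" in line.lower() for line in source)


def diverse_double_compile(suspect_cc: bytes, cc_source: tuple[str, ...],
                           trusted_cc: bytes) -> tuple[bool, str, str]:
    """DDC check. Returns (match, suspect_digest, regenerated_digest).

    Stage 1 builds the compiler from its source with an independent trusted
    compiler; stage 2 rebuilds it with the stage-1 result, so stage 2 contains
    only what the source says. If the suspect binary is faithful to its source,
    its own rebuild of that source must be byte-identical to stage 2."""
    stage1 = run_compiler(trusted_cc, cc_source)
    stage2 = run_compiler(stage1, cc_source)
    regenerated_by_suspect = run_compiler(suspect_cc, cc_source)
    return (regenerated_by_suspect == stage2,
            sha256hex(regenerated_by_suspect), sha256hex(stage2))


if __name__ == "__main__":
    print("source review finds payload:", source_inspection_finds_payload(COMPILER_SOURCE))
    for label, cc in (("clean", clean_compiler_binary()),
                      ("backdoored", backdoored_compiler_binary())):
        ok, got, want = diverse_double_compile(cc, COMPILER_SOURCE, TRUSTED_COMPILER)
        print(f"{label}: DDC match={ok}  suspect={got[:12]}  regenerated={want[:12]}")
```

Source review passes for both builds, the backdoored compiler keeps re-inserting the payload when it recompiles its own clean source, and only the DDC hash comparison separates the two. The caveats carry over to real life: DDC needs a trusted compiler built independently of the suspect one and a reproducible build, and it verifies a compiler against its source, not the board or firmware underneath it, which is where the essay says the invisible insertions now live.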
What this means is that the Supermicro situation was not some close call, as the popular media seem to represent it. My belief, in fact, is that this was uncharacteristically sloppy work. If I were a cyber commander in China, I'd never have approved such a thing. I mean, you're leaving visual evidence on a motherboard! I understand the power of hardware, but I'd have pounded my fist and demanded in my broken Mandarin that they find an invisible means of insertion.
And now here is the really bad news: My belief is that the Chinese have, in fact, created invisible means. And I believe these are present and active. I'd bet anything on this. But rather than blame the Chinese, I'd extend the claim to all countries mentioned above. Lest we forget, engineers discovered _NSAKEY in Windows NT 4 Service Pack 5. I know there are explanations for this weirdly-named key, and it's all been hotly debated ever since. But I'm just saying...
Bottom line: If you are being asked what to tell your senior management about this situation, and my guess is that 95% of you reading this article are thus motivated, then below are the brief answers that I recommend you provide your bosses to the most common questions you will get about the problem. I'd recommend you keep things brief and simple. Trying to explain signal conditioning couplers will get you nowhere:
Did Supermicro do this? Yes, Supermicro did it. But we do not know if leadership was involved, or if this was done by insiders planted by the Chinese government.
Is the problem fixed? No, because other more effective means exist for nation-states to break into our stuff. And these are likely hidden in ways we could not possibly conceive.
Should we cancel our AWS and Apple contracts? No, we should not stop using Amazon or Apple. In fact, it's impressive that their engineers found this subtle Trojan.
How do we protect ourselves? By distributing, virtualizing, and improving our security design. We must assume, in all our work, that malicious nation-states are after us.
Should we stop buying from the Chinese? Well, uh, it depends. But we need to be aggressive in searching for bugs in our equipment and software. Especially software.
Can the government help? Yes. But they haven't done a great job to date. We must lobby our leaders to negotiate for realistic norms and policies in international cyber security.