Ira Winkler: Press falls short in reporting on chip hack

When researchers uncovered a back door in a MILSPEC chip, the reports all seemed to imply that it was no big deal

I'm a writer, not a reporter, but like many consumers of news reporting, I sometimes think reporters take the easy way out. They report on someone saying or doing something controversial, then they find one person who will say that what that person said or did was wrong. End of story, so to speak.

This follows the "there are two sides to every story" theory of news reporting; once you've reported the point and counterpoint, there's nothing else to say, right?

But truth and reality -- those things that reporters presumably should be trying to reveal -- are often more complicated than that. And I often see how inadequate this approach can be when I'm reading about something that I know a good deal about.

Case in point: Researchers from the University of Cambridge revealed that there were back doors in military-grade chips and suggested that China was behind their installation. In story after story in the computer press, I read that information, followed by quotes from the Errata Security blog of Robert David Graham, who argued that there was no evidence China was involved and that it was unlikely that there was any malicious intent behind the installation of the back door. And that was all; no quotes from any other experts.

That bothers me, because I know they could have found plenty of people with solid credentials to refute what Graham had to say. They could have asked anyone familiar with national cybersecurity matters, people like former White House adviser Richard Clarke and current top cyber cop for the FBI, Shawn Henry. Both have been vocal about the cyber-espionage threat that the U.S. and U.S. companies face from China and other nation-states.

And it especially bothers me because this is the computer press we're talking about. When a vulnerability like the one described by the Cambridge researchers is downplayed in the computer press, there can be repercussions. Security managers in major companies know firsthand that they are being breached by China on an ongoing basis. They ask for budgetary resources to deal with such threats. Then along comes a story about researchers verifying that chips from China do indeed have a major vulnerability. To me, that should be the story. No one is disputing that the vulnerability exists. It was uncovered by researchers with very limited resources. That suggests that, even if China didn't install the back door, a nation-state, backed by tremendous resources, certainly could have found this vulnerability before now and could be exploiting it. But the news stories do not make that point; instead, they quote someone who says, in effect, this is nothing to take seriously; we've seen it all before; it's no big deal.

The result? The keepers of the budgets at major companies and their shareholders can all say, "These reports about threats are all overhyped," or at least the threat is too vague to base budget allocations on. The companies do not allocate the resources to defend themselves properly against what is a very real threat.

That threat is not hype; it is simply true. Let's consider China. Does anyone not think that its leaders consider the U.S. and the West to be adversaries? And doesn't every country put a high priority on its own national security? Of course they do, and with that in mind, it's ridiculous to think that China would not implement back doors in adversaries' technology, especially when that technology is actually manufactured in an environment that is under their complete control, just as the U.S. National Security Agency embedded a back door in encryption gear more than two decades ago. Why is it outside the realm of possibility that an incredibly capable nation would attempt to undermine random systems used throughout the U.S. military? China has already been identified as hacking the White House, embedding malware in the power grid and stealing designs for the F-22 advanced fighter aircraft, as well as breaching just about every other country and Global 500 company.

So, yes, it bothers me very much that no one was called on who could have countered Graham's argument by pointing out such things. And this is true of other things Graham had to say. For example, he seemed to scoff at the idea that the back door could have been intentional, since it is difficult to modify designs. But there are many plausible possibilities. An insider could have stolen the design plans, something that has happened before, in the case of Bill Gaede at AMD and Intel. And given the prominence of Chinese nationals in chip design around the world, the design could have been placed in the chips maliciously from the start.

To say that it is unlikely that China could have reverse-engineered the chips is insulting to China, which produces more engineering Ph.D.'s than any other country in the world (not counting the Chinese students who study at top engineering schools outside of China), as well as utterly naive and absurd.

Graham also points out that activating the back door would require physical access to the device. That is very true, but does that mean it can't be done? We know it can be done; just look at Stuxnet, which could be deployed in Iran's nuclear facilities only with direct physical access. And the bulk of the U.S. military is significantly more open than Iranian nuclear facilities.

Another attempt to downplay this threat is to say that the chips in question don't have a specific purpose, and therefore China wouldn't know what it might be compromising in advance. But China employs a "grain of sand" approach, which implies that you will comb through an entire beach to find the one grain of sand that has value. And China has vast resources to pursue such a strategy.

So there you have my learned opinion: China has more than sufficient ability and motivation to modify a chip that is being manufactured in its factories.

But do I know definitively that China had anything to do with that back door? No. But it's just as true that Graham doesn't know that China didn't have anything to do with it. What I do definitively know is that China is a sovereign nation, and just like every other sovereign nation, there is every expectation that it will take whatever action may be necessary to further its security and economic agendas.

In the end, what I think is irrelevant. The opinions that really matter are held by stakeholders within the U.S. intelligence and military complex. But you didn't see the media reporting what these people think about the matter.

To recap: Is there a back door in a MILSPEC chip that requires physical access to systems? Yes. Is it hard to maliciously plant a back door in a MILSPEC chip? Yes. Have similarly difficult things been accomplished before by capable intelligence agencies? Yes. Is it hard for an intelligence agency to gain physical access to chips deployed in the field? Definitely. Has it been done before by capable intelligence agencies? Definitely. Does China have highly capable intelligence agencies? Most definitely. Should the possibility that China was behind the back door be mocked? Hell no! If nothing else, it would be an insult to China's capabilities to think it cannot accomplish this. Did the computer press adequately address this point? Sadly, no.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site,
