October 8, 2024 | Chris Miller

The writer is the author of ‘Chip War’

The explosives that Mossad slipped into thousands of Hizbollah pager batteries and detonated last month in Lebanon should send a jolt of fear through the otherwise staid world of global supply chain management. Surely adversaries of the west will have their own tactics to compromise our electronics hardware. Most companies think only about cyber and software vulnerabilities. It is time they take hardware security more seriously.

The Russians are already so nervous that complex electronics can be manipulated by opponents that they have created a special institute to test the veracity of western chips smuggled in for use in missile and drone manufacturing. History shows that they are probably right to worry. Though many cold war-era spy games are still concealed by classification, Politico recently uncovered a 1980s FBI scheme designed to tamper with chipmaking tools that the Soviets were illegally importing.

However, western security agencies may no longer have the opportunity to repeat such practices — even if they are as skilled today as they were during the cold war. The epicentre of electronics manufacturing has shifted from the US to Asia — in particular to China and in the case of chipmaking to Taiwan. The more products a country assembles, the more opportunities for malfeasance.

Most of us don’t need to worry about exploding electronics. But what about devices modified to enable espionage? In 2018, Bloomberg reported that Chinese spies had added a rice-sized chip to server circuit boards used by Amazon, Apple and the Pentagon. The extra chip reportedly allowed an external actor to alter how the server worked and pilfer data.

All companies involved refuted the story and vehemently rejected the implication that their data security was compromised while US intelligence chiefs denied that there was any evidence of manipulation of products. But it is not always wise to take the public statements of spies at face value.

In comparison to implanting and then detonating explosives in pager batteries, placing an eavesdropping chip on to a circuit board is more straightforward.

Nor is espionage the only shape that a hardware attack could take. Counterfeit chips — especially simple, cheap, mass-produced semiconductors, like those that modulate electricity on a circuit board — are already a challenge. Chip companies don’t like it when their products are copied and sales are lost but there are broader safety problems to consider too.

Suppose a counterfeit chip was produced with deliberately low quality standards, aiming to reduce its working life. Outcomes could vary from irritating to debilitating. If the world’s electric toothbrushes started breaking down, we could still brush by hand. But if America’s submarines started spending more time in port to fix malfunctioning electronics, the US military could find itself spread thin in the Indo-Pacific.

Scenarios like this one are why US defence companies are not supposed to source components from adversaries. However, it’s an open secret in Washington that some big defence contractors don’t abide by this rule, claiming it’s impossible to follow. Certain types of components today are only made in Asia. One recent study found that new US aircraft carriers have 6,500 Chinese-made semiconductors inside.

If the military uses unreliable suppliers, so might telecom companies and other essential infrastructure providers.

Western companies have spent the past two decades building defences against cyber attacks, spending billions in the process. Yet even the most sophisticated of them devote few resources to verifying the chips or inspecting the circuit boards inside their systems. Some manufacturers still fail to monitor the origin of components deep in their supply chains, despite the creation of powerful software to facilitate this. 

Scrutinising hardware is expensive and often technically complex. The US military is creating a “secure enclave” for classified chipmaking, but even the biggest electronics companies cannot afford to bring all their manufacturing in house.

They can, however, use increasingly powerful software tools to better understand risks in their supply chains.

This is the work Hizbollah did not do, though after the pager explosions journalists were quickly able to ascertain that the Hungarian company that sold the devices was an Israeli front.

Hizbollah isn’t unique in relying on complex electronics production networks with limited visibility — we all do. No doubt it wishes it had devoted more resources to supply chain security and hardware verification. Western companies and governments must make sure they do the same.