Hard(ware) questions about government hacking: what if the Bloomberg story is true?

Governments around the world must make a formal commitment not to engage in cyber operations that impact the security of the global internet, particularly attacks that implicate hardware, and they must condemn those who carry out these operations.

In our view, that is a key takeaway from the report by Bloomberg last week detailing an alleged attack perpetrated by a group that appears to be associated with China’s People’s Liberation Army (PLA). According to the report, attackers secretly inserted a tiny chip onto server motherboards supplied to major tech companies, including Apple and Amazon, and the implanted chips reportedly gave Chinese hackers a way into otherwise secure networks. However, the companies named in the report have issued firm denials (Amazon; Apple; Supermicro), and U.S. and U.K. government agencies have backed those denials. The Chinese government also denies involvement. Yet in a follow-up report this week, Bloomberg describes additional details of a similar hardware hack at a U.S. telco.

Given the dispute over the basic facts in this developing story, we will not speculate on what happened until more information is available. That said, these reports highlight a scary reality. Politically motivated attacks that leverage hardware, like the one described in the report, are technically possible (and have precedent). Yet the world remains unprepared. Governments and companies must do more to prevent these attacks: they must make definitive global commitments to refrain from such operations and take coordinated action to foster strong digital security.

Below we share our recommendations.

What governments should do

The only real way to stop us from becoming the victims of state-perpetrated cyber operations is to convince governments not to undertake them. The risks created by attacks like the ones Bloomberg describes are monumental. In our report on government hacking, in which we call for a presumptive global ban on these operations, we highlighted the fact that governments around the world are hacking to facilitate surveillance, and explained why these activities are far more invasive than other surveillance measures. Hacking that implicates the very infrastructure of the internet is inherently disproportionate and represents a violation of human rights on its face.

So what should governments do? They should work together, and with other stakeholders, to publicly condemn government hacking, especially hacking that implicates internet hardware. They should commit not to engage in government hacking of internet infrastructure and pressure other governments to do the same, subject to meaningful accountability mechanisms. Where government hacking is already taking place, they must ensure it is governed by a law with affirmative safeguards, and legislators should take up that deliberation promptly. Movement by some governments to prevent the kinds of operations described in Bloomberg’s report will prompt others to follow.

Governments should also pledge to notify impacted users when attacks like this are discovered. This is precisely why disclosure processes such as the Vulnerabilities Equities Process (VEP) in the U.S., which governs whether the government discloses the vulnerabilities it learns of, exist. U.S. government officials must answer whether this vulnerability was or would have been subject to that process, and explain what analysis led to the failure to directly notify those impacted. While, as some have noted, even acknowledging an attack may have security implications, failing to alert those impacted prevents users and companies from taking measures to remediate. People cannot be collateral damage in online battles between governments.

It is not likely that commitments like these will arise from cybersecurity processes led in silos by military interests. Governments should therefore lead an open and pluralistic discussion on appropriate limitations to cyber operations. Moreover, governments should mandate civilian agency leadership on government cybersecurity policy. While some refer to attacks on companies as “cyberwar,” this military framing can only lead to even more harm to users. It suggests that solutions ought to be led by the military and driven by conflict, but avoiding the militarization of the internet is essential to promoting and protecting the rights of users.

Importantly, while these global commitments and norms have not yet been established, we are seeing steps in this direction. Bodies at the United Nations have addressed government interference with hardware supply chains. The U.N. General Assembly adopted the 2015 report of the U.N. Group of Governmental Experts on Information Security (GGE), which condemned interference with the supply chain and the use of harmful hidden functions. While the most recent GGE was unable to reach consensus on its own report, the General Assembly is expected to introduce another resolution on next steps later this month.

In addition, global consensus on the specific harm of government hacking is growing; at the 39th session of the United Nations Human Rights Council, a resolution on the safety of journalists identifies government-sponsored hacking as a threat.

What companies should do

Companies must also be active in resisting attempts to undermine the integrity of their platforms, and of the internet’s infrastructure as a whole. Some Chinese technology companies already suffer repercussions outside China because of their association with the government’s surveillance regime; the U.S. and E.U. governments have taken measures to limit the ability of ZTE and Huawei to do business in their jurisdictions. However, simply singling out those companies ignores the complexity of the global supply chain, in which contractors, subcontractors, and factory workers all play different roles. In order to ensure respect for user rights, companies should commit to conducting regular audits that cover supply chains across the sector. Those commitments should be backed by strong global norms and national laws that protect user data and ensure corporate accountability.

Companies have internal responsibilities too. They must evaluate the risks their operations pose to human rights and take measures to prevent and mitigate any harms. For hardware vendors, those harms range from labor abuses and environmental damage in their supply chains to “value chain” abuse, such as the theft of intellectual property and the pilfering of users’ data. The U.N. special rapporteur for freedom of opinion and expression has drawn attention to the contracts between companies as a means to ensure that “all parties uphold their human rights responsibilities.” Likewise, once they identify risks, companies should develop rights-respecting policies, use their business relationships to ensure suppliers uphold principles protecting users, and, through human rights due diligence, reduce opportunities to subvert product security. This may mean that more companies move their supply chains out of jurisdictions where the threat of interference or manipulation is high.

Companies have also made progress in responding to the threat of nation-state attacks, and they deserve credit when they support policy solutions that limit the harm to their users and platforms. The “Cybersecurity Tech Accord,” launched earlier this year, has its limitations, but its participants are calling for genuine solutions such as broad adoption of Coordinated Vulnerability Disclosure (CVD) policies. We urge stakeholders to go further and work together to strengthen current domestic and international standards for CVD, so that they provide better transparency and coordination for sophisticated hardware attacks.

This alleged hardware attack is not a first, and it won’t be the last — unless we change things

To some, the fact that an aggressive government may be interfering with the supply chain to enable broad surveillance might not come as much of a surprise. After all, as we note above, it has happened before. On the policy level, China’s new cybersecurity law will enable greater surveillance. If it turns out that China launched an operation to insert chips into hardware destined for the U.S., it would signal a desire to pursue technical measures as well to exert control over the internet. The damage of this approach would be significant, not just for human rights but also for global technology markets that are built on trust. It is essential that governments and companies work together to reverse course. Otherwise, we will not see the last of these attacks, and operations undertaken in the name of “cybersecurity” will leave us with no security at all.