Globalization and business transformation have given almost every manufacturer an incredibly complex worldwide supply chain. Hardware ostensibly manufactured in the US inevitably includes components produced in various places around the world, including nations described in other circumstances as “adversarial States”.
This creates the potential for foreign governments or criminal gangs to interfere in the supply chain. The Bloomberg article of October 2018, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Corporations”, offered evidence of this threat. The report states that a unit of the People’s Liberation Army ran an operation that installed tiny spy chips on hardware from US-based Super Micro Computer (SMC) that was fabricated in China.
Within intelligence circles, the report was largely discredited, but Bloomberg declined to withdraw it. Valid or made up, it is a vivid example of Western fear of hardware attacks on the supply chain. If the report is accurate, any SMC machine produced subsequently would have shipped pre-compromised by the Chinese Government.
American companies are all trying to protect their own supply chains. Intel has now developed a separate set of policies for the Transparent Supply Chain. “The industry needs an end-to-end system that can be used throughout the platform’s multiannual existence,” the company announced today. “And that’s our aim with the Compute Lifecycle Assurance Initiative, substantially enhancing accountability and ensuring higher levels of assurance that enhance reliability, stability and security throughout the life-cycle system.” Over the next year, Intel commits to expanding its Transparent Supply Chain resources, applying best practices learned from experience, and collaborating with the community on ways to improve security throughout the life cycle of the project.
The project is referred to as Compute Lifecycle Assurance. Intel doesn’t give any details as to what that might entail, but says, “In the coming 12 to 18 months, we hope that our customers, partners and government oversight agencies will see growing interest in increasing transparency beyond the manufacturing supply chain, including transport, supply, attestation and on-site updates.”
More recently, Intel gave a presentation (PDF) to the National Cybersecurity Center of Excellence (NCCoE) in September 2019. Mark Boucher, the developer of Compute Lifecycle Assurance at Intel, delivered the lecture. It clearly shows the current principles of the Transparent Supply Chain applied to a private Ethereum blockchain.
It may be, although Intel’s statement today does not say so, that its vision of a standard approach to supply chain security is based on the principles of learning transparency built into a blockchain. Intel says, “these are early days and we know we can’t do that alone. We invite the broader ecosystem to join us on this journey.”