October 13, 2013
At a remarkable conference held at the Aspen Institute in 2011, General Michael Hayden, a former head of both the NSA and the CIA, said something very interesting. In a discussion of how to secure the “critical infrastructure” of the United States he described the phenomenon of compromised computer hardware – namely, chips that have hidden “back doors” inserted into them at the design or manufacturing stage – as “the problem from hell”. And, he went on, “frankly, it’s not a problem that can be solved”.
— Siraj Solutions (@sirajsol) October 13, 2013
Now General Hayden is an engaging, voluble, likable fellow. He’s popular with the hacking crowd because he doesn’t talk like a government suit. But sometimes one wonders if his agreeable persona is actually a front for something a bit more disingenuous. Earlier in the Aspen discussion, for example, he talked about the Stuxnet worm – which was used to destroy centrifuges in the Iranian nuclear programme – as something that was obviously created by a nation-state, but affected not to know that the US was one of the nation-states involved.
Given Hayden’s background and level of security clearance, it seems inconceivable that he didn’t know who built Stuxnet. So already one had begun to take his contributions with a modicum of salt. Nevertheless, his observation about the intractability of the problem of compromised hardware seemed incontrovertible. This is because covertly modified hardware is hard to detect – much more so than dodgy software. The hardware in a computer can do things like access data in ways that are completely invisible even to the machine’s security software. At the Black Hat security conference in August last year, for example, a researcher named Jonathan Brossard demonstrated software that can be burned into the hardware of a PC, creating a back door that would allow secret remote access over the internet. And – here’s the really scary bit – the secret entrance couldn’t even be closed by switching off the computer’s hard disk or reinstalling its operating system.
The reason this is so scary is because virtually every bit of kit that runs the internet – the machine on which you compose your emails, the tablet or smartphone with which you browse the net, the routers that pass on the data packets that comprise your email or your web search, everything – is a computer. So the thought that all this stuff might covertly be compromised in ways that are impossible to detect is terrifying. It’s this fear that underpins American (and British) reservations about network products made by the Chinese company Huawei – the suspicions (vehemently denied by Huawei, of course) that the kit has secret back doors installed in it to facilitate the Chinese’s cyber-army’s penetration of western networks.