Supply chain security was a pressing problem long before Bloomberg Businessweek published its article alleging that Chinese threat actors compromised SuperMicro’s supply chain. Why are American firms, the media, and the public only now beginning to take notice of the importance of supply chain security when defense, intelligence and other communities have been sounding the alarm for over a decade?
Bloomberg’s October assertion that SuperMicro’s supply chain might be vulnerable should not have been a bombshell viral report. Supply chains in every commercial sector have been vulnerable for over a decade, and not enough has been done by stakeholders to mitigate the risk of compromise. In order to achieve any measure of progress towards supply chain security, government agencies, private companies, the media, the public, and other stakeholders need to demonstrate through meaningful action that the security of the products employed in our critical infrastructure sectors, businesses, and everyday lives is a top priority.
In this paper, ICIT explores our history of ignoring calls to action on supply chain security, lays out both sides of the SuperMicro/Bloomberg debate in an objective manner without giving credence to either argument, and discusses what the global community can learn from the aftermath of this incident and what steps we can take to begin to improve our supply chains.
The authors would like to thank the following ICIT Fellows for their advisement and expertise around supply chain security. The views expressed in this paper are those of the authors, not those of the Fellows listed below.
- Michael Aisenberg, ICIT Fellow & Principal, Cyber Policy Analyst / Counsel, Center for National Security, MITRE
- Jerry Davis, ICIT Fellow & Vice President and Global Chief Security Officer, Lam Research