- Goldman Sachs and Intel published a white paper Tuesday detailing the importance of supply-chain security.
- Transparency into the supply chain is critical, security experts from both firms said, as understanding the state of devices when they arrive gives companies a secure foundation to build trust upon.
- “There’s lots of different opportunity for a device to have been altered in some way,” Tom Garrison, vice president of client security strategy and initiatives at Intel, told Business Insider.
Wall Street has put plenty of resources toward ensuring its technology remains safe and secure. But what happens if tech gets compromised before it even arrives?
That’s the question Intel and Goldman Sachs are raising in a white paper published on Tuesday by the two firms. The paper, which also includes endorsements from companies like LG Electronics and Lenovo, focuses on supply-chain security.
“What we’re trying to do is provide transparency into what components were used to build the device that you’re using,” Tom Garrison, vice president of client security strategy and initiatives at Intel, told Business Insider.
Having better insight into what was used to build out different tech products means that you’re more likely to spot when something is amiss, he added.
“Understanding what firmware is running, what the state of the firmware is, and do you trust that device, is a fundamental question. And that really gets to the heart of when we’re talking about supply-chain security,” said Garrison, who was a co-author on the paper.
Attention towards cybersecurity among financial firms has significantly increased over the past decade and it’s now a top-of-mind issue for all executives, not just those in technology.
But while plenty of focus is given to double-checking applications and educating employees on what emails to avoid, knowing the status of hardware when it is first delivered hasn’t always received top billing.
However, having strong supply-chain security is critical, Garrison said, as understanding the state of devices when they arrive gives companies a secure foundation to build trust upon.
“If somebody were to put in a component, like sneak it into the circuit board of your device — whether it be a switch, a server, or any piece of technology, really — how would you know? How do you know if someone did that? And the reality is it’s actually very technically complex to figure out. It’s expensive, and it’s not a simple answer,” Michael Mattioli, a principal engineer in hardware engineering at Goldman Sachs, told Business Insider.
“The first step is obviously the transparency part. At least know. If you know, you can do something about it,” added Mattioli, who is a co-author on the paper.
With cyberattacks on the rise, supply-chain security is key
Breaches in supply chains can come in multiple forms. A chip in a piece of hardware could be modified — or replaced completely — to give bad actors a way in once it arrives and is installed at the target.
Incidents like that can occur when companies don’t have insight into how their tech navigates its way through complex supply-chain networks.
“When you receive your PC, it has gone through lots of different hands from the time it left the factory, when it was manufactured through the channels, until it ultimately shows up on your front door or your dock. And so there’s lots of different opportunity for a device to have been altered in some way,” Garrison said.
Wall Street, while always a target for hackers due to its proximity to money and important data, has been forced to be even more on guard in recent months as the coronavirus pandemic has introduced widespread remote work. According to a report from VMware Carbon Black in May, there was a 238% uptick in attacks against financial firms from February to April 2020.
And it’s not just about making sure your own environment is in order. With more client interactions taking place via digital channels, firms want to make sure those they do business with have taken steps to make sure their supply chains are secure as well.
As a result, Goldman’s Mattioli said, this is an issue everyone needs to consider and work to improve.
“Not one technology company or entity can fix this on their own,” he said. “This requires everybody to get on board and say, ‘Let’s go and fix this.’”
Extended WFH means a focus on tracking the status of devices
While solving supply-chain security will be an industry effort, some firms are well positioned to take the lead. Intel’s own supply chain spans 16,000 suppliers across 60 countries, according to Garrison.
The tech giant is already figuring out ways to lend its expertise. In December 2019, it rolled out Compute Lifecycle Assurance, which helps companies track products not just before they arrive, but throughout their entire existence at the firm.
The significance of tracking a device’s status has become even more crucial this year.
Many firms are welcoming employees back to their office after months spent working from home. With their return come devices that have spent extended periods of time outside of companies’ networks.
As a result, they need to ensure what’s being brought back into their offices is secure and safe.
“It obviously adds a significant amount of complexity,” Mattioli said. “There are definite checks and validations that you need to do to make sure that if stuff is coming back in it’s up to date and trusted.”