Businesses are worried about supply chain tampering. Intel has a plan.
VP of Global Supply Jackie Sturm says customers demand to know how Intel is "ensuring the security" of devices.
Intel VP of Global Supply Jackie Sturm was in Japan in 2011 when the disastrous 9.0-magnitude earthquake struck, seriously affecting the company's primary source of high purity chemicals and precision equipment. In more recent years, Sturm has had to deal with disruptions from a new type of threat: cyberattacks that cripple factories and suppliers for days.
Intel isn't the only organization dealing with new supply chain cybersecurity risks. The Trump administration has pressured allies to ban Huawei components from their 5G infrastructure rollouts, arguing that the equipment could be used to sneak in malware for espionage or sabotage. The Department of Defense is also developing a cybersecurity certification model for its contractors in an effort to improve its supply chain's integrity.
Over the last two months, Intel has been spearheading an industry-wide initiative, including significant partners like Lenovo, aimed at improving security in the world's increasingly complex supply chains. (Intel alone works with 16,000 suppliers in 60 countries.) The program, called Compute Lifecycle Assurance, consists of tools and standards that allow organizations to verify that components are what they expect and haven't been tampered with by hackers or other malicious actors. Intel says it plans to share more about "industry momentum" during the RSA conference later this month.
In multiple interviews, Sturm provided the closest look yet at the program.
The interviews have been condensed and edited for clarity.
Adam Janofsky: In one sentence, how would you describe the Compute Lifecycle Assurance initiative that Intel is rolling out?
Jackie Sturm: It is an industry alignment that over the lifetime of a computer, its users and its owners can continuously ensure that it has not been tampered with and has integrity inside the system to perform without intrusion.
AJ: Is there an analogy that can be drawn? Is it like a Carfax for computer components, where you can get a history report for used devices?
JS: I think it would be very similar, honestly. I believe it's going to give you the data you need; just like when you have a used car, it will help you know how well a device has been maintained, what's the current firmware status, how many owners have had it. I think that is actually a pretty good analogy.
AJ: What prompted the initiative?
JS: It's very clear that this is an increasing area of focus worldwide for policymakers, who are starting to shine a much brighter light on supply chain risk. U.S. federal agencies — which we and our customers are selling products to — are looking at supply chain risk as a much more important part of procuring products.
And it's not just the U.S., but if you look to Europe and their focus on digital sovereignty, or Japan and their cyber/physical framework, what we're seeing is everywhere we turn there's a deep interest in scrutinizing the transparency of the supply chain for information and communications technology because it's become so much more pervasive, not just in how we live and work but how the world operates its most critical infrastructure. In this kind of environment, we think there's an opportunity for Intel to step up and provide our customers with a whole range of tools and solutions so they can be confident in the integrity of their platforms across their lifecycle — whether it be from trusted sourcing all the way through to a device's retirement.
AJ: Is it just policymakers, or are businesses also asking for this kind of program?
JS: The business community is absolutely looking for security. All of our customers are hearing these kinds of demands from their end customers. It's not uncommon for them to ask us: "How are you ensuring the security of the devices you're shipping to me?" It's clear there's a collective need and an expectation that we can be a pivot point for some of this work because it's in our collective interest not to duplicate standards and methods and have to reinvent the wheel on our own.
AJ: A Bloomberg story in 2018, which has since been challenged, started a conversation in the industry about malicious actors sneaking components into devices. Is that possible, and is increased traceability able to prevent something like that from happening?
JS: It is possible. But generally, for us, our focus has been more to ensure people are not getting counterfeit components. If things are constrained, if the market is hot, people might give you a part that is not one you're expecting, and that integrated product needs to work at a specific level. Our historical approach has been to make sure we're getting what we're paying for, and what our customers expect.
Over time there has been more concern about the potential for malware to be included in some products, and as a result, you generally see the U.S. government or some major customers asking for a secure supply chain or country-of-origin specifications. Malware hasn't been a particular challenge for us. We've increased the traceability for the components we do have to understand where they're coming from and how they've been handled through the course of their sourcing through delivery to us.
AJ: Can you give an example of what a supply chain cybersecurity issue looks like for Intel?
JS: One of our suppliers is a very large player, and they have a pretty robust set of security processes, but the WannaCry virus [an attack that crippled hundreds of thousands of computers worldwide in 2017 and was carried out by North Korean hackers, according to the U.S. government] was inadvertently connected to their network, and as a result, it brought down equipment that was building products that we were constrained on. They ultimately were able to trace it back to a Windows 7 device that had not been cleansed and was attached to their overall network. That was a challenge, and we worked through it with our supplier, and shared all the learnings across the supply base and asked them to cascade that into their own business continuity plans.
In another situation, one of our suppliers was struck by ransomware. It was a quarter-end period, and this was a constrained commodity that was required to support our customers, and the supplier's data was all locked up. We didn't know it because they weren't allowed by their insurance company to notify anyone that they were subject to this ransomware attack, so we were trying to desperately figure out what to do — what's the failure mechanism, how can we support them? The outcome was they reverted to manual processes and were able to apply brute force to deliver what we needed. We are in the process of building into our contract a waiver that allows a supplier's insurance company to authorize us to be informed so we can assist in the recovery process.
AJ: Can you share more details about who these suppliers were and what they produce?
JS: No. I can say both were in Asia, but we don't release the names of our suppliers except through very structured agreements that we have with them.
AJ: Are you concerned about cyber intrusions that are focused more on espionage instead of disruption?
JS: We believe those types of things would be captured in our deep quality analysis. We do onsite reviews, we have very specific vetting of suppliers through tools that look at the owners of companies, at any IP challenges they've experienced, legal entitlements they have, or accusations. We try to thoroughly vet the integrity of the supplier, and we also adhere very strictly to any controlled country or controlled individual specifications.
AJ: Countries including China and Russia have attracted scrutiny in recent years over laws that give them greater control over the technology that's produced and used there. Are there any countries that Intel wouldn't incorporate into its supply chain?
JS: We in the supply chain do not determine whether we will or will not do business in a specific country if it's unsanctioned, but we will look at alternatives, and we absolutely try to avoid a concentration of sourcing. If we're going to be single-sourced and that factory will be in an area of concern, we try to strengthen our preventive and detective controls, such as quality evaluation that looks at security, compliance to our labor practices laws, etc. We also conduct deep validation that probes the components and commodities. But we as the supply chain organization do not dictate where we will source from. If they're compliant, high-quality, responsible providers, we consider them all.
AJ: Do customers ever request products that have no components from certain countries?
JS: Yes. Sovereign nations, when they are looking for very high-end high-compute capabilities, can ask us for something that excludes materials from certain regions. And those may be more costly, but where that security or provenance of the material is of a particular focus, then we design within those parameters. It's not always easy because it is a globally distributed economy, and people are using comparative advantage to deliver particular elements that go into product, but we can do that, and we do hear those requests.
AJ: With the new initiative, how do you plan to get people to work together on it?
JS: We're definitely still in the early stages. Because of the integrated nature of the computer supply chain, we're going to need to work together with others. It may be regulators, customers, industry consortia, etc. The good thing is this is not the first time we've done something like that. We tend to be in the nice position of a trusted provider in the ecosystem, and we have already got major customers like Lenovo onboard. So we're not entirely alone, but from Intel's standpoint, we think we can help drive it by making some investments in tools we share with others, and leverage some of our long-term experience in collecting, measuring and putting out platform data so we can highlight what we're hearing from all our customers.
We know how to coalesce industry groups, particularly when there is a big impetus going on, which we're clearly seeing today. And by bringing in problem-solving techniques and a vast amount of data, as well as a vision for how we're going to do this together, I think we're in a pretty good position to help drive everyone to work together. We're out actively engaging our customers, key policymakers, and stakeholders to make this work. We are at the early stages, but we think this Compute Lifecycle Assurance program is a great way to get started.