Most of our attention around supply risk in the past few years has been diverted to deploying preemptive strategies and programs to identify, manage and mitigate supplier financial risk and to minimize the fallout from Black Swan events that disrupt supply chains across a particular geography. But supply risk can manifest in areas far beyond supplier financial hardship/bankruptcies and production/logistics disruptions from weather and other natural (or man-made) disasters. Consider a recent case involving HP hardware, according to a story in PC Magazine.
The article sums up the rather unsettling situation by noting that “Hewlett-Packard is trying to figure out what happened as the technology giant warned customers that some of the HP ProCurve switches shipped last year contained malware-laden flash cards…While the malware couldn’t do anything to the 10 Gbps-capable line of LAN switches, if the customer ever decided to re-use the card and insert it into a computer, that computer would likely be compromised.”
Unfortunately, this is not a one-off occurrence. Later in the article, we learn that “Software and hardware embedded with malware are often shipped because of a malicious actor or a compromised computer somewhere in the supply chain, Greg Schaffer, acting deputy undersecretary of the DHS National Protection and Programs Directorate, told a House committee last July. When pressed for details, Schaffer just said he was ‘aware of instances where that has happened.’”
Spend Matters readers likely recall our past coverage of DoD-related concerns surrounding supply chain traceability, especially for sub-tier components from overseas making their way into military equipment. The “ET Phone Home” type of embedded chips and parts/components, through which China gains access to secrets or, worse, gains control over assets, is certainly a worst-case scenario here. But like it or not, it seems that we now must all consider supply risk for the hardware we purchase to run our systems, and the steps computer and networking providers are taking to secure their supply chains.