The paranoia of trojan horses in supply chains

The pager attack also reminds both security and insecurity organisations of the importance of the human factor.

The wave of exploding pagers and walkie-talkies that hit Hezbollah in Lebanon and Syria will spur the ongoing trend of ‘reshoring’ and ‘near-shoring’ manufacturing, and reducing reliance on global supply chains.

This week, the US proposed to clamp down on automobile imports from China and Russia for security reasons. It’s a small segment of the auto market, but the US commerce department proposes to ban the import of smart cars and auto components from the two countries because modern vehicles are, potentially, internet-connected surveillance units. It isn’t completely outlandish, but it does look like the popularity of hackers in action movies is stirring the popular imagination.

After a border conflict with China began in 2020, the Indian government had similarly curbed the use of Chinese-made communications equipment in sensitive areas and banned their apps from mobile networks. Network infrastructure manufacturers Huawei and ZTE were excluded from India’s 5G trials. The US and Australia banned them from supplying 5G equipment. The UK is weeding them out of its 5G network, and Germany proposes to exclude them from critical infrastructure in two years.

But globalisation has been a powerful economic and cultural force throughout human history, as inexorable as osmotic pressure and gravity. We regard it as a modern phenomenon dating from the European age of exploration, but goods and ideas had travelled across the Old World in early times, following the laws of demand and supply.

Curbing globalisation for security concerns doesn’t work, as socialist India learned. The import of Chinese goods like smartphones paradoxically boomed after the 2020 crackdown, because market forces don’t respect politics.

An example from an even more sensitive sector than telecom: Indian-made munitions sold in Europe have found their way into Ukraine, riling Moscow. The weapons trade is strictly regulated by end-use certification, which earmarks military hardware for specific buyers and purposes. But the laws of economics have always trumped them, though the Indian government has ritually denied a Reuters report as “speculative and misleading”.

The pager attack also reminds both security and insecurity organisations of the importance of the human factor. Israel has demonstrated extraordinary intelligence capabilities in infiltrating the supply chain of the Taiwanese pager brand Gold Apollo, whose products exploded.

The company has denied manufacturing the rigged pagers, which were traced to the operations of a businesswoman in Hungary. Her company, too, claims that they were middlemen and the Hungarian security agency asserts that the pagers were never in its territory. The trail becomes labyrinthine after that.

The Hezbollah incident must be the most successful remote attack with physical consequences since the Stuxnet worm that sabotaged Iran’s nuclear programme in the late 2000s. The methods were different, but there is one significant similarity: both were made possible by physical human intervention.

Stuxnet targeted highly specialised equipment in nuclear fuel production facilities in Iran. Detected in 2010 after three years in stealth operation, it is regarded as the first cyberweapon. The pager hack is primitive in comparison: an explosive charge packed beside the battery, along with a circuit board that would trigger a detonator on command. The command was sent as a standard system-wide page.

Iran’s nuclear facilities were ‘air-gapped’, meaning that their network was isolated from all others, including the internet. The gap could have been bridged only by a human being who copied the malware to the system from storage media. Similarly, Hezbollah had ordered the rigged pagers to build a secure communications system isolated from other networks, but the devices themselves were Trojan horses.

Stuxnet, and now the pager attack, remind us that while the romance of hacker culture is beguiling, it is direct human intervention that does maximum damage to a system of trust, which is what all networks are, whether digital or physical. The humans who compromise systems usually go unsung, but those who expose breaches become famous and sought after by security agencies.

The surveillance programme of the US’s National Security Agency was exposed by Edward Snowden, the most celebrated resident of the transit lounge of Moscow’s international airport. WikiLeaks hit the headlines with a chilling video of US military action against civilians in Iraq, smuggled out of a military base on a CD labelled ‘Lady Gaga’. It remains to be seen who will become famous for dissecting the pager attack.

Meanwhile, security agencies and militaries will become more alert to human intervention. Hezbollah is a major player in the region with representation in the government of Lebanon, a large stockpile of ballistic missiles and a medium-sized standing army.

It is surprising they did not detect the increased weight of the booby-trapped pagers. They must be deeply embarrassed and would want to do something about it.

At the same time, governments may use the famous ‘security reasons’ to restrict electronics imports. Pagers are niche but used in critical settings like hospitals. The Hezbollah attack provides a good reason for production facilities to be revived domestically. The fear of auto imports is nebulous in comparison. But there will always be something to fear. Washing machines, toasters, MP3 players - the possibilities are endless.

(Views are personal)

(On X @pratik_k)

Pratik Kanjilal | For years, the author has been speaking easy to a surprisingly tolerant public

The New Indian Express
www.newindianexpress.com