Scandal Involving Major Companies, Pentagon, Congress, Homeland Security Illustrates Need for Proper ITAM Procedures; No Firm or Agency Gets a Pass Just Because the Global Supply Chain is Complex.
CANTON, Ohio–(BUSINESS WIRE)–Could the insertion of grain-of-rice-sized microchips in servers headed
for Amazon, Apple, other leading companies, the Department of Defense,
Congress, and Homeland Security have been detected and exposed earlier? Not
only could this have happened, but it should have as a result of
adhering to good Information Technology Asset Management (ITAM)
procedures, according to the International Association of IT Asset Managers (IAITAM).
IAITAM noted that Apple alone appears to have applied at least some
proper ITAM practices for equipment acquisition and detected problems
with the Super Micro Computer Inc. (Supermicro) servers containing the
tiny microchips installed for hacking and spying purposes. The fact that
Apple spotted the issue in 2015 and stopped using Supermicro servers
shows that ITAM procedures work … even in the case of a nearly
microscopic flaw in the IT assets in question.
IAITAM President and CEO Barbara Rembiesa said: “Make no mistake
about it: This was a preventable hack and Apple deserves credit
for doing some things right here. The global supply chain is
complex, but companies do not get a pass because of that when it comes
to managing the IT assets that they use or sell to others. Companies
need to follow proper Information Technology Asset Management practices
to make sure that every piece of equipment is needed, configured and
functioning as intended, and is monitored on a continuing basis after
use starts. The Supermicro scandal shows that even the biggest
companies and government agencies don’t do their homework when it comes
to the handling of new IT equipment.”
Bloomberg was the first to report that unauthorized microchips had been
inserted into motherboards bound for servers sold by California-based
company Supermicro. According to the news account, the secret microchips
are capable of altering server code and downloading software to get past
passwords and other encryption. Three years after the microchips were
originally discovered in 2015 by Apple, no technology for consumers to
detect the microchips has been invented. The microchips, which have been
linked to Chinese interests, are meant to steal corporate secrets and
breach government networks.
Rembiesa highlighted three notable moments on the Supermicro timeline:
Microchips Installed: Bloomberg reported that thieves
Apple Reacts: Meanwhile, Apple began disposing of
The Pentagon’s Summit: In September of 2015 the Pentagon
Rembiesa noted: “Fortunately, there are breadcrumbs on this trail and
they can be followed. Assuming proper documentation procedures
have been followed, authorities should be able to use invoices, shipping
manifests, and other documents to help with their missions. Proper
documentation is a best practice of a well-run ITAM program.”
How could ITAM help prevent a Supermicro-like situation in the future?
ITAM involves a detailed process that focuses on optimal acquisitions of
hardware, software, and any other IT asset an organization buys or
leases. Stages of this acquisition process include justifying the
purchase, managing negotiations with vendors and assembling vital
documents, such as the terms and conditions, among others.
A key part of the process is the testing of the hardware or software.
This stage determines whether the asset is appropriate and compatible.
At some point during their relationship with Supermicro, Apple
determined that the servers were inappropriate and incompatible. Apple’s
ITAM staff identified Supermicro as a threat during the “testing”
stage of the process. They stopped buying from Supermicro and also
returned the products already purchased.
Beyond the acquisition process, Rembiesa said that IT Asset Managers
should be immediately consulted in a situation like this because of
their use of discovery data within an organization’s IT Asset
Repository. This process helps IT Asset Managers identify exactly where
hardware is located within an organization, cutting down immensely on the
time needed to find flawed or sabotaged pieces of equipment. The quicker
the hardware is identified and then “unplugged” from an organization’s
environment, the less damage the sabotaged item or items can do.
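One way to put the discovery-data step and the documentation "breadcrumbs" into practice, as an added example that is not IAITAM's code or anything from the press release: a small Python reconciliation of a network discovery scan against an IT Asset Repository, which flags devices on the network that were never recorded, flags recorded units the scan cannot find, and locates every recorded unit from a flagged vendor together with the purchase order, invoice and shipping manifest that trace it back to the supplier. All records, serial numbers, model names, switch ports and document ids are constructed placeholders.

```python
"""Added example, not IAITAM's code: reconcile discovery data with an IT Asset
Repository and locate every unit from a flagged vendor with its paper trail."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRecord:
    """One repository row: the unit plus the procurement documents behind it."""
    serial: str
    vendor: str
    model: str
    location: str           # where the repository says the unit is racked
    purchase_order: str
    invoice: str
    shipping_manifest: str


# Constructed sample data: serials, model names and document ids are placeholders.
REPOSITORY = [
    AssetRecord("SN-0001", "Supermicro", "MODEL-A", "DC1 rack 12", "PO-1001", "INV-5001", "SHP-9001"),
    AssetRecord("SN-0002", "Supermicro", "MODEL-A", "DC2 rack 3", "PO-1001", "INV-5001", "SHP-9002"),
    AssetRecord("SN-0003", "OtherVendor", "MODEL-B", "DC1 rack 4", "PO-1002", "INV-5002", "SHP-9003"),
]
# Constructed discovery scan: serials seen on the network and the switch port that saw them.
DISCOVERED = [
    {"serial": "SN-0001", "switch_port": "sw-dc1-12/1"},
    {"serial": "SN-0003", "switch_port": "sw-dc1-4/7"},
    {"serial": "SN-9999", "switch_port": "sw-dc2-8/2"},  # on the network, never purchased
]


def reconcile(repository, discovered):
    """Return (unrecorded, unseen): serials on the network but absent from the
    repository, and repository serials the scan never found (missing, moved or
    powered off). Both lists need a follow-up in a well-run ITAM program."""
    recorded = {a.serial for a in repository}
    seen = {d["serial"] for d in discovered}
    return sorted(seen - recorded), sorted(recorded - seen)


def locate_vendor(repository, discovered, vendor):
    """List every recorded unit from `vendor`: its recorded location, the port
    the scan last saw it on (None if unseen) and its PO/invoice/manifest trail."""
    last_seen = {d["serial"]: d["switch_port"] for d in discovered}
    return [
        {"serial": a.serial, "location": a.location,
         "last_seen_on": last_seen.get(a.serial),
         "trail": (a.purchase_order, a.invoice, a.shipping_manifest)}
        for a in repository if a.vendor.casefold() == vendor.casefold()
    ]
```

A unit that is in the repository but not in the scan (here SN-0002) is the case the press release warns about: the paper trail says where it should be, and someone has to go and confirm it before it is treated as "unplugged".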
The International Association of Information Technology Asset Managers,
Inc., is the professional association for individuals and organizations
involved in any aspect of IT Asset Management, Software Asset Management
(SAM), Hardware Asset Management, Mobile Asset Management, IT Asset
Disposition and the lifecycle processes supporting IT Asset Management
in organizations and industry across the globe. IAITAM certifications
are the only IT Asset Management certifications that are recognized
worldwide. For more information, visit www.iaitam.org,
or the IAITAM mobile app on Google Play or the iTunes App Store.
International Association of IT Asset Managers (IAITAM)