Exploding Pagers Raise Global Supply-Chain Security Concern
Thousands of pagers and other devices exploding in Lebanon this week mark a new and deadly escalation in the use of supply chains against adversaries, giving new urgency to global leaders’ drive to reduce their dependence on technologies from rivals.
Lebanese officials believe the gadgets were rigged with explosives as part of an elaborate attack allegedly by Israel on Hezbollah, penetrating the Iran-backed group’s procurement chain with links from Taiwan to Hungary.
While booby-trapped devices have been used in spycraft for years, the scale and violence of the attacks in Lebanon – which killed at least 37 people, including two children, and injured about 2,300 more – alarmed even some seasoned officials. They fear the globalized supply chains that help produce cheap goods and power global growth could become weapons in the hands of foreign adversaries.
“When you depend on other nations for key inputs or technology you give them a back door into everything you do,” said Melanie Hart, who until recently was a senior State Department official responsible for these issues and now is at the Atlantic Council. “This is a demonstration of what it looks like to weaponize that dependence.”
US officials have long acknowledged that the US is too dependent on China for a variety of goods and services and in recent years the government has begun seeking to move some vital supply chains, especially those that touch on national security, to the US, a process known as on-shoring, or moving them to friendly countries, known as friend-shoring.
“If Israel can do this, China can do it too,” said US Representative Seth Moulton. “Long, opaque supply chains leave gaps that can too easily be exploited, and we need a strategy for closing them in close collaboration with our allies.”
A former senior US intelligence official described the Lebanese blasts as just the latest and most dramatic of a number of supply-chain attacks underway around the world. They often take years to prepare and tend to be narrowly targeted to limit collateral damage, the official said, asking not to be identified to discuss matters that aren’t public. Interdiction operations – where goods are intercepted and tampered with before delivery to their ultimate recipient – are rampant, the former official said.
“Infiltrating a supply chain is a pretty standard tool of intelligence services,” said Holden Triplett, a former Federal Bureau of Investigation official. “In the last few years, we seen it used mostly to collect information but as we’ve witnessed recently it can also be used for targeted killings.”
The operation was put in place by Israel years ago as a measure to use in case of a major war with Hezbollah, according to people with knowledge of the plan. On Thursday, Israel carried out extensive air strikes across southern Lebanon, a further sign of its focus on Hezbollah and deep concern about the heavily armed Iran-backed militant group on its border.
China has prepositioned cyber attackers to “wreak havoc on our critical infrastructure at a time of its choosing,” Federal Bureau of Investigation Director Christopher Wray warned in April. “Its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”
US spies have a history of taking advantage of America’s dominance in many supply chains to insert technologies to target rivals, from the Stuxnet operation that struck Iran’s nuclear program to revelations over a decade ago that agents modified equipment from US tech companies shipped overseas.
Protecting against intrusion in the virtual world is especially difficult.
“You have a lot of devices out there, whether they’re communication, whether they’re critical infrastructure, that already have malicious code inside,” said Eran Fine, chief executive of Israeli company Nanolock Security, which secures industrial critical infrastructure from cyberattacks and disruptions along the supply chain.
Tom Katsioulas is among those calling attention to that danger. He’s been working on semiconductor security for nearly a decade, first with Mentor Graphics Corp. — now part of Siemens AG — and then with the Global Semiconductor Alliance. The technology to track chips exists but building a multi-company, multinational platform has been an uphill battle, he said.
“Everybody wants security. Nobody’s going to pay for it. And when things break, everybody blames somebody else,” said Katsioulas, who left the chip organization and is now on the US Commerce Department’s Internet of Things Advisory Board.
The government needs to allocate some of its Chips Act funding to semiconductor plants to jumpstart a program to begin tracking the components, he argued. Establishing a rigorous security system requires just $5 million to $10 million per plant, Katsioulas estimates. But critics tell him the cost escalates dramatically once you add up the hundreds or even thousands of parties involved in any typical chip supply chain.
“People tell me, ‘good luck,” he said.
Washington isn’t blind to the threat. It’s sought to reduce or even eliminate reliance on Chinese firms for infrastructure and national security, including removing hardware in a program known as “rip and replace.”
But interdependence is hard to escape. Last year the US navy reduced the number of Chinese supplies in its “critical technologies” supply chains by some 40%, according to Govini, a government data analysis firm. But the Air Force and other defense agencies increased their dependence on China, according to the firm.
China, for its part, has long been engaged in a push for “indigenous innovation” to lessen the country’s reliance on foreign technologies from jet engines to computer operating systems. Last year, multiple Chinese agencies and government-backed firms ordered staff to stop bringing iPhones and other foreign devices to work.
Alternatives can be hard to find.
“The U.S. can rely on high-tech partners everywhere — staunch allies, friends we share our deepest intelligence secrets with,” said Hart, the former US official.
“China’s best options for friend-shoring are Russia, North Korea, and Syria,” she said. “Beijing is shopping for new friends in the global South but it’s hard to replicate the Western technology advantage.”
Even going low-tech can’t guarantee security, as events in Lebanon this week demonstrated.
Hezbollah had embraced pagers — a technology synonymous with the 1990s — in a bid to avoid US and Israeli surveillance.
“Hezbollah decided to go low-tech to reduce its susceptibility to attack, but clearly you can’t go so low-tech that you escape vulnerabilities,” said Brad Glosserman, a senior adviser at Pacific Forum, a think-tank.
“The bottom line is that in a world of grossly extended supply chains, vulnerabilities are part of the system,” said Glosserman. “Every organization has to buy things. Vulnerability is a fact of life.”
Top photo: The remains of exploded pagers in Lebanon on Sept. 18. Photographer: AFP/Getty Images.