Welcome to Supply Chain Hell

Shortages Highlight Tech and Security’s Critical Role in the Global Market

The word of the week (or month, even year) is “supply chain” and it’s been causing a ruckus. Let's take a closer look at the two recent headlines that reflect this supply chain hell: The global microchip shortage and the American gasoline market.

Microchip Shortage Crisis Reaches New Urgency

You might have noticed a few headlines and articles mentioning the global semiconductor microchip shortage. This a big deal, enough that it may be hard to conceptualize in a tangible sense. The current shortage threatens to destabilize the entire supply chain ecosystem of essentially every major industry. This week the shortage has hit new levels of distress and at the same time, the monthly consumer price index has begun to show signs of inflated prices due to higher production costs for goods. In other words, our life and the digitized ecosystems that support it will be impacted by the microchip shortage, and we have just hit a turning point.

In a tangible sense, “supply chains” are informal ecosystems reflecting the intertwining relationships between goods, services, and the resources (natural or manufactured) that they rely on – including how these relationships interact with other industry sectors, or how they might feedback into collecting more resources. Supply chains tell us that if there is a shortage of microchips, there will also be a shortage of electronics; if there is a shortage of electronics, there will also be a shortage of vehicles. If there’s a shortage of vehicles, all of the things that require vehicles to be transported will also experience shortages. And this all costs $$$.

The microchip shortage, in particular, is forcing us to confront the repercussions of the shortage in other industries, even those that do not manufacture microchip-laden goods. The more interpersonal consequence of the shortage results in increased consumer prices, which drives directly into the “surplus” of cash on hand for many households.

The major U.S. policy holdovers from the Trump administration favor industrial nationalism and a firm stance against China, which has been responding to the microchip shortage in its own way. We are being told by the Biden administration that both of these hawkish policies will be necessary to gain domestic supply chain independence in the semiconductor space. Regardless of the many microchip summits of the past and future in the White House, it’ll take years and billions of dollars to make true supply chain independence happen.

Ransomware Attack Reminds us Critical Infrastructure Security is Essential for Supply Chain Health

Not be outdone in the apocalyptic-headlines-of-the-week contest: A major ransomware attack triggered a gas shortage on the East Coast of the United States.

Colonial Pipeline cautiously restarted operations Wednesday evening following an aggressive ransomware attack that forced a shutdown of services last Friday. By Monday, the FBI issued an update that the ransomware in the attack was linked to the Russian group DarkSide.

DarkSide itself acknowledged the incident on the group’s website and appears to take credit for the attack claiming that their motivation was to make money, and didn’t mean to spark the resulting market chaos. It is currently believed that about 100 gigabytes of data were stolen in the hack and that the company’s computer system was accessed through parts of its network responsible for business and administrative operations.

Colonial Pipeline is one of the largest pipeline operators in the United States, and because the company provides almost half of the fuel on the East Coast, the shutdown triggered a gas buying frenzy in Eastern states. This rolled into a gas shortage during the first half of this week. We even spotted some social media posts showing plastic bags being used to transport purchased gasoline instead of gas canisters.

The situation has resulted in several states (such as Virginia and Florida) declaring their own state of emergency, as well as temporary federal orders to mitigate the fallout from the closure that includes waiving the 11-hour-per-workday limit for gasoline transporters.

Now is the Time to Listen to the Experts

The material consequences of a microchip shortage and the pipeline ransomware incident – and all the ways these shortages impact the many different supply chains that they touch – are distressing. But perhaps equally distressing is the knowledge that security experts have been predicting massive cybersecurity attacks on critical infrastructure (like what happened to Colonial Pipeline) for some time. Last year, there was a record-breaking number of cyber attacks against critical infrastructure, including against systems that provide water and electric utilities. And there is no indication that such attacks are going away anytime soon.

This is the time to listen to experts or, at the least, find a way to integrate the life’s work of professionals who have made it their mission to find solutions to these problems. In the first two years of the Trump administration, 1,200 federally funded scientists were pushed out the door while the Trump administration waged a long and hard battle against the role of subject matter experts in policy-making decisions.

Consider the microchip shortage: In our opinion, some of the best analyses on the flailing microchip industry come from Ben Thompson on his Stratechery blog. His prescient note from May of last year about the geopolitics of microchips, most of which come from Taiwan, foreshadowed many trends coming to a head today. These trends indicated that political systems, supply chains, and computing are all being pushed to unsustainable thresholds, and each requires a careful examination.

We seem to be at an even 50/50 split here at Hatemail. We are by no means supply chain experts, and after all, we are humans (well...mostly). Some of us see these events as the means to an end that results in extinction. Some of us conversely see this as an opportunity to return to a time when we let the smart people who do the smart things guide us on a path of recovery and ultimately towards whatever path isn’t a dystopian cyberpunk wasteland.

In the interim, as we collectively navigate supply chain hell, let’s hope the memes are good. #YOLO

P.S. Please don’t put gasoline in bags. We need those bags for Sprite.

Fraud, Leaks, and Phishing

• [Washington Post] Last Friday, news broke that the Trump administration’s Justice Department secretly obtained phone records of journalists working for the Washington Post. Three journalists were notified by the Justice Department earlier this month that the agency had received 2017 “toll records” of their personal phones. It appears the Department had tried to obtain email records for the three journalists due to their reporting on the Trump administration and Russia’s interference in the 2016 election.
• [NBC News] [CNN] Fraudulent COVID-19 vaccine cards are popping up all over the country. The market for fake cards has grown as the anti-vaccination movement and online conspiracy theories concerning COVID-19 have gained traction among Americans.
• [Vice] A large phishing scheme targeted workers across the country earlier this year, attempting to buy company login details from workers. It turns out that the groups associated with the phishing schemes are linked to a well-funded start-up called Argyle, which sells access to employment and payroll information.
• [Wired] In 2020 the Finnish mental health company Vastaamo (which is now defunct) experienced a massive data breach of patient information, including social security numbers and therapist notes. The breach resulted in an extensive blackmail scheme against former patients and revealed major security vulnerabilities, and outright negligence, in Vastaamo’s system.

China’s Militarized Surveillance and Cyber Espionage

• [Technology Review] The Chinese government used exploits found on Apple devices and Google’s Chrome browser to track and spy on Uyghurs, the country’s Muslim minority, whose treatment by the Chinese government is increasingly being recognized as a genocide by the global community. U.S. officials believe the exploits were developed at a hacking competition.
• [Intrusion Truth] The folks at Intrusion Truth breakdown what we know about Li Xiaoyu and Dong Jiazhi, to Chinese hackers affiliated with the Guangdong State Security Department.
• [The Record] According to procurement documents obtained by The Record, a Chinese military unit bought batches of different antivirus products in 2019. The very same unit was accused of cyber-espionage last month by Japanese authorities.

On Our Radar...

• [Verge] [Mashable] Last week, the notoriously violent website LiveLeak shut down following 15 years of hosting brutal footage of real violence, such as videos of real murder, acts of terrorism, and everyday crime. Founder Hayden Hewitt has not publicly disclosed the reason behind the decision but has launched another, content moderated media site called “ItemFix.”
• [Mother Jones] A group of security researchers from the British cybersecurity company Comparitech recently discovered a massive bot farm designed to influence public opinion via Facebook during the 2020 presidential election. Researchers believe that, during some months, over 200k political posts were produced by the farm.
• [AP] A new report released by the New York State Office of the Attorney General found that a broadband industry group submitted millions of fake public comments against net neutrality to the Federal Communications Commission (FCC). The coordinated campaign was, reportedly, meant to make it appear like there was grassroots support for repealing net neutrality.
• [Bellingcat] The 2020 Annual Report produced by Bellingcat has been released which transparently details all of the work that has happened in the past year, lists contributors and recognition, financial and organizational recording, and breaks down individual investigations.

(NOT) A Hate speech website: hate.wiki

Who hosts: Us!!!!

Tech Against Fascism and LaBac Collective are pleased to announce that we have started work on hate.wiki, a wiki dedicated to archiving information related to known hate groups around the world. It’s early days, but go ahead and have a look as we begin to catalog and collate the wealth of information we have to work with!

CyPurr Session: Mobile Security (Sat. May 15, 2021 - 2:00pm to 3:00pm EDT)

This month our comrade organization CyPurr Collective is running a workshop on mobile security! They’ll be covering techniques and concepts you can implement in your own day-to-day security models to be a bit more at ease about your phone and what it's doing for you! [RSVP]

S.T.O.P. x RadTech: Carceral Technologies & Imprisonment Remarketed (Tues. May 18, 2021 - 3:00am to 4:00am PDT)

S.T.O.P., a local organization in the Electronic Frontier Alliance is co-hosting an event with RadTech to examine the ways that technology recreates carceral systems beyond the borders of jails and prisons. [RSVP]