By Seth Jaffe.
Last week, Bloomberg reported a hardware backdoor surreptitiously placed on circuit boards by operatives from a unit of the Chinese People's Liberation Army. This tactic is not new. Indeed, the article claimed that U.S. officials had caught China attempting this in the past. Edward Snowden, back in 2014, famously accused the NSA of covertly implanting interception tools in hardware headed overseas.
Most companies (other than Department of Defense contractors) probably dismissed the nation-state threat, assuming they possessed nothing of value to foreign militaries. But that has changed in view of China's targeting of U.S. intellectual property and North Korea's policy of funding its military through cyber bank theft.
And now we have a new threat, one that may not be sufficiently managed in a conventional cyber security program. I'll leave technical controls to LEO's CISOs (look for a future post on the subject), but I spent last night thinking about the legal issue. Companies installing vendor hardware in their networks may want to demand a representation and warranty that the hardware will be free of vulnerabilities. This is a big ask in light of how difficult it was to locate the Super Micro chip. But if a vendor isn't even obligated to look, the risk increases.
To that end, the following is a draft clause requiring a vendor, at the very least, to spot-check its hardware and to represent and warrant that it is free of vulnerabilities. Obviously, it can be freely negotiated to meet the scope of the deal. I invite my transactional law colleagues to play around with the language and suggest improvements.
For any hardware constructed by, or at the direction of, VENDOR, VENDOR acknowledges that it has conducted a security inspection of a sample of said hardware, with an inspection team that includes, inter alia, the original design team. VENDOR represents and warrants that [there are no/it has no knowledge of any] vulnerabilities existing therein. Furthermore, VENDOR agrees to conduct a spot security audit of the hardware at least annually and to report any security anomalies to COMPANY within 48 hours of discovery.