Pagers attack brings to life long-feared supply chain threat

The deadly attack that caused thousands of pagers used by members of Hezbollah to explode Tuesday shines a spotlight on an inconvenient truth: It is virtually impossible to secure the modern electronics supply chain against a determined and sophisticated adversary.

Experts call the Israeli attack unparalleled in the history of spycraft in its scale and casualty count, and believe the risk is low that other governments will follow suit in rigging consumer electronics this way. But the Lebanon attack brings to life a long-theorized, worst-case scenario that has troubled governments including the United States as electronic devices have grown more complex and global supply chains more convoluted.

The incident may add momentum to political efforts from the United States and others to localize more production of critical technologies at home or with trusted allies.

“This exposes the kind of risk that we’ve been running,” said Mark Montgomery, former policy director for the Senate Armed Services Committee, “with hardware and software running in countries of concern.” On Wednesday, more deadly explosions rocked Lebanon, with a state news agency saying some occurred in a brand of two-way radio.

Israel has not claimed or denied responsibility for the attack but informed Washington of its specifics after the operation through intelligence channels, according to U.S. officials who spoke on the condition of anonymity to discuss sensitive matters. The exact origins of the deadly Hezbollah pagers remained a mystery on Wednesday.

While the devices bore the brand name of Taiwanese pager manufacturer Gold Apollo, the company told reporters the devices were “entirely handled” by a Hungarian company, BAC Consulting KFT. Hungary’s government posted on social media that BAC had no manufacturing site in the country, and The Washington Post could not reach BAC for comment.

Much of the world’s electronics supply chain runs through Taiwan, a self-governed island off the coast of China, or through other countries in East Asia. However, construction of the typical modern gadget involves dozens of countries, with a dizzying number of component suppliers, contractors and subcontractors.

A fire engine and ambulances responded to a shop in Sidon on Sept. 18, as Lebanon’s state news agency reported new blasts linked to electronic devices. (Video: Reuters)

“When you have these global marketplaces, it’s sometimes really hard to figure out exactly where something came from,” said Daniel Castro, vice president of the tech policy think tank Information Technology and Innovation Foundation, who previously audited IT security for federal agencies.

After decades of globalization, officials in Washington had begun warning that dependence on overseas manufacturers for everything from batteries to cargo cranes could bring security risks. Both former president Donald Trump and President Joe Biden have pushed to reshore more high-tech production to the United States, in a rare point of policy agreement. Governments in Europe, China and other parts of the world have launched similar drives.

Hezbollah’s use of pagers, a throwback technology, reflected the growing understanding that more advanced electronic devices like smartphones are easily hacked or modified.

“They can’t use mobile phones. They can’t use pagers. They now can’t use radios,” said Nigel Inkster, former director of operations and intelligence for British intelligence agency MI6, of Hezbollah. “It’s going to be very, very difficult for them in the short term to exercise effective command and control.”

How and where the pagers were tampered with is still unclear and such operations can count among governments’ most closely guarded secrets.

One of the most detailed cases publicly known surfaced in 2014, via documents leaked by former National Security Agency contractor Edward Snowden. They described a secret warehouse where NSA workers intercepted electronic devices shipped from U.S. networking supplier Cisco Systems, without the company’s knowledge. Documents and photos indicated that the workers carefully opened the boxes, implanted surveillance devices into the products, and sent them onward to the unsuspecting overseas customers.

Israeli operatives may have used a similar process to intercept pagers after they were shipped from the factory. It’s also possible the pagers were tampered with at the factory, a scenario that could require the involvement and secrecy of a greater number of people. And some supply chain infiltrations have involved cooperation from a manufacturer.

“Ten years later, and shipment security never improved,” Snowden posted on X on Tuesday. He also called the pager bomb operation a “horrific precedent” and “crime,” saying that “everyone in the world is less safe for it.”

Andrew Hammond, a historian at the Washington-based International Spy Museum, said there is a long history of intelligence agents using everyday devices that hide deadly secrets to kill targets, from a poison-tipped umbrella to exploding landline telephones. But he said that an attack on so many individuals at once with modified gadgets appeared to be unprecedented.

“I certainly can’t think of anything that’s happened on this scale,” Hammond said. “It’s almost flabbergasting.”

Israel has used compromised electronic consumer devices against its enemies in the past. In 1996, Yahya Ayyash, a Hamas bombmaker, was killed when he answered a call from a cellphone rigged with explosives, likely placed there by Israeli operatives through a relative of one of Ayyash’s friends. In 2000, an activist from Fatah, the Palestinian political party, was killed when the cellphone he was using exploded.

Video verified by Reuters shows the moment of an explosion at a funeral in Kfar Sir, Lebanon, on Sept. 18. (Video: The Washington Post)

Israel, working with the United States, created a cyberweapon called Stuxnet in the late 2000s that infiltrated computers running Iran’s uranium enrichment centrifuges and slowly caused the spinning machines to fail while making it look like an operator error. The computer worm stunned cybersecurity experts with its sophistication, but also inadvertently spread to other industrial control computers around the world.

Like Stuxnet, this week’s pager attack in Lebanon will likely cause security agencies around the world to reassess the potential threats they face. Michael Watt, a supply chain expert with the business risk consultancy firm Kroll, said governments may begin to increase inspections of shipments of consumer goods going in and out of their ports.

“This should be very much a wake-up call for national governments to consider any gaps in their own customs controls,” Watt said.

But the complex web of international trade underpinning the electronics industry depends on the fact that most items cross borders with little scrutiny. “That would lead to additional bottleneck of supply chains if all goods need to be additionally inspected,” Watt added.

In recent years, U.S. officials have become increasingly focused on securing U.S. communications systems against intelligence operations or attacks from China. These efforts have included subsidizing domestic production of cell tower technologies and the chips that power communications systems, banning Chinese telecom gear made by the likes of Huawei, and restricting the use of smartphones from Chinese brands by government employees.

Taiwan, a world leader in electronics manufacturing, has generally been viewed in Washington as a dependable friend and a counterbalance to China, but more recently, the United States has sought to reduce its dependency on the democratic island that nearby China claims as its own territory.

The Biden administration has pushed for the world’s biggest producer of chips, Taiwan’s TSMC, to move some of its operations to the United States to ensure security for U.S. customers. Trump has on the campaign trail blamed Taiwan for stealing the U.S. chip business.