I have to assume we'll start to see a rise in American high tech manufacturing for security purposes alone. Some of these companies may want to manufacturer these critical components themselves, maybe even hand deliver them from their US factory to their customers in the US too.
I know that some refineries do direct delivery for some of their large customers, especially industrial lubricants and other by-products. If the order is big enough, or someone wants to pay the premium, then direct delivery could be very feasible for tech too.
It's
odd to me to assume that people should trust US-based supply chains. We
know that the NSA has done supply chain attacks in the past[1], while in
this case we only have allegations of China doing the same (don't get
me wrong, I wouldn't be surprised if China did this, I'm just saying we
have more evidence for the NSA doing it).
Personally, as someone outside the US, I would gladly trust alleged
Chinese malware over known NSA malware. Or even better, literally any
other country outside the 5-eyes.
Is there any way to solve this problem without needing a "trusted manufacturer"?
I know it won't probably won't apply to general purpose motherboards or devices, but is there a way to design or build some components or devices in a way that you can verify that they can perform their purpose and nothing more?
If we start with that concept, and slowly build up "verifiably secure" components, they can be the islands of security that we can build off of without having to worry if the manufacturing plant left their door open one day and some random person was able to sneak in.
What happens when your attacker knows how your safeguards work and can route around your door though the windows?
For a motivated and well funded attacker who has an ability to manufacture a replacement chip with an additional coprocessor that can siphon or modify data from the main processors, network cards, and baseband modems, short of decapping every chip and component that comes through your assembly line your resources would be better spent on establishing trust mechanisms with your suppliers and the transportation couriers touching your devices before the end user acquires it.
My thought was it would be something that would get more secure the more knew about it, similar to math proofs or cryptography code.
A way to verify a chip is working as expected in a way that it can't be gamed without breaking multiple fundamental proofs, so that you won't need to worry as much about who makes it, just that it "passes the tests". (and you'd probably need a system to validate the validators, but splitting up the people involved means it is significantly harder to hack multiple products to all have them falsely verify each other)
Obviously I have no idea what I'm talking about and am just kind of musing at the idea, but trying to secure the whole supply chain from digging materials out of the ground all the way until it is in the hands of the consumer seems like an exercise in futility. You'll never be able to secure it in all cases, and like you said a truly motivated attacker is going to be able to break the chain (even if it means threatening a handful of people with death so you can get 5 minutes alone with a board).
I know that some refineries do direct delivery for some of their large customers, especially industrial lubricants and other by-products. If the order is big enough, or someone wants to pay the premium, then direct delivery could be very feasible for tech too.