Exploding pagers sound global alarm for supply-chain security

Thousands of pagers and other devices exploding in Lebanon this week mark a new and deadly escalation in the use of supply chains against adversaries, giving new urgency to global leaders' drive to reduce their dependence on technologies from rivals.

Lebanese officials believe the gadgets were rigged with explosives as part of an elaborate attack allegedly by Israel on Hezbollah, penetrating the Iran-backed group's procurement chain with links from Taiwan to Hungary.

While booby-trapped devices have been used in spycraft for years, the scale and violence of the attacks in Lebanon - which killed at least 37 people, including two children, and injured about 2,300 more - alarmed even some seasoned officials. They fear the globalized supply chains that help produce cheap goods and power global growth could become weapons in the hands of foreign adversaries.

"When you depend on other nations for key inputs or technology you give them a back door into everything you do," said Melanie Hart, who until recently was a senior State Department official responsible for these issues and now is at the Atlantic Council. "This is a demonstration of what it looks like to weaponize that dependence."

US officials have long acknowledged that the US is too dependent on China for a variety of goods and services and in recent years the government has begun seeking to move some vital supply chains, especially those that touch on national security, to the US, a process known as on-shoring, or moving them to friendly countries, known as friend-shoring.

A former senior US intelligence official described the Lebanese blasts as just the latest and most dramatic of a number of supply-chain attacks underway around the world at the moment. They often take years to prepare and tend to be narrowly targeted to limit collateral damage, the official said, asking not to be identified to discuss matters that aren't public. Interdiction operations - where goods are intercepted and tampered with before delivery to their ultimate recipient - are rampant, the former official said.

"Infiltrating a supply chain is a pretty standard tool of intelligence services," said Holden Triplett, a former Federal Bureau of Investigation official. "In the last few years, we seen it used mostly to collect information but as we've witnessed recently it can also be used for targeted killings."

US spies have a history of taking advantage of America's dominance in many supply chains to insert technologies to target rivals, from the Stuxnet operation that struck Iran's nuclear program to revelations over a decade ago that agents modified equipment from US tech companies shipped overseas.

Protecting against intrusion in the virtual world is especially difficult.

"You have a lot of devices out there, whether they're communication, whether they're critical infrastructure, that already have malicious code inside," said Eran Fine, chief executive of Israeli company Nanolock Security, which secures industrial critical infrastructure from cyberattacks and disruptions along the supply chain.

Washington has sought to reduce or even eliminate reliance on Chinese firms for infrastructure and national security, including removing hardware in a program known as "rip and replace."

But interdependence is hard to escape. Last year the US navy reduced the number of Chinese supplies in its "critical technologies" supply chains by some 40 per cent, according to Govini, a government data analysis firm. But the Air Force and other defense agencies increased their dependence on China, according to the firm.

China, for its part, has long been engaged in a push for "indigenous innovation" to lessen the country's reliance on foreign technologies from jet engines to computer operating systems. Last year, multiple Chinese agencies and government-backed firms ordered staff to stop bringing iPhones and other foreign devices to work.

Alternatives can be hard to find.

"The U.S. can rely on high-tech partners everywhere - staunch allies, friends we share our deepest intelligence secrets with," said Hart, the former US official.

Even going low-tech can't guarantee security, as events in Lebanon this week demonstrated.

Hezbollah had embraced pagers - a technology synonymous with the 1990s - in a bid to avoid US and Israeli surveillance.

"Hezbollah decided to go low-tech to reduce its susceptibility to attack, but clearly you can't go so low-tech that you escape vulnerabilities," said Brad Glosserman, a senior adviser at Pacific Forum, a think-tank.

"The bottom line is that in a world of grossly extended supply chains, vulnerabilities are part of the system," said Glosserman. "Every organization has to buy things. Vulnerability is a fact of life."