Transparent Supply Chain: What’s Ahead in Security and Sustainability | Intel Business
(upbeat electronic music) - [Announcer] You're watching "InTechnology," a video cast where you can get smarter about cybersecurity, sustainability, and technology. Here are your hosts, Tom Garrison and Camille Morhardt. - Hi, and welcome to the "InTechnology" podcast, I'm your host, Tom Garrison, and with me as always is my co-host, Camille Morhardt.
And today we have a guest, Patrick Bohart, who is a longtime Intel employee that I have had the privilege to work with for many, many years. And he is currently leading Intel's effort around Transparent Supply Chain, a topic that we've talked about before, but we're gonna go into depth today, really to give an update on what is the capability, and how are people using it, and so forth. And so, Patrick, welcome to the podcast. - Happy to be here. Thanks, Tom, thanks, Camille. - So, Patrick, you know, we've talked about Transparent Supply Chain before, but for those guests that may not have heard the podcast previously, can you describe what Transparent Supply Chain is and what problem it's trying to solve? - 100%.
So, Transparent Supply Chain is a process by which we gather information as compute systems are manufactured. So, we start back at the components, the component standpoint, as components are assembled into motherboards, gather information as the motherboard gets configured into a full system, all the way through the supply chain until the device arrives at its final destination, whether that's an IT organization, or a data center, or a cloud service provider. And the Transparent Supply Chain process leverages the fact that Intel's tools, Intel's manufacturer tools, are in every factory around the world that's building anything based on Intel.
And so we use that beachhead, we use that tool footprint, to take electronic measurements of the platform, not only what components are active, or what components are communicating to subsystems like the CPU and stuff like that, but also, where are we? Who's involved in the supply chain? What ODM is this? What OEM is this? What country are we in? We electronically gather all that information as the system's being built, and we make that available to the end-user, who can then use it to generate insights, like, "Did I get what I purchased?" Or "did the system arrive and the exact same state that it left, or was there any evidence of tampering?" So that, at a really high level, is the Transparent Supply Chain process. - That is mostly sort of a security value proposition. Are there other use cases of the using that same data, but in other other ways? - A lot of the security technologies that we use today that involve telemetry of the platform, they started for the purposes of quality.
Do we know exactly what manufacturing lines this device, or these devices, came from, so that if there's a problem in the field we can, you know, look at all these devices and say, "Oh, all these devices came from the same factory, the same location." Right? But as the geopolitical climate changed and security became a bigger concern, all this data that we've been capturing, and all this data and these tools that we put in place to understand the transparency and traceability of the system became even more useful for the purposes of security. So, our customers use the data for quality assurance, they use the data for security, not only identifying problematic vendors or problematic contributors to the supply chain, but also things like, in the past, if you got a system from, a Dell or a Lenovo, there was really no way of understanding what other companies had contributed technology. And now, with the explosion of vulnerabilities, and bug bounty programs, and ethical hacking, it's important to have that information, because if a hackathon identifies a problem with a particular Texas Instruments component, how do you know whether you have that component in your environment? Years ago, you didn't.
And now, with Transparent Supply Chain, you have that roadmap of what's in the environment. - Is this the first time that this kind of information is available, or has this sort of tracking and tracing been done kind of at a recorded level, but not at like a generated level? Were people sort of tracing the supply chain, and you know, where the parts were coming from, and what the components were, and this is a shift to digitization of that tracking, or is it the first time we've seen it? - No, exactly. It's a shift to digitization, it's a shift in usability. Lemme give you an example. I was speaking to the Deputy CIO of the Department of Defense, and we were going through, you know, we were showing him the types of data sets that we could expose.
Not only like, you know, "Hey, are you buying Lenovo X1 Carbons," but we can tell you what's in Lenovo X1 Carbons, we can tell you what's in this specific Lenovo. And he was telling us he would get alerts in the past that said, you know, a particular vendor is problematic, and it would take him and his team weeks of time scouring their environment, trying to understand. They would call the OEM, the OEM would send them a spreadsheet, which they would have to sort through, and it was a big mess. And with Transparent Supply Chain and that move to digitization, it's now all at your fingertips, and we actually even provide the tools so that you can ask, "Do I have these components in my environment?" And not just look at a single machine, but look across the entire fleet.
- What about things like sustainability? It seems like this data could be also used to try to track things like carbon footprint, or other areas of concern that, maybe in the past, weren't that important, but have been growing in importance over time. - That is exactly where we are going. So, the Transparent Supply Chain process today really focuses on the motherboard and system-level manufacturing, and then integration. But more and more, we want to go farther back into the supply chain. So we began building in capability, not only for Intel products, but for all products, to begin capturing more and more information about the components that were coming in. Information like what was part number, what's the serial number, was the part purchased through distribution, or was it purchased through direct from a vendor? But then, exactly, the security and sustainability effort globally, across the high-tech manufacturing industry, was being asked to generate information about the sustainability, product carbon footprint, recyclability, possible minerals, lead content, arsenic content.
And these vendors were generating these reports, and it was unclear, how do we get the report from the component vendor all the way to the person that wants to use it? Which is maybe the person who's recycling the system eight years from now. And raised our hand, and said, "We can use Transparent Supply Chain for this." We're already capturing information about what's going into the system, we can also add information about the sustainability profile of the components going into the system, or the software bill of materials for those components that are going into the system. So, as we put better tools and better tracing into the supply chain, the other industry groups that are trying to communicate data about how their components are made, reached out, or we reached out to them, and it was like, yeah, we should be including all this information, the 23andMe for your laptop, or for your server.
- And where is all that information stored? - Those vendors that work with us, we store it in an AWS protected cloud service. So there's a way you can identify yourself to the system, you can prove your identity, and then access the files from that AWS database. But we're moving to blockchain, we're moving there next year for a couple different reasons. One, it's gonna make it, first of all, just blockchain was designed for supply chain, right, because you literally are moving from taking pieces, and combining them into bigger pieces, and then those pieces, and combining them into bigger pieces and chaining them together.
It's just a natural technology for supply chain. But the other reason why blockchain makes so much sense here is, what people are putting into their systems, or who's participating in the supply chain of a system, is intellectual property. And competing vendors don't want their competitors to see what they're doing, so there's a tremendous need from privacy, there's tremendous need for permission-based access. Camille can see this data because she has a business need to see it, but, Tom, you don't need to see it, so you can't see it. And blockchain provides us the ability to do that, so we're in the process now of building and transitioning that service to a blockchain solution.
- So you're looking at making kind of system-level transparency, of a computer in this case, and who decides that, and what are you checking, and is it kind of vendor specific? So, are you checking, hey, we're checking 80% of the components, so we're fine, or we're checking only components with active firmware, or we're checking only the CPU? How are you coming to a conclusion about, okay, this is generating some kind of a threshold of system-level transparency? - The answer to the question has two parts. One part is is that one of the pieces of data that Transparent Supply Chain delivers actually conforms to an industry specification. So the Trusted Computing Group, which is an industry body, took on the challenge of, how do we improve traceability, how do we improve transparency in the supply chains of systems as they're being built? And so, Intel was a big contributor to this, probably the biggest contributor to this.
We said, "Hey, here's the types of data that we capture on Transparent Supply Chain, and here's the way that we attribute the data back to a specific machine." We use the Trusted Platform Module, which is also governed by a Trusted Computing Group specification, so, you know, everybody was pretty happy with that. So a chunk of the data that we capture is governed by that specification, but our solution, the Transparent Supply Chain solution, actually goes much farther than that, we've extended our tools to go much beyond that. And then so the second part of your question is, how far we go is really vendor specific. So if we're working with an OEM, the reality is is that the end-user doesn't care where the screws came from. Our recommendation of where we've seen the industry sit is active components.
So if you're a component on the system, and you're executing firmware, you're executing code, you should be logged into the supply chain of the platform. And the sum total of all the acting components on the system is greater than what's specified in that specification, but we still think it's important, and since we can capture it, we offer it to our customers. - So, Patrick, this is obviously something that Intel has been working on, actually, you and I worked on this, for some time. It's not new, but it has been growing in sort of acceptance and availability in the industry. So can you share with our listeners how pervasive is this kind of solution? If they're interested in having this kind of information, where can they get machines that have Transparent Supply Chain as part of the platform? - Well, if you go to intel.com,
and you type in Intel Transparent Supply Chain, we do have a list of vendors. We've got a handful of server vendors that we provide the service to, we have a handful of client vendors we provide the service to. But you're right, although the standard was written, whenever, like seven years ago, it really does take the industry that long to get from somebody finalizing a specification to the standards bodies, and the regulatory bodies, and NIST, to the Department of Defense, to get it, and put it into committee, and understand it, and then get to the point where they say, "Hey, systems coming into our environment should have Transparent Supply Chain. Systems coming into our environment should support TCG platform certificates." And then the OEMs themselves start wrangling on, "How are we going to support this?" And so, it's taken that long. Our volume projective for 2023 is gonna be 10x our volume from 2022, and that was 10x from our volume in 2021.
We really are this hockey stick explosion where, what was it, crossing the chasm or whatever, where the recommendations are turning into requirements, and vendors are beginning to realize they have to do this in order to win business, and so that's why we're seeing the numbers grow. - I was gonna ask you about that. It seems like one of those things where there's been a growing desire and demand for it in the government space, and now that's extended across enterprise. Is this gonna be one of those things that everybody expects to have complete transparency into the supply chain of their products? - We can't just take a piece of software and trust that, "Oh, yeah, I'm sure those guys did a good job building."
And we can't do that on the hardware side either. And then you mentioned government, but the interesting thing is, they're not the biggest customer. The biggest customer, by a long shot, is what I'll call IP-sensitive firms, which are high-tech companies who are buying PCs for their employees, and they're worried about spying, and they're worried about IP theft. Right? And financial services is second, and then government is third. Government probably has, you know, more reason to be concerned, but of course they move so slow compared to corporate high-tech IT that they're getting their act together. But the big deals that I see come through, almost without fail, are big, high-tech companies that are worried about the IP theft.
- And you mentioned software a second ago, but most of what we've been talking about has been more sort of hardware examples. So can you talk about the software and the firmware, and how does that factor in to Transparent Supply Chain? - As a motherboard's being created, we have a set of tools at the ODM, the device manufacturer, the MiTACs, and the Quantas, and the Inventechs of the world, that load the firmware, and load the BIOS, and test to make sure it's a genuine Intel CPU. And so we've just extended those tool sets to capture information about, okay, what firmware is being loaded, what microcode is being loaded, what BIOS is being loaded, what's the description string, who's the vendor, what's the date code? A lot of information. We can get a fairly accurate accounting of what was loaded into the system at a particular point in time, and then we store that in the cloud. And so if the system arrives at Intel's IT department, and they're gonna hand the system to Camille, they can use our tools to remeasure those values and do a comparison, that's what our tools do, and look to see if those values have changed. Intel, you know, sort of sits in that unique situation that we have the opportunity to capture some of that really hard to capture information, it's just not readily available.
- Don't IT departments like, re-image systems though before they send them out to employees? - They do tend to wipe away the software layer and re-install it, but we still provide that check of the hardware somewhere. - But the IT shops in terms of re-imaging BIOS, and re-imaging firmware versions and whatnot, I think they're more reluctant to mess with those, because they're afraid that, through that re-imaging of those low-level software that they might do something to mess up the system, they brick the system, or make it unusable. So they tend to stay away from that level and just re-image OS and above. - So we're just on the cusp of the next set of standards that I believe, and we're investing based on this belief, will provide the next level of transparency, not only into the supply chain, but into the trust state of the platform. And so where Transparent Supply Chain basically takes a set of static measurements as the system's being manufactured, and then you compare 'em to a static measurement later, the standards are gonna take us to a new level where we're gonna use DICE, which is a new device identification capability, where devices will have a unique identity fused into their hardware. So there'll also be a mechanism for those individual devices to communicate themselves to a controller, which will generate a manifest at a trusted point, like at the manufacturer, and say, okay, here's who's on the bus.
Here's who's getting on the plane, Tom Garrison's getting on the plane, he was able to, he knew the secret password, he showed me his ID. You know what I mean? Everything matched up. Tom, you get on the plane.
Camille, we do the same unique identity check to you. Plane takes off and lands, and at any point in time, at any airport, any layover, I can go down the seats and say, "Camille, tell me the secret password that you told me before. Prove to me that you are who you say that you are." And if at any point in time you can't reestablish your trust, we can go so far as to cut power to that component. And this dynamic model of challenging each active component, actually it's called an active component root of trust, where you say, these are the active components, and they all individually, dynamically identify themselves, and then you go to a different point in time, and you ask those same components to identify themselves, and if something has changed, if somebody swapped out an active component, we'll catch it. And the other thing is if at some later point in time a device says, "Hey, I would like access to the CPU, and I would like access to the comms stack to send information over the internet," if that device can't prove that it's legitimate, and prove its trust status, and prove that it's supposed to be there, it could be a spy chip, right, that was built into the system latently, and is now waking up and saying, "Hey, I'm capturing data, I wanna send it back to wherever."
And if it can't prove it's supposed to be there, then we can capture it. And that's what we're building right now. A lot of it's based on industry standards. The manifest, it's actually called a reference integrity manifest, that gets generated, these also perform to another standard, but we think there's a unique opportunity for Intel to put all these pieces together, and string all these capabilities together to create a whole solution, and then offer that solution not as bits and pieces, but as a red light, green light, can I trust this system? - And, Patrick, you said that those identifiers, it's like a serial number, right? But it's a serial number that's unique to every specific component. So even the same component, like same part number, will have a different identifier, and it's built into the device, so it can't be mimicked, right? Is that the idea? - The key is fused into the silicon.
- And everything's unique, so even if they swap that part out with the same part, but just a different version of it, it couldn't pretend to be the first part. Is that correct? - Yeah. - Sorry, but just to be clear, when you're talking about this kind of dynamic recheck, continuous checking, this is no longer just while the system is in transit, you're extending now into operational phase, is that right? - Exactly. If somebody came into my office last night and swapped out the graphics card with a similar graphics card, but with an altered BIOS, in that situation, when the check is performed, and when that device is required to identify itself, it doesn't know the secret code word that it was given, and we've held a copy in the cloud, or in the blockchain.
You know, then we will say, that graphics controller is not trusted, and shut that system down, kick it off the internet. - Patrick, it's been great to get the latest on Transparent Supply Chain, it's come a long way from when you and I worked on it years ago, and kicked it off, and introduced it, actually, to the industry. So, thanks for coming, and I wish you the best of luck driving it forward.
(upbeat music) - [Announcer] Never miss an episode of "InTechnology" by following us here on YouTube or wherever you get your audio podcasts. - [Announcer 2] The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel Corporation.