Now, with the upcoming new year budgets to purchase the next tools and services for protecting our company and increasing our organization's posture against cyber attacks, I can't stop thinking about whether we should reduce all those budgets, because there is no way to reduce the recent type of risk of chip cyber hacking.

  • If you can't stop someone from driving a truck through your door, does that mean you should give up on locks? – Conor Mancone Oct 06 '18 at 01:39
  • I don't think it's a fair comparison @ConorMancone, since you can see the truck from a distance while this chip is not visible or detectable. – Filipon Oct 06 '18 at 01:41
  • @Filipon: *"... since you can see the truck from a distance while this chip is not visible or detectable"* - You claim that everything is lost since now there is a possibility that someone attacks you in a way you did not know existed and did not look for (yet). But there are many attack vectors like this. You run complex applications on a complex OS with complex hardware in a complex environment and most of this is out of your control and you don't actually know who controls all this and if you can really trust what you use. Thus, lots of attack vectors are already not visible by you. – Steffen Ullrich Oct 06 '18 at 04:57
  • As with many of your other questions, the answer is about a proper risk assessment. – schroeder Oct 06 '18 at 09:56
  • I agree with @schroeder, many questions in cybersecurity require a risk assessment, but they are not all the same. – Filipon Oct 06 '18 at 09:58

4 Answers

No, for so many reasons.

First, let's lay out there that right now (2018-10-05) there has been discernible concern within the Security community about the fact that "what we know" so far is very thin and rests heavily on the reputation of the reporters. The "targeted" companies have published denials which are "heavily detailed, denying the Bloomberg report point-by-point." The GCHQ has publicly supported those denials, and Homeland Security on 10/06 agreed that they "have no reason to doubt the statements from the companies named in the story."

It's very possible that people with enough clearance to know more have too much clearance to talk about it, but as it stands, there's a chance this could be FUD.

That said -

  1. All the non-Tiny-Chip threats still exist, and are just as worth spending money to mitigate tomorrow as they were yesterday.
  2. With what little we know about Tiny Chip today, there's no reason to think that traditional Security architecture, engineering, and operational practices won't reduce or eliminate the threat. For example, segmentation has been cited as a countermeasure that might be effective.
  3. Tiny Chip has always existed as part of the threat model. All that's (potentially) changed is the scope of it, and if a threat becomes industrialized enough to widen the scope like that, that's exactly the time to bring Security Professionals to bear on the problem. Industrial* problems are more susceptible to well-designed countermeasures than one-offs.
  4. Tiny Chip falls into the category of Nation-State Actor threats. There are many things that Nation-States can do to compromise your security, which you can do nothing about. Always have been. Always will be. Fortunately, for most of the businesses out there, Nation-State attacks are a limited or even non-existent part of their threat landscape. Kim Dotcom ticked off a lot of governments - Kim's Nails on Wabash Way, Plainfield, very few of them.
  5. You might, even more plausibly, propose that business simply stop using computers as an effective method of reducing the risk of Chip Hacking. The business would be less vulnerable, less reliant on Security professionals, and go out of business even faster - win, win, win!

*When I say "Industrial", I mean "rolled out in a systematic way, which implies some commonality of devices, methods, and behaviors." If you want to chip 5 laptops by hand, that's fine. If you want to chip a production line of 50,000 laptops, you're going to have to industrialize the process, and the result will carry a uniformity which makes detection and countermeasures easier.


Security budgets exist to mitigate your business and personal risk (regulatory/legal, PR, morale, etc.).

They work in a similar manner as insurance policies. No insurance covers all situations, or fully indemnifies you from risk, but it reduces it and makes it more predictable.

You wouldn't cancel your insurance policies if there were a string of robberies in the neighborhood, in fact that's the last thing you would want to do.


The recent tiny chip attack requires the cooperation of your hardware vendor. Someone needs physical access to the hardware which is going to get delivered to you and place the chips.

So the only budget consideration which would make sense in light of this thread is to increase your budget for hardware acquisition so you can pick your vendors more carefully.

All the other threats to your operational security still exist.

  • Black hat hackers all around the world who sit at home and try to hack random servers for fun and profit do not have access to your hardware supply chain.
  • Your competitors who want to steal your business secrets won't have access to your hardware supply chain.
  • Disgruntled ex-employees who want to use their insider knowledge to harm your company no longer have access to your hardware supply chain (if they ever had any).

Further, proper security practice can actually defend against this attack scenario:

  • Proper Intrusion Detection Systems can detect unusual network traffic (this is how we found out about these chips in the first place).
  • Properly firewalled DMZs can prevent communication between chips and attackers.
  • Proper isolation practices can prevent compromised systems from accessing uncompromised systems.
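As an added illustration of the first two bullets (example code, not part of the original answer), a small Python check that applies a DMZ-style default-deny egress allowlist to constructed flow records and separately flags sources with repeated, uniformly small outbound sessions to one external host, the traffic shape an implant's check-in tends to have. All addresses, ranges and flow lines are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port, bytes_out); not real traffic.
FLOWS = [
    ("10.20.1.11", "10.20.1.5", 3306, 8123),
    ("10.20.1.11", "10.20.1.7", 443, 2201),
    ("10.20.1.12", "10.20.1.5", 3306, 7911),
    ("10.20.1.12", "198.51.100.23", 443, 512),   # small, repeated, unapproved
    ("10.20.1.12", "198.51.100.23", 443, 498),
    ("10.20.1.12", "198.51.100.23", 443, 505),
    ("10.20.1.13", "203.0.113.10", 443, 30400),  # approved update mirror, one bulk fetch
]

# Hypothetical DMZ egress policy: internal hosts may talk to each other; only
# listed external destinations may be reached from the DMZ at all.
INTERNAL = [ipaddress.ip_network("10.20.0.0/16")]
EGRESS_ALLOW = {"203.0.113.10"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def egress_violations(flows):
    """Flows that leave the internal range for a destination outside the allowlist.
    A default-deny egress firewall would drop these; here we just report them."""
    return [f for f in flows
            if is_internal(f[0]) and not is_internal(f[1]) and f[1] not in EGRESS_ALLOW]

def beacon_suspects(flows, min_sessions=3, max_avg_bytes=1024):
    """Sources with repeated, uniformly small sessions to one external host,
    which looks like periodic check-in traffic rather than a bulk download."""
    sessions = defaultdict(list)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            sessions[(src, dst)].append(nbytes)
    return sorted((src, dst) for (src, dst), sizes in sessions.items()
                  if len(sizes) >= min_sessions
                  and sum(sizes) / len(sizes) <= max_avg_bytes)

if __name__ == "__main__":
    for f in egress_violations(FLOWS):
        print("egress policy violation:", f)
    for src, dst in beacon_suspects(FLOWS):
        print("possible beaconing:", src, "->", dst)
```

The thresholds are illustrative; in practice they would be tuned against a baseline of each host's normal outbound behaviour.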

Should we reduce budgets for cybersecurity? I would have to say NO! The thing about the human mind is that it evolves and someone will eventually come up with a solution. The budgets should be increased and more cyber warfare security researchers should take up the task because one mind will find a solution. One thing: the creator always has the antidote. This is modern warfare: Learn, Adapt, Evolve & Retaliate.

  • The question is about the risks, not about this one particular threat in particular. I removed the off-topic sections of your answer. – schroeder Oct 06 '18 at 12:30
  • The question is about whether an organisation should reduce budgets, not whether all budgets everywhere should be reduced. An organisation's cybersecurity budget is not going to find a solution to this particular threat. – schroeder Oct 06 '18 at 12:32