DHS and GCHQ join the China spy BS brigade

The Department of Homeland Security (DHS) has stated it, and the UK’s National Cyber Security Centre, are supporting industry denials regarding malicious microchips installed on hardware by China.

Last week Bloomberg unveiled a weighty report which pointed the finger at the Chinese government for an in-depth and delicate espionage campaign which would have shaken the telco industry’s global supply chain. By allegedly compromising motherboards produced by Super Micro, the security protocols and trade secrets of more than 900 companies have been directly compromised. Who knows how wide the web could spread when you look at the indirect implications, partners who use the infected networks or collateral damage.

While the claims have been refuted by all the parties involved, including Apple and AWS, and despite confidence from the DHS and the National Cyber Security Centre, a division of GCHQ, without a denial from the body likely to be conducting the supposed investigation, the CIA, or a flat-out rejection from the White House, there is still an air of possibility.

“Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” a statement from the Department of Homeland Security reads. “Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”

The initial report is a damning one. According to Bloomberg, Chinese agents infiltrated subcontractors of Super Micro operations in Shanghai, or coerced the managers of these facilities, to gain access to the motherboards. A microchip, smaller than a grain of rice, was placed on the hardware, before it was shipped onto customers to be incorporated into servers. Elemental, now an AWS company, was supposedly one of the customers who used the motherboards, as was Apple, a major US bank, the US Navy and the CIA, who used Elemental servers for drone missions. The information which would be available is staggering.

All parties involved have denied finding any malicious microchips on hardware, and also being aware of or aiding in any investigation led by US intelligence services. With the DHS and GCHQ also stating they have no reason to doubt the statements of denials, the chorus of disapproval is getting louder. That said, there is still an element of doubt.

Bloomberg is one of the most trusted and professional news sources on the planet, with a pedigree for unveiling worrying truths which have been deemed unsuitable for the general public. The report, which was researched and written over months, points to a total of seventeen sources. One source might have been suspect, two or three might have been dubious, but seventeen individuals confirming the same story suggests there is at least an element of truth to the claims.

Ultimately we doubt there will be anything the companies or government can do to completely remove the element of distrust. The claim of nefarious actors and activity has been raised, and now there will always be a heightened suspicion. A concrete rejection of the claims from the White House and the US intelligence services would set the ball rolling, but don’t expect that any time soon. This saga conveniently supports the anti-China rhetoric being fuelled by the US government; why would it want to do anything to discredit the help Bloomberg is giving it?

5G could open us up to digital terrorism – GCHQ

Connecting our toothbrush to the internet might sound like a futuristic dreamland, but are we fast becoming the architects of our own downfall.

Writing for the Sunday Times, Head of GCHQ Jeremy Fleming has aired his concerns about the digital economy. Yes, it has the potential to create a sophisticated and efficient society with opportunity for all, but also runs the risk of a new form of danger with terrorists hijacking the very same 5G networks which are supposed to make our lives so wonderful. He even managed to drop China in, hinting at the threat of allowing the country to provide the majority of our critical communications infrastructure.

“They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer,” Fleming writes. “But they also bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.”

While it might sound very doom and gloom, Fleming is of course correct. The internet is a scary place with dark corners. New ideas are created every single day, some of them are a force for good, some of which will be utilised by nefarious individuals. The more light which is shed into these unexplored corridors of the web, the more we realise how exposed we are.

Unfortunately, Fleming is raising an argument which is not original; incorporating security into the building blocks of services and products, not simply treating it as an add-on. This should be the approach for making the digital economy secure, though this is rhetoric which we have been hearing for years. The more often it is said, the less impactful it becomes. Perhaps we are blindly wandering down the path to destruction purely because it is easier than tackling the difficulties of making consumers secure.

Another interesting point is collaboration. Again, this is not a new argument, but Fleming seems to be attempting justification for increased access to our digital lives. Using friendly words such as ‘collaboration’ or ‘public debate’ and ‘open co-operation’ should not put a smile on the face of an campaign which has been going on for years.

“We believe some principles allowing industry and governments to demonstrate responsible access that protects privacy are within reach,” Fleming states. “These do not require unfettered access for governments through so- called ‘back door’ or global ‘skeleton key’ schemes. But they do require public debate and close, open co-operation and agreement with technology companies. And when these solutions exist, they also require modern legislation and strong oversight to maintain public confidence.”

Fleming is right though. There does need to be a mechanism to ensure intelligence and police services can ensure our safety, but there is yet to be a sensible solution which offers security, accountability and justification. Last year, former Home Secretary Amber Rudd tried to scare us into submitting to government snooping by suggesting paedophiles use the same services as you and me. It didn’t work, though current Home Secretary Sajid Javid is yet to reveal his ambitions here. The encryption debate has been too quiet in recent months, perhaps another onslaught is on the horizon.

The dark corners of the web are full of nightmares which we are yet to discover. By connecting everything, we are making the digital dream a reality, but exposing ourselves more than ever before.