The Department of Homeland Security (DHS) has stated it, and the UK’s National Cyber Security Centre, are supporting industry denials regarding malicious microchips installed on hardware by China.
Last week Bloomberg unveiled a weighty report which pointed the finger at the Chinese government for an in-depth and delicate espionage campaign which would have shaken the telco industry’s global supply chain. By allegedly compromising motherboards produced by Super Micro, the security protocols and trade secrets of more than 900 companies have been directly compromised. Who knows how wide the web could spread when you look at the indirect implications, partners who use the infected networks or collateral damage.
While the claims have been refuted by all the parties involved, including Apple and AWS, and despite confidence from the DHS and the National Cyber Security Centre, a division of GCHQ, without a denial from the body likely to be conducting the supposed investigation, the CIA, or a flat-out rejection from the White House, there is still an air of possibility.
“Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” a statement from the Department of Homeland Security reads. “Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”
The initial report is a damning one. According to Bloomberg, Chinese agents infiltrated subcontractors of Super Micro operations in Shanghai, or coerced the managers of these facilities, to gain access to the motherboards. A microchip, smaller than a grain of rice, was placed on the hardware, before it was shipped onto customers to be incorporated into servers. Elemental, now an AWS company, was supposedly one of the customers who used the motherboards, as was Apple, a major US bank, the US Navy and the CIA, who used Elemental servers for drone missions. The information which would be available is staggering.
All parties involved have denied finding any malicious microchips on hardware, and also being aware of or aiding in any investigation led by US intelligence services. With the DHS and GCHQ also stating they have no reason to doubt the statements of denials, the chorus of disapproval is getting louder. That said, there is still an element of doubt.
Bloomberg is one of the most trusted and professional news sources on the planet, with a pedigree for unveiling worrying truths which have been deemed unsuitable for the general public. The report, which was researched and written over months, points to a total of seventeen sources. One source might have been suspect, two or three might have been dubious, but seventeen individuals confirming the same story suggests there is at least an element of truth to the claims.
Ultimately we doubt there will be anything the companies or government can do to completely remove the element of distrust. The claim of nefarious actors and activity has been raised, and now there will always be a heightened suspicion. A concrete rejection of the claims from the White House and the US intelligence services would set the ball rolling, but don’t expect that any time soon. This saga conveniently supports the anti-China rhetoric being fuelled by the US government; why would it want to do anything to discredit the help Bloomberg is giving it?