
Bloomberg’s ‘bombshell’ (or dud) on Chinese espionage: Even if true, what’s new?

AEIdeas

We are now three weeks past the publication of Bloomberg Businessweek’s “bombshell” story that claimed that groups associated with the Chinese military had managed to introduce malicious server chips during the manufacturing process in China. According to Bloomberg, the tiny chip corrupted thousands of servers that were subsequently used by some 30 US companies, including Apple and Amazon.

Specifically, the report alleges that the chips had been inserted during assembly of server motherboards by the US company Supermicro, a major supplier for a number of high-tech companies. According to the Bloomberg reporters, Chinese intelligence officials had coerced or bribed at least four Chinese subcontractors for Supermicro to allow the introduction of the malicious chips. (The “backdoor” chips can either take control of the server, giving it secret directions, or just lie in wait for the opportunity to control other more valuable servers.)

Chinese President Xi Jinping and Gen. Fang Fenghui, chief of the general staff of the Chinese People’s Liberation Army, in Beijing, China August 17, 2017. via REUTERS

The Bloomberg team of reporters had worked on the story for over a year, and the actual espionage dated from 2014 to 2015. Bloomberg cited some 17 independent sources, almost all of whom were anonymous, in support of the veracity and accuracy of its claims.

Still, the story produced a storm of denials and even scorn. Both Apple and Amazon issued strong statements (as did Supermicro), asserting that they had searched their servers and had found no evidence of secret chips, either earlier or currently. They were joined by cautious statements from the UK cybersecurity agency (“no reason to doubt the detailed assessments made by . . . Apple”), the Department of Homeland Security, and the director of national intelligence. And in recent days, Apple and Amazon (and Supermicro) have stepped up their campaign against the story, now demanding that Bloomberg publicly retract it. Generally, with some exceptions, outside cybersecurity experts are also skeptical. But up to this point, Bloomberg is holding to its account, leaving a standoff.

Here are a few observations about the incident.

  • We may never know the exact details, as US intelligence will be reluctant to disclose them in full. Ironically, the one group we know has all the answers is Chinese intelligence officials, who no doubt have watched this saga unfold with amusement and — depending on the truth — satisfaction or wistful puzzlement.
  • Although cracking hardware for spying purposes is very difficult, it is not impossible. It is also true that the Snowden revelations some years ago produced evidence that US intelligence agencies used a variety of tools to glean information from the vast amounts of internet traffic that passed through the US, including by penetrating fiber-optic cables. The National Security Agency has also been successful in introducing malware into foreign (Chinese) equipment in carrying out its own intelligence mission — of just observing or potentially introducing misinformation.
  • Thus, one should be careful about the “bombshell” aspects of the Bloomberg story. US intelligence agencies, given their own capabilities and missions, cannot have been surprised that Chinese intelligence agencies would probe and even possibly penetrate some US supply chains.
  • Finally, whatever the truth of the Bloomberg assertions, the episode does represent a vital wake-up call. Digital supply chains are vulnerable, and both the US government and American high-tech companies will have to accept the necessity of ever-deeper defensive programs to detect and ferret out “secret chips,” malware, or other threats. It is simply not technically or economically feasible to pull back and produce all the myriad of advanced electronic parts and components in the US.

Specifically, as cybersecurity expert Nicholas Weaver has recommended:

Hardware manufacturers should aim to reduce the “trusted base,” the components that need to execute with integrity, to something far more manageable. Then, the goal should not be to remove China from supply chain — just to remove China from the trusted base. Manufacturers know how to design computers that don’t need to “trust” the motherboard. They should work to make that the standard design.