The US Department of Homeland Security and UK’s GCHQ have rallied behind the vigorous denials issued by Amazon and Apple, after Bloomberg BusinessWeek reported China had planted malicious computer chips on systems used by the tech giants.
The lengthy scoop by Bloomberg raised many eyebrows – partly because nobody seemed to be prepared to go on the record about the incident, and partly because nobody appeared to have physical access to an allegedly compromised server carrying a meddled-with SuperMicro motherboard.
But perhaps the fact that was most likely to sway observers were the strong public statements by Apple and Amazon, denying that anything of the kind occurred.
Now the DHS has declared which side of the argument (publicly at least) it is standing on:
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”
Meanwhile, on the other side of the pond, the National Cyber Security Centre (a division of GCHQ – no, not that GCHQ) told Reuters that it was also siding with Amazon and Apple.
The UK snoops urged security researchers to contact the NCSC confidentially if they had “credible intelligence about these reports.”
Depending on the style of your tinfoil hat, you may believe that the NCSC and DHS statements are just further evidence that a cover-up is occurring.
But the ball does really seem to now be in the court of Bloomberg BusinessWeek to deliver some more convincing corroborated evidence of wrongdoing.
Update: Apple has also written a strongly-worded letter to the United States House and Senate about the Bloomberg article. It doesn’t pull any punches.
Part of the letter reads:
In the end, our internal investigations directly contradict every consequential assertion made in the article-some of which, we note, were based on a single anonymous source.
Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.
On Saturday night, the U.S. Department of Homeland Security joined the U.K.’s National Cyber Security Centre in saying they have no reason to doubt the statements we’ve made.
Our frustration is animated by the fact that we share your rightful focus on cybersecurity and the integrity of the global supply chain. We understand that, though this story only relates to our enterprise hardware, Americans are justly concerned about how supply chain security affects the consumer products they use every day. Concern for supply chain security is absolutely central to the way we run our business.
If any of the reported details cited above were true, we would have every interest- economic, regulatory, and ethical-to be forthcoming about it. We hold ourselves to the highest standard in the products we create and the data we safeguard, and to help address any concerns you may have, I would like to offer a brief summary of the supply chain protocols we follow to protect ourselves and our customers.
I can't imagine how many hundreds/thousands of servers there could possibly be, and how the hell would either Amazon or Apple know if those tiny chips were there? Seems a bit ridiculous that they don't explain how the ensured that there is not this tiny chip that don't belong there, likely laying dormant, for years? I think we need more from both sides.