There’s a song by Don Henley (of Eagles fame) called “New York Minute” that includes the line:
Lying here in the darkness, I hear the sirens wail / Somebody going to emergency, somebody’s going to jail
I thought of that line reading Bloomberg’s cover story this month alleging that China’s spies infiltrated the supply chain of Chinese-made devices, adding a chip that interfered with data as it moved across the motherboard. The story, based on 17 unnamed sources in the US intelligence community and the companies affected, claims that the infected chips found their way into servers at Amazon, Apple, NASA, the Houses of Congress, and the Department of Homeland Security.
Almost everyone involved in the story has issued unequivocal denials. Either the story has holes that will sink it, or the principals are lying.
Someone’s going to come out of this looking very bad.
Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
As Ina Fried wrote in Axios, these statements are “strong, specific, and highly unusual for both companies.”
Here’s an interesting tidbit in a Reuters story about a UK government cybersecurity agency backing up Amazon and Apple’s denials:
Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc[,] a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.
“I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”
No two ways about it: either the Bloomberg article is seriously wrong in critical ways, or Apple and Amazon PR is blatantly lying.
On the one hand, the story doesn’t really tell us anything we don’t know. It reminds us of the paradox that China isn’t a particularly trustworthy state actor, and yet so much of our technology supply chain relies on Chinese-made components.
On the other hand, this is much more strongly worded than has been previously reported, and much more specific as to what parts of the US government have been impacted. Bloomberg specifically cites Navy warships, Department of Defense data centers, and CIA drone operations as having been impacted by the malicious servers.
Then again, Apple PR in particular is not known for lying. Either they’re deviating from that strategy, or someone higher up at Apple is lying to the PR department.
Bloomberg, for their part, is not known for fanciful reporting — I don’t know the journalists whose bylines appear on this story, but I do know other folks at the organization, and I don’t for a second think it’s an organization that would make something out of whole cloth.
All this is what makes this story so fascinating.
This is a national security story more than a tech story, and Zack Whittaker at Tech Crunch has it right: “either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary… or it’s not, and a lot of people screwed up.”
Which is it? We’ll have to wait and see. But this story isn’t going anywhere.
Bonus round: credit where it’s due
These lines, from the Bloomberg report:
Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.
As always, I welcome your feedback, and I’d love to hear your suggestions for what you’d like to see covered in this newsletter. I’m @tommycollison on Twitter, or you can email firstname.lastname@example.org. Please get in touch! 📩📬