Bloomberg reported last week that Apple and Amazon, along with several other companies and government agencies, used servers hacked with secret Chinese spy chips. Apple and Amazon denied the claim, the Department of Homeland Security says it believes both companies, and now we’re left wondering if there’s any truth to the report.
According to Bloomberg, China’s People’s Liberation Army designed chips no bigger than a grain of rice to intercept data on servers, and to allow remote control. They forced a manufacturing plant to install the chips on Supermicro server boards that were ultimately shipped to U.S. companies and government agencies.
The report states,
“The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”
Apple and Amazon denied the allegations. Apple even included a statement making it very clear they aren’t bound by any government imposed gag order:
“Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.”
If Apple were under a gag order, the company wouldn’t be able to confirm or deny the order exists. In other words, there is no gag order preventing Apple from talking about a Chinese server hack and FBI investigation.
Now the Department of Homeland Security is chiming in. The agency says it believes Apple and Amazon’s statements. The agency said:
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.”
This is where the conspiracy theories kick in: Of course everyone is denying the spy chip hack. It’s a matter of national security, after all.
Here’s the deal: Just let that one go. I could go into the technical details about why the spy chip incident is extremely unlikely, but instead I’ll go to the heart of it. People love to share secrets, especially when they’re really big. It’s just a thing people do.
The more people who’re in on a secret, the more likely it is to get spilled. In this case, we’re talking about people from over 30 companies, several government agencies, and potentially hundreds of supply chain and factory employees. That’s a lot of people, and now that the Bloomberg report is out, odds are at least one person would’ve come forward with corroborating information.
Instead, we’re seeing denials and statements that could be legally damaging if they’re false. That brings me to one conclusion: the Bloomberg report is wrong.
I can’t imagine a scenario where Bloomberg would intentionally fabricate the report. If I’m right, that means Bloomberg’s investigation team was either duped or incorrectly stitched together the pieces of information it had. Either way, the fix for that problem is to conduct a more thorough investigation.
Sadly for Bloomberg, this throws its previous big tech news scoops into question, and means its future reports will be looked at with a big dose of skepticism.