China’s alleged supply chain hack: Explaining the controversy around Bloomberg’s ‘Big Hack’ reporting

Business & Technology

The smoking gun may be out there, or Bloomberg may be chasing ghosts. Either way, the damage is already done.


  • Since October 4, Bloomberg has published three stories about Chinese attempts to compromise hardware sold to major U.S. companies. Those reports have been widely criticized in the cybersecurity community, though Bloomberg stands by its reporting.
  • The absence of evidence has led to speculation that someone, perhaps the U.S. government, is generating fake news to cast suspicion on China.
  • If Bloomberg’s reporting is right and there is a real threat against U.S. systems, it would be a stunning validation of China hawks’ concerns.
  • Either way, Bloomberg’s articles are already furthering mistrust, and will contribute to a worsening of relations at a sensitive time in the U.S.-China relationship. This has the potential to get ugly.


On October 4, Bloomberg dropped a cybersecurity bombshell. Writing in Businessweek, reporters Jordan Robertson and Michael Riley alleged that the People’s Liberation Army had compromised hardware used by leading U.S. tech companies and government organizations by using a Chinese subcontractor to install a hardware implant on motherboards manufactured for Supermicro, a California-based company.

The Bloomberg account, backed by more than a dozen anonymous sources, riled the cybersecurity community, sank Supermicro’s stock price, and prompted full-throated denials by several of the companies involved.

Two weeks later, confusion reigns. After the initial Businessweek bombshell, a second Bloomberg story alleged that Chinese intelligence had targeted software related to the same motherboards. A third story claimed that an unnamed U.S. telecommunications company had discovered an implant in a network card in August.

Elements of all three Bloomberg stories have been widely criticized in the cybersecurity community, and the stridency of the company denials has raised eyebrows. Still, none of the skeptics have managed to fully refute the Bloomberg reporters’ central claims.

Some senior U.S. officials have characterized the first Bloomberg story as part wrong and part right. Officials from the Department of Homeland Security and Federal Bureau of Investigation issued carefully crafted statements questioning the story and backing denials by the only two companies named in the first report, Apple and Amazon.

Now, people who should know have started to weigh in. Unfortunately, the news is far from definitive. National Security Agency official and former White House cyber czar Rob Joyce, for example, said he was worried that people were “chasing shadows” and the government was “befuddled.”

The fact that there is still a question of where those shadows might lead is startling. If Bloomberg is right, this could be the most important cybersecurity story ever. So where does this leave us?

It seems increasingly likely there was some type of supply chain effort uncovered in the 2015-2016 time frame described in Bloomberg’s reporting, and that the server vendor Supermicro was at the center of an investigation.

The details of what was discovered and how, and how big the threat was, remain murky, however. It is possible that concerns about a possible supply chain attack sparked other efforts to determine the extent of the problem among government agencies such as the U.S. Department of Defense, given longstanding concerns at the Pentagon about potential threats to tech supply chains.

At the same time, the classified nature of the investigations, plus corporate nondisclosure agreements and legal constraints, mean that few people had the complete picture: There were likely multiple ongoing investigations. Bloomberg is trying to piece this together years after the fact, from sources with varying agendas and unknown amounts of firsthand knowledge.

The situation is further complicated by the fact that the technical details in Bloomberg’s reporting have been garbled from start to finish. These are complex issues, and no one has produced an actual device for independent analysis, something the cybersecurity community has become accustomed to with malware, from Stuxnet to WannaCry.

The absence of evidence has led to speculation that someone, perhaps the U.S. government, is generating fake news to cast suspicion on China. After all, supply chain security is a hot topic. Over the past year, the U.S. has grown increasingly vocal in expressing its concern that allowing Chinese vendors to participate in 5G networks could lead to them being compromised with potential security backdoors. Still, there has been no smoking gun made public on Huawei and ZTE, the two leading Chinese firms developing 5G technology.

The reality is that it would be very difficult to locate the alleged implant, described in the Bloomberg story as the size of a grain of rice, if one did not know where to look. Hundreds of thousands of Supermicro motherboards run server software in data centers around the world, and there is little clarity on how many may be affected. Detection requires removing the board and examining tiny components.

If Bloomberg’s reporting is right and there is a real threat against U.S. systems — not from Chinese equipment, but from U.S. company equipment tampered with in China by subcontractors — it would be a stunning validation of U.S. China hawks’ concerns. It would also buttress the arguments of an increasingly influential faction of supply chain nativists inside the Trump administration, who believe that the U.S. should try to decouple its technology supply chains from China to protect U.S. military equipment from tampering.

One good thing that could come of all this is tighter cybersecurity checks related to network products and services, including hardware. Up to now, this area of potential security vulnerabilities has been largely ignored due to the difficulty of establishing a chain of custody within complex global supply chains, from subcontractors to assembled products. Ironically, China is in the process of installing just such a system, as it works to manage risks to its own information and communications technologies (ICT) supply chains.

The bad news is that the Bloomberg articles are already furthering mistrust, and will contribute to a worsening of relations at a sensitive time in the U.S.-China relationship. Supply chains are likely to move, pushing the U.S. and China further apart, whatever the outcome.

This has the potential to get ugly. It feeds directly into longstanding fears of Beijing’s agents using China’s crucial position in ICT supply chains to compromise the national security of the United States. The timing of the Bloomberg report and the recent release of a major Pentagon report on threats to U.S. military supply chains may be coincidental, but it is hard to shake the perception that both are part of the administration’s stepped-up messaging to paint China as a technology and cyber threat to U.S. national security interests. What different stakeholders believe about this story will likely depend on their views on China in general, regardless of where the facts may lead.

Several companies are reportedly searching for current evidence of hardware implants. Further revelations will be forthcoming in the days and weeks ahead. The smoking gun may be out there, sitting on a motherboard humming away deep inside a windowless datacenter. Or Bloomberg may be chasing ghosts. Either way, the damage is already done.