Let the finger pointing and denial begin!

Last Thursday, Bloomberg unleashed a damning report on the US’s tech industry. They documented and catalogued a range of evidence that seemingly proved China is spying on us.

Here’s an excerpt from the report about a company called Elemental Technologies, a small firm that was acquired by Amazon. In the process of being acquired, the company’s hardware infrastructure was evaluated by security experts.

However, what should have been a standard review blew up into a massive scandal. As Bloomberg reports:

In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.

Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.

Three years on and apparently an investigation into these chips is still ongoing. What is truly disturbing is the fact that this was a step up from the normal cyber-attacks.

These tiny chips are far more insidious than any software is likely to be. They could give hackers complete control over the system without anyone knowing. Any and all information passing through systems with these chips could be going straight to China.

At least that’s what the Bloomberg report was arguing.

Who is telling the truth?

Almost as soon as the report was made public, the companies implicated posted a response. Amazon and Apple, two of the larger names involved, immediately defended themselves.

Both companies have come out and vehemently denied the report. They aren’t just saying they didn’t know about it; they are claiming none of the report is true.

These weren’t just short PR statements either. Both companies painstakingly refuted the series of claims one by one. Here is part of Amazon’s response:

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.

And here is Apple’s:

We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident.

So, what we have now is a good old case of ‘he said, she said’. We don’t know who is telling the truth and who is lying.

For all we know, everyone involved may believe they are telling the truth. However, for now we must stand by the fact that they are innocent until proven guilty. Even if it does seem incredibly suspicious.

The US Department of Homeland Security has even publicly defended the companies implicated. They note that they have ‘no reason to doubt the statements from companies named in the story’.

Perhaps this is all just a big misunderstanding. But it certainly isn’t a good look for anyone involved.

Why the outcome may never be known

Whether this report proves to be true or not has huge ramifications. Whether you or I will ever learn if it is actually true, though, is doubtful.

The simple fact of the matter is this report puts us in uncharted territory. We’ve never had to deal with a coordinated hack of this magnitude; that is, if it actually happened.

But the fact that it has now come into question at all is troubling. While companies like Apple and Amazon may be safe (for now), what about smaller, less secure firms?

China still makes most of the world’s hardware. Now though, there is a serious cloud of doubt about whether that hardware is safe. Even if we don’t have evidence of the fact, the sheer possibility is enough to warrant concern.

As Bloomberg notes,

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest.

“You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

We have reaped what we sowed, but we may not enjoy the consequences. Whether the real truth will ever come out regarding this ordeal is questionable. I’m certainly doubtful about it happening.

Ultimately, the issue is and continues to be one of trust. Now, more than ever, we need to know whether we can trust China. Sadly, I don’t think we’ll ever get a straight answer to this question either.

Regards,

Ryan Clarkson-Ledward