Cybersecurity experts are reacting with a mix of concern and skepticism after Bloomberg Magazine published an article on Thursday alleging that China’s military had succeeded in placing microchips into widely used computer systems.
The article focused on Super Micro, a U.S. company that makes computer parts used by a variety of major companies as well as government systems. Bloomberg reported that 17 sources, who spoke to the magazine anonymously, found that some of Super Micro’s motherboards included previously unidentified microchips that created major security vulnerabilities, which were also difficult to detect.
The Super Micro hardware, Bloomberg reported, was used in computer servers made by Elemental Technologies, which counted Apple, the Department of Defense and major banks among its clients.
The article added that Apple and Amazon both discovered the issue, and that the U.S. government was able to trace the chips back to the Chinese military. Apple, Amazon and Super Micro have each issued lengthy, blanket denials of the story. Those denials have led some cybersecurity experts to urge caution about jumping to conclusions based on Bloomberg’s reporting.
Oren Falkowitz, CEO of cybersecurity firm Area 1 Security, said the Bloomberg article was an example of long-held concerns in the cybersecurity community.
“This is what people have been worried about for a long time,” Falkowitz said. “It is really scary that this is happening.”
Bloomberg detailed the ways in which Super Micro, like many U.S. companies, relies on Chinese manufacturing and contractors. Falkowitz said that computer systems relied upon by businesses and governments now include hardware parts and software sourced from all over the world, creating complex systems that are hard to secure.
“The effects of globalization both in the hardware and digital supply chains have long been a challenge for computer security,” Falkowitz said.
J. Michael Daniel, president of Cyber Threat Alliance, a non-profit coalition of cybersecurity companies, said hardware attacks are a high-investment, high-reward proposition.
“These kinds of supply chain attacks are very difficult to pull off but can have a high return if they succeed and are also very hard therefore to detect,” Daniel said.
Super Micro is not the only company to come under scrutiny for concerns that its systems may be compromised. The U.S. government has previously warned that smartphones made by Chinese companies Huawei and ZTE pose security risks, with the Pentagon banning their sale on U.S. military bases. The government also removed security software from a Russian firm, Kaspersky Lab, from its computer systems over concerns about its links to Russia’s security teams.
Robert Pritchard, a cybersecurity specialist with the think tank Royal United Services Institute and former deputy head of the U.K.’s Cyber Security Operations Centre, said supply-chain attacks are among the most sophisticated — and risky — efforts to infiltrate security systems.
“Interfering with the supply chain in a manner like this is something that is very difficult to defend against,” Pritchard said.
Pritchard noted that installing microchips results in physical evidence (the chips themselves) as well as a digital footprint, since the chips eventually need to communicate with their owners to transfer information of value or execute commands.
“It has to get out somewhere,” he said.
While Russia has dominated public concern about cyberattacks in part due to its efforts to meddle in U.S. elections, China has quietly become a larger concern for many cybersecurity experts.
Tom Kellermann, chief cybersecurity officer of the security firm Carbon Black and the former commissioner of President Barack Obama's cybersecurity council, said the Bloomberg article is a small example of China’s larger efforts to spy on and disrupt U.S. businesses.
Kellermann said his firm has tracked a three-fold increase in destructive cyberattacks coming from China, pushing it past Russia over the summer to be the most active adversary targeting U.S. companies.
“We’re dealing with a surge, an unprecedented surge of economic espionage and traditional espionage from the Chinese,” Kellermann said. “And it’s not just limited to the chips.”
Concern about the Bloomberg article was tempered by strong denials from Apple and Amazon that gave some pause to cybersecurity journalists and academics.
“I have to say, this is all really bizarre,” tweeted Kim Zetter, a widely followed cybersecurity journalist. “The Bloomberg story is very detailed, citing documents and inside sources. But the company denials are also detailed and emphatic. You don't often see the latter when a company is trying to hide something or be coy.”
Thomas Rid, a strategic studies professor at Johns Hopkins University who studies security and intelligence, tweeted that if the story is true, “then we're looking at an intelligence operation of historic proportion” but also expressed some skepticism.
“I am filing this story as unconfirmed until we have an authoritative third party confirming the big picture outline as well as some of the details,” he tweeted.
Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania, said on Twitter that he expects other companies have similar security issues — or that the story had been oversold.
“If the supply-chain compromise capabilities are even remotely like what’s being reported, there will be more vendors than Supermicro affected,” Blaze said. “They just happened to be the first one to have their boards scrutinized this heavily.”
“High variance prediction: especially given the rather categorical denials from Apple and Amazon,” Blaze added, “there is either much more to this story or much less.”