A bipartisan pair of senators requested more answers from Supermicro, the motherboard producer that an explosive report said sold equipment to major US tech companies that had been infiltrated by the Chinese government.
Republican Sen. Marco Rubio and Democratic Sen. Richard Blumenthal sent a letter Tuesday to Supermicro’s CEO, Charles Liang, asking for more information following a Bloomberg story that reported the company sold motherboards to Apple, Amazon, and the US government that contained microchips implanted by Chinese spies.
In turn, Bloomberg reported, these microchips could have given the Chinese government backdoor access to data on servers where the motherboards were installed.
“If this news report is accurate, the potential infiltration of Chinese backdoors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks,” Rubio and Blumenthal wrote.
The pair added: “As Members of Congress, we are alarmed by any potential threats to national security and have a responsibility to ensure our nation’s sensitive networks are kept safe. We write to request information from Supermicro on these reported attempts to subvert its computer products to spy on the United States.”
Both Apple and Amazon strongly denied the report, which Rubio and Blumenthal acknowledged. But they said the issues raised in the report were too important to simply accept the companies’ statements.
“In The Information’s February 2017 article, Mr. Leng disclosed that ‘thousands of customers’ were using the same hardware. These customers deserve answers immediately,” the letter said. “While large tech firms may have the financial resources and expertise to mitigate sophisticated cyber security threats or completely remove affected hardware, most companies do not. Nor do they have the information to act.”
Bloomberg also reported Tuesday that a “major US telecom” also discovered compromised Supermicro equipment in August.
The letter from the senators follows concern from both sides of the aisle about the Bloomberg report. Rep. Adam Schiff, the top-ranking Democrat on the House Intelligence Committee, told Business Insider on Thursday that the Bloomberg report was another example of China’s long-standing attempts to infiltrate the information structures of the US.
“The report that China sought to infiltrate the computer chip supply chain, if true, is deeply disturbing and the latest example of the lengths that Beijing will go to in order to steal America’s official and commercial secrets,” Schiff said in a statement.
Dear Mr. Liang,
On October 4, 2018, Bloomberg Businessweek published stunning allegations of sophisticated cyber espionage operations by the Chinese government purported to involve the tampering of computer hardware manufactured and distributed by Supermicro. If this news report is accurate, the potential infiltration of Chinese backdoors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks. As Members of Congress, we are alarmed by any potential threats to national security and have a responsibility to ensure our nation’s sensitive networks are kept safe. We write to request information from Supermicro on these reported attempts to subvert its computer products to spy on the United States.
Bloomberg reported that the Chinese People’s Liberation Army engaged in a sophisticated operation to insert malicious surveillance and data manipulation components onto server motherboards. Chinese intelligence agents reportedly deceived, bribed, and coerced Supermicro’s third-party manufacturers and subcontractors to alter motherboard designs. These added components—while appearing to be innocuous, common chips to an observer—would have been complex backdoors, and could quietly provide the Chinese government the ability to exfiltrate confidential data and bypass security controls on the nation’s most sensitive systems.
According to Bloomberg‘s report, the infected servers were found in almost 30 companies, including important financial institutions, government contractors, and technology companies. Moreover, the operation was reportedly not found until Apple and Amazon detected abnormal network traffic and undocumented hardware components in audits of their networks and systems. When The Information reported in February 2017 on Apple’s decision to end its contract with your company, Supermicro’s senior vice-president of technology, Tau Leng, told the publication that malicious firmware from an outside manufacturer was found and committed to an independent investigation.
We note that Supermicro, Apple, and Amazon have issued strong denials regarding the Bloomberg report. However, the nature of the claims raised alarms that must be comprehensively addressed. In The Information‘s February 2017 article, Mr. Leng disclosed that “thousands of customers” were using the same hardware. These customers deserve answers immediately. While large tech firms may have the financial resources and expertise to mitigate sophisticated cyber security threats or completely remove affected hardware, most companies do not. Nor do they have the information to act.
We are alarmed about the dangers posed by backdoors, and take any claimed threat to the nation’s networks and supply chain seriously. These new allegations require thorough answers and urgent investigation for customers, law enforcement, and Congress. We ask that you provide responses to following questions by October 17, 2018:
1.) When did Supermicro first become aware of reports regarding malicious hardware components and firmware in its computers and hardware? Has Supermicro ever found tampering of components or firmware that targeted its products?
2.) Has Supermicro conducted an investigation of its chain of suppliers to identify any possible modifications or security issues with its products? If it has found tampering, has it severed ties with those suppliers?
3.) If Supermicro has found or otherwise become aware of unaccounted-for modification on hardware or firmware, has it taken steps to remove the tampered product from the supply chain?
4.) When The Information reported in February 2017 that Apple had found compromised firmware, did Supermicro conduct any investigation into the potential infiltration of its supply chain as Mr. Leng had committed to do so? If so, what were the results of this investigation?
5.) Has Supermicro cooperated with law enforcement in the United States to address such reports? If tampering is found, will you provide a list of potentially affected customers to U.S. authorities and provide information to customers?
6.) Has Supermicro enacted screening measures or audits to assess its supply chain and detect and mitigate any such attempts to tamper with products?
7.) If tampering is found, does Supermicro assess that such tampering could be mitigated based on firmware updates, software patches, configuration changes, or operating system defenses?
8.) Has the Chinese government ever requested access to Supermicro’s confidential security information or sought to restrict information regarding the security of Supermicro’s products?
Thank you for your attention to these important issues. We look forward to your response.
The National Highway Traffic Safety Administration (NHTSA) said in a statement on Tuesday that it does not evaluate vehicle safety beyond its star rating system — an apparent response to Tesla’s claim that its Model 3 sedan gives occupants a lower probability of receiving a serious injury in a crash than any other vehicle tested...