Apple disputes report on chips; no breach seen, lawmakers told

Apple Inc. on Monday issued a strong denial to Congress after a news report that said its products have been compromised by the Chinese government.

Apple's top security officer told lawmakers that the company has found no evidence that backs up the claims made in the report published last week by Bloomberg Businessweek. The magazine reported that the Chinese government planted surveillance microchips in servers used by U.S. tech giants.

The Department of Homeland Security and Britain's national cybersecurity agency both have said they believe the denials issued by Apple, Amazon and others.

The chips were reportedly inserted into motherboards for servers made by a San Jose, Calif.-based company, Supermicro, which also denies the Bloomberg Businessweek story. The magazine said the chips included code that caused the products to accept changes to their software and to connect to outside computers.

The extent of the data China could have collected from such chips was not made clear in the report. The magazine said no consumer information was known to have been stolen.

"We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns," George Stathakopoulos, vice president of information security at Apple, wrote to the leaders of the House and Senate commerce committees on Monday. "A compromise of this magnitude, and the effective deployment of malicious chips like the one described by Bloomberg, would represent a serious threat to the security of systems at Apple and elsewhere."

Stathakopoulos' comments echoed the company's denial to the news media last week and were in line with Amazon's response, too.

"At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems," Amazon said last week. "Nor have we engaged in an investigation with the government."

The Bloomberg Businessweek report, published Thursday, also claims that there is an ongoing FBI investigation into the issue. Supermicro said last week that it was not aware of any such investigation and that it had not been contacted by the government.

Besides raising concerns among consumers, any perceived insecurity of the products or services of U.S. technology giants could affect their ability to land government contracts. The U.S. government has been suspicious of Chinese-made technology and this year forbade its agencies from using products made by companies such as Huawei and ZTE.

"Concern for supply chain security is absolutely central to the way we run our business," Stathakopoulos said in his letter, a copy of which was provided to The Mercury News of San Jose, Calif. The letter was sent to Sens. John Thune, R-S.D., and Ben Nelson, D-Neb., on the Senate's Commerce, Science and Transportation Committee; and to Reps. Greg Walden, R-Ore., and Frank Pallone, D-N.J., on the House Energy and Commerce Committee.

Stathakopoulos said he would be available this week to brief the lawmakers' staff members on the matter, which he said the company has been investigating since it was contacted by Bloomberg Businessweek in October 2017.

One lawmaker, Rep. Chris Stewart, R-Utah, told Bloomberg TV last week that if the report were true, it would represent the "holy grail of hacking." Bloomberg said it stands by its article, which it told other media outlets is based on more than a year's worth of work, 100 interviews and 17 anonymous sources that confirmed the reporting.

But government agencies do not appear to be convinced.

"At this time we have no reason to doubt the statements from the companies named in the story," the U.S. Department of Homeland Security said Saturday.

"We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple," the National Cyber Security Center, a unit of Britain's GCHQ intelligence agency, said Friday.

A Chinese government spokesman on Monday sidestepped questions about the report.

The spokesman, Lu Kang, responded to questions from reporters Monday by directing them to statements by the equipment supplier and customers including Apple and Amazon.

"Do you feel that you still need China to respond to these statements?" Lu said.

In the U.S., tech providers vying for a $10 billion Defense Department cloud-computing contract may come under added pressure to prove their systems are secure.

Security and procurement experts said Amazon can argue that it was a victim that uncovered the problem and perhaps could improve its prospects for winning the cloud-services award. According to the report, Amazon unearthed the breaches, which happened at factories run by subcontractors in China. Amazon then alerted authorities and took action to limit the consequences, the report said.

Still, the report increases pressure on the Pentagon as well as on Amazon and the other bidders to step up measures to secure their systems in a global marketplace where integral equipment is manufactured in China.

A deadline looms this month for companies including Amazon, Microsoft, IBM and Oracle to submit bids for the Pentagon's project, which involves moving huge amounts of sensitive government data to a commercially operated cloud system.

Amazon Web Services was seen as the front-runner from the start because it had already won a $600 million cloud contract from the Central Intelligence Agency in 2013.

Security experts pointed to the challenges of securing systems with components made in different parts of the world.

"The problem is most of our electronics are made in China," said Darrell West, director of the Center for Technology Innovation at the Brookings Institution. "Even if a file server is made in the United States, it's still likely to have components from abroad and especially from China."

Information for this article was contributed by Levi Sumagaysay of The Mercury News, by Naomi Nix and Ben Brody of Bloomberg News and by staff members of The Associated Press.

Business on 10/09/2018
