A news report claiming a compromise of U.S. companies’ supply chains by Chinese spies has triggered a thorough search in government and industry for evidence of the breach that has so far turned up nothing, according to a senior National Security Agency official, who expressed concern that the search was a distraction and potentially a waste of resources.
“I have grave concerns about where this has taken us,” Rob Joyce said Wednesday at the U.S. Chamber of Commerce. “I worry that we’re chasing shadows right now.”
The story in question is an explosive, anonymously-sourced report published last week by Bloomberg Businessweek. The report alleges Chinese intelligence agents placed malicious microchips on server motherboards supplied by Super Micro Computing Inc., setting up a backdoor to some 30 companies, including Apple and Amazon Web Services.
While supply-chain threats emanating from China are certainly a concern, Joyce said, “what I can’t find are any ties to the claims that are in the article.” Joyce, a respected cybersecurity hand with over two decades of experience at the NSA, said that his pursuit for evidence to substantiate the news report has so far been fruitless. “I have pretty great access, [and yet] I don’t have a lead to pull from the government side. We’re just befuddled.”
Apple, AWS, and Supermicro all gave strenuous, detailed denials of key elements of the story – denials that the Department of Homeland Security has backed. Bloomberg says it stands by its reporting.
Joyce, the former top cybersecurity official in the White House, described “great frustration” at the upheaval and confusion caused by the report.
Companies have scoured their networks for the malicious chips depicted in the Bloomberg story and have not found anything of the sort, he said. “I’ve got all sorts of commercial industry [contacts] freaking out and just losing their mind about this concern. Their [executive] boards are poking at them, their managers are poking at them, and nobody’s found anything.”
Joyce appealed to anyone with knowledge of the alleged hardware tampering to contact officials in the NSA, DHS, or FBI.
Like Joyce, Jeanette Manfra, DHS’s top cybersecurity official, said Wednesday that the department still hasn’t found any information that corroborates the Bloomberg report.