It’s not yet clear how much veracity there is to the recent Bloomberg report claiming that companies, including Apple and Amazon, were sold data servers compromised by Chinese spies. However, a bipartisan pair of U.S. senators want answers from the manufacturer in question.
In a letter addressed to motherboard supplier Supermicro, senators Marco Rubio and Richard Blumenthal request answers to eight queries. Here’s what they wrote:
In their letter, the senators note that, “as Members of Congress, we are alarmed by any potential threats to national security and have a responsibility to ensure our nation’s sensitive networks are kept safe. We write to request information from Supermicro on these reported attempts to subvert its computer products to spy on the United States.”
They then follow up with these eight questions:
1) When did Supermicro first become aware of reports regarding malicious hardware components and firmware in its computers and hardware? Has Supermicro ever found tampering of components or firmware that targeted its products?
2) Has Supermicro conducted an investigation of its chain of suppliers to identify any possible modifications or security issues with its products? If it has found tampering, has it severed ties with those suppliers?
3) If Supermicro has found or otherwise become aware of unaccounted-for modification on hardware or firmware, has it taken steps to remove the tampered product from the supply chain?
4) When The Information reported in February 2017 that Apple had found compromised firmware, did Supermicro conduct any investigation into the potential infiltration of its supply chain as Mr. Leng had committed to do so? If so, what were the results of this investigation?
5) Has Supermicro cooperated with law enforcement in the United States to address such reports? If tampering is found, will you provide a list of potentially affected customers to U.S. authorities and provide information to customers?
6) Has Supermicro enacted screening measures or audits to assess its supply chain and detect and mitigate any such attempts to tamper with products?
7) If tampering is found, does Supermicro assess that such tampering could be mitigated based on firmware updates, software patches, configuration changes, or operating system defenses?
8) Has the Chinese government ever requested access to Supermicro’s confidential security information or sought to restrict information regarding the security of Supermicro’s products?
Where is the truth in all of this?
As soon as the Bloomberg Businessweek article was published last week, Amazon and Apple — two of the companies named in the piece — sprang into action to deny its veracity.
Amazon blasted the story for allegedly being full of inaccuracies. Apple penned its own denial, and then cemented this by writing a letter to Congress to say as much. Both companies have been backed up by British and U.S. intelligence, who say they have no reason to doubt the denials being made.
Despite this, Bloomberg doubled down on its reportage. In a statement issued yesterday, a Bloomberg spokesperson said that, “Our reporters and editors thoroughly vet every story before publication, and this was no exception.” The publication also published a story claiming a “major U.S. telecom” discovered compromised Supermicro equipment back in August.
What is the truth in all of this? We’re with senators Rubio and Blumenthal on this much: We’ve certainly got some questions we’d like answered.
Source: Business Insider