The Washington Post

The Cybersecurity 202: Lawmakers press for answers about China's alleged supply chain hack

with Cat Zakrzewski and Bastien Inzaurralde

THE KEY

Lawmakers are prying into a controversial report that Chinese spies installed surveillance microchips in servers used by Apple, Amazon and other American companies. 

On Wednesday, Sens. Marco Rubio (R-Fla.) and Richard Blumenthal (D-Conn.) wrote to Supermicro, the firm that manufactured the allegedly compromised hardware, asking whether it had detected any such tampering in its products. The senators acknowledged that the company, along with Apple and Amazon, had forcefully denied the reporting from Bloomberg Businessweek, but said “the nature of the claims raised alarms that must be comprehensively addressed.” 

“We are alarmed by the dangers posed by back doors, and take any claimed threat to the nation’s networks and supply chain seriously,” they said. “These new allegations require thorough and urgent investigation for customers, law enforcement and Congress.” 

Other lawmakers on the Hill have fired off similar missives. Sen. John Thune (R-S.D.) wrote to Apple, Amazon and Supermicro requesting staff briefings about the Bloomberg article by Friday. And House Oversight Committee Chairman Trey Gowdy (R-S.C.) and Intelligence Committee Chairman Devin Nunes (R-Calif.) called on the heads of the FBI, Department of Homeland Security and the Office of the Director of National Intelligence to provide a classified briefing on the matter by Oct. 22. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

The flurry of requests underscores long-standing concerns in Congress about the potential for a foreign adversary to conduct cyber espionage by infiltrating the supply chain. So even though an array of U.S. officials and cybersecurity experts have joined the companies in challenging the Bloomberg story, which came out a week ago today, lawmakers aren’t taking any chances with the allegations raised in it.

“If this news report is accurate, the potential infiltration of Chinese back doors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks,” Rubio and Blumenthal wrote.

Yet senior administration officials continue to cast doubt on the report. Former White House cybersecurity coordinator Rob Joyce joined the chorus of skeptics on Wednesday, saying the article had set off a search for answers in government and industry that had so far turned up no evidence of such a compromise, according to CyberScoop. “I have grave concerns about where this has taken us,” Joyce, now a senior National Security Agency official, said at a U.S. Chamber of Commerce cybersecurity event. “I worry that we’re chasing shadows right now.”

The explosive Bloomberg report said that operatives from a unit of the People’s Liberation Army secretly installed the surveillance chips in Supermicro motherboards during the assembly process in China, creating a “stealth doorway” into networks that used the machines. Citing unnamed government and corporate officials, the report described it as the “most significant supply chain attack known to have been carried out against American companies.” 

Immediately after the report was published, Apple said it had “never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server.” Amazon called the story “erroneous” and said the details about Amazon were “untrue.” Supermicro also denied the report, saying it hadn't been contacted by any law enforcement agency or dropped by any customer for “this type of issue." What's more, while the article said a top-secret U.S. investigation involving the FBI remained open, the companies said they were unaware of any such probe and had not been contacted by investigators.

Now lawmakers are left trying to parse out what's true, and it could end up becoming a flash point between some members and the tech companies — or even senior officials. Sen. Ron Johnson (R-Wis.), chairman of the Homeland Security Committee, said in a hearing Wednesday morning that he found the story credible. He asked FBI Director Christopher A. Wray and Homeland Security Secretary Kirstjen Nielsen, who testified in the hearing, whether they were aware of “implantation of chips in the supply chain.”

Wray deflected. “Be careful what you read in this context,” he said, adding that he was barred from commenting on whether the FBI was investigating the matter. Nielsen said DHS doesn’t have “any evidence that supports the article. We have no reason to doubt what the companies have said.” Still, she stressed that supply chain hacks are "a very real and emerging threat that we are very concerned about." 

Indeed, the article seemed to channel some of Washington’s worst anxieties about supply chain security.

Lawmakers and federal officials have long fretted over whether a foreign adversary could carry out such an infiltration, and over the past year they’ve taken steps to try to prevent it. Last fall, DHS directed federal agencies to stop using software made by the Russian cybersecurity contractor Kaspersky over concerns that Moscow’s intelligence services could use the company to conduct cyber espionage. Shortly after, Congress banned federal agencies from using Kaspersky’s products as part of the defense spending bill. Lawmakers and military officials have raised similar fears that Chinese telecom giants ZTE and Huawei could be used as conduits for Beijing to spy on U.S. citizens, companies and government offices. This year, lawmakers abandoned an effort to prohibit federal agencies and contractors from doing business with ZTE at the request of the White House.


PINGED, PATCHED, PWNED
FBI Director Christopher A. Wray and Secretary of Homeland Security Kirstjen Nielsen spoke about election security and counterintelligence threats Oct. 10. (Video: Reuters)

PINGED: Nielsen also warned senators that China “absolutely” is “exerting unprecedented effort to influence American opinion" in her appearance before the Senate Homeland Security and Governmental Affairs Committee on Wednesday. But she said that federal authorities “have not seen to date any Chinese attempts to compromise election infrastructure.” (She made similar comments during a Washington Post Live Cybersecurity Summit 2018 last week.) Nielsen testified alongside Wray and Russell Travers, the acting director of the National Counterterrorism Center at the Office of the Director of National Intelligence.

Asked by Sen. Jon Kyl (R-Ariz.) to assess the risk that Beijing's cyber activities and disinformation efforts represent in comparison to Russia, Wray replied that he was “reluctant to try to rank threats” but added that “China in many ways represents the broadest, most complicated, most long-term counterintelligence threat we face.” Wray told Kyl that China will remain a threat to the United States in the long run. “Russia is in many ways fighting to stay relevant after the fall of the Soviet Union. They're fighting today's fight,” Wray said. “China is fighting tomorrow's fight, and the day after tomorrow, and the day after that. And it affects every sector of our economy, every state in the country and just about every aspect of what we hold dear.”

PATCHED: Thune, who chairs the Commerce Committee, said Google's decision not to disclose the Google+ data leak, along with Facebook's Cambridge Analytica scandal, underscored the need for a federal privacy law. “It is increasingly clear that industry self-regulation in this area is not sufficient,” Thune said.

In a hearing with privacy experts, Blumenthal criticized the company for deciding not to disclose the vulnerability. The Wall Street Journal reported the company learned about the vulnerability in the spring and opted not to disclose it, partially because of fears of regulatory repercussions. He said he planned to investigate further and called on European regulators to do so as well.

Andrea Jelinek, the European Data Protection Board chair, said in her testimony at the hearing that authorities in Germany and Ireland will investigate. The breach occurred before the European Union's GDPR rules went into effect on May 25; under GDPR, the company would likely have been required to report the compromise promptly, since the regulation sets a 72-hour deadline for notifying the supervisory authority of a personal data breach. Jelinek said it would have been easier for consumers and the company if the breach had occurred after GDPR because the company would have faced just one investigation for all of the European Union's member states.

Following the hearing, Blumenthal sent a letter to the Federal Trade Commission, along with Sens. Edward J. Markey (D-Mass.) and Tom Udall (D-N.M.), asking it to investigate the incident.

PWNED: “A California man whose testimony contributed to the indictment of 13 Russian individuals and three companies in special counsel Robert S. Mueller III’s probe of an alleged 2016 U.S. election trolling effort was sentenced Wednesday to six months in prison and six months’ home confinement in a deal with prosecutors,” The Washington Post's Spencer S. Hsu reported. “Richard Pinedo, 28, of Santa Paula, Calif., pleaded guilty Feb. 12 to identity theft in a deal announced the same day Mueller’s office unveiled an indictment accusing the St. Petersburg-based Internet Research Agency. The defendants were charged with running a far-reaching fraud scheme using fake social media accounts to trick Americans online into following Russian-fed propaganda to support then-candidate Donald Trump.”

Spencer reported that U.S. District Judge Dabney L. Friedrich of the District said Pinedo “opened the door for others outside this country,” but the judge also noted that he cooperated with investigators. “Prosecutors acknowledged Pinedo significantly aided the investigation by linking anonymous Internet activity to the charged Russians, who include business executive Yevgeniy Viktorovich Prigozhin, nicknamed ‘Putin’s chef’ because of his ties to Russian President Vladi­mir Putin,” Spencer wrote. Moreover, as my colleague reported, “Pinedo said he is viewed by some as a traitor to his country and has been threatened with harm by others for cooperating with the FBI and warned he will be poisoned if he travels abroad.”

PUBLIC KEY

— “In a motion to dismiss a new lawsuit accusing [Trump’s] campaign team of illegally conspiring with Russian agents to disseminate stolen emails during the election, Trump campaign lawyers have tried out a new defense: free speech,” the Atlantic's Natasha Bertrand reported. “The lawsuit, filed last month by two donors and one former employee of the Democratic National Committee, alleges that the Trump campaign, along with former Trump adviser Roger Stone, worked with Russia and WikiLeaks to publish hacked DNC emails, thereby violating their privacy.” Lawyers for the Trump campaign said in a brief filed on Tuesday that the First Amendment guarantees the campaign's “right to disclose information — even stolen information — so long as (1) the speaker did not participate in the theft and (2) the information deals with matters of public concern,” Bertrand reported.

— “A veteran Republican activist whose quest to obtain Hillary Clinton’s emails from hackers dominated the final months of his life struck up a professional relationship with Lt. Gen. Michael Flynn, the former national security adviser to President Trump, as early as 2015, and told associates during the presidential campaign that he was using the retired general’s connections to help him on the email project,” the Wall Street Journal's Shelby Holliday, Byron Tau and Dustin Volz reported Wednesday. “The late Peter W. Smith, an Illinois financier with a long history in Republican politics, met with Mr. Flynn in 2015, according to people familiar with the matter. At the time, Mr. Flynn had recently left his job as head of the Defense Intelligence Agency and was trying to set up his own consulting firm, while Mr. Smith was looking at investment opportunities in cybersecurity.”

— More cybersecurity news from the public sector:

In a first, a Chinese spy is extradited to the U.S. after stealing technology secrets, Justice Dept. says (Ellen Nakashima)

How the US Forced China to Quit Stealing—Using a Chinese Spy (Wired)

Trump's praise for North Korea complicates cyber deterrence (The Hill)

IBM challenges Pentagon’s $10 billion cloud computing effort days before bids are due (Aaron Gregg)

Rosenstein’s interview with Trump’s congressional allies postponed indefinitely (Karoun Demirjian and Devlin Barrett)

PRIVATE KEY

Facebook's WhatsApp says it has fixed video call security bug (Reuters)

Amazon and Walmart Want to Read Your Vital Signs (and Sell You Stuff) (The Daily Beast)

Google Privacy Upgrades Could Jolt Gmail App Developers (The Wall Street Journal)

Cyber Researchers Propose a ‘Smart’ Social Security Card (Nextgov)

SECURITY FAILS

Cryptocurrency theft hits nearly $1 billion in first nine months: report (Reuters)

THE NEW WILD WEST

— “Taiwanese leader Tsai Ing-wen cautioned China against any efforts to interfere in local elections next month, in a toughly worded speech that mirrored U.S. Vice President Mike Pence’s own rebuke to Beijing,” Bloomberg News's Debby Wu reported. “Tsai made the remarks during a National Day address in Taipei, in which she described China as a threat to the international order. The Taiwanese president used the speech to issue a warning about election meddling after her administration accused China, along with Russia and North Korea, of testing cyber-hacking techniques on the democratically run island for use elsewhere.”

— More cybersecurity news from abroad:

A deep dive into the forces driving Russian and Chinese hacker forums (ZDNet)

EU Lawmakers Back Measures to Avoid Repeat of Facebook Scandal (Bloomberg Law)

Exclusive: Vietnam cyber law set for tough enforcement despite Google, Facebook pleas (Reuters)


EASTER EGGS

Jamal Khashoggi supporters urge Trump administration to investigate disappearance:

Supporters of Washington Post contributor Jamal Khashoggi, who disappeared Oct. 2 at a Saudi consulate, urged the federal government to investigate on Oct. 10. (Video: Joyce Koh/The Washington Post, Photo: Matt McClain/The Washington Post)

Hurricane Michael lashes Florida's Gulf Coast:

Hurricane Michael moved northward across the Southeast, bringing high winds and heavy rains. (Video: Joyce Koh, Alice Li, Mark Barcelo/The Washington Post)

Russian town hires cat chief to keep strays happy:

Svetlana Logunova landed the role of Zelenogradsk, Russia’s new cat chief. Her duties include feeding and tending to the town’s approximately 70 stray cats. (Video: Reuters)