THE KEY

Lawmakers are prying into a controversial report that Chinese spies installed surveillance microchips in servers used by Apple, Amazon and other American companies. 

On Wednesday, Sens. Marco Rubio (R-Fla.) and Richard Blumenthal (D-Conn.) wrote to Supermicro, the firm that manufactured the allegedly compromised hardware, asking whether it had detected any such tampering in its products. The senators acknowledged that the company, along with Apple and Amazon, had forcefully denied the reporting from Bloomberg Businessweek, but said “the nature of the claims raised alarms that must be comprehensively addressed.” 

“We are alarmed by the dangers posed by back doors, and take any claimed threat to the nation’s networks and supply chain seriously,” they said. “These new allegations require thorough and urgent investigation for customers, law enforcement and Congress.” 

Other lawmakers on the Hill have fired off similar missives. Sen. John Thune (R-S.D.) wrote to Apple, Amazon and Supermicro requesting staff briefings about the Bloomberg article by Friday. And House Oversight Committee Chairman Trey Gowdy (R-S.C.) and Intelligence Committee Chairman Devin Nunes (R-Calif.) called on the heads of the FBI, Department of Homeland Security and the Office of the Director of National Intelligence to provide a classified briefing on the matter by Oct. 22. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

The flurry of requests underscores long-standing concerns in Congress about the potential for a foreign adversary to conduct cyber espionage by infiltrating the supply chain. So even though an array of U.S. officials and cybersecurity experts have joined the companies in challenging the Bloomberg story, which came out a week ago today, lawmakers aren’t taking any chances with the allegations raised in it.

“If this news report is accurate, the potential infiltration of Chinese back doors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks,” Rubio and Blumenthal wrote.

Yet senior administration officials continue to cast doubt on the report. Former White House cybersecurity coordinator Rob Joyce joined the chorus of skeptics on Wednesday, saying the article had set off a search for answers in government and industry that had so far turned up no evidence of such a compromise, according to CyberScoop. “I have grave concerns about where this has taken us,” Joyce, now a senior National Security Agency official, said at U.S. Chamber of Commerce cybersecurity event. “I worry that we’re chasing shadows right now.”

The explosive Bloomberg report said that operatives from a unit of the People’s Liberation Army secretly installed the surveillance chips in Supermicro motherboards during the assembly process in China, creating a “stealth doorway” into networks that used the machines. Citing unnamed government and corporate officials, the report described it as the “most significant supply chain attack known to have been carried out against American companies.” 

Immediately after the report was published, Apple said it had “never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server.” Amazon called the story “erroneous” and said the details about Amazon were “untrue.” Supermicro also denied the report, saying it hadn't been contacted by any law enforcement agency or dropped by any customer for “this type of issue." What's more, while the article said a top-secret U.S. investigation involving the FBI remained open, the companies said they were unaware of any such probe and had not been contacted by investigators.

Now lawmakers are left trying to parse out what's true, and it could end up becoming a flash point between some members and the tech companies — or even senior officials. Sen. Ron Johnson (R-Wis.), chairman of the Homeland Security Committee, said in a hearing Wednesday morning that he found the story credible. He asked FBI Director Christopher A. Wray and Homeland Security Secretary Kirstjen Nielsen, who testified in the hearing, whether they were aware of “implantation of chips in the supply chain.”

Wray deflected. “Be careful what you read in this context,” he said, adding that he was barred from commenting on whether the FBI was investigating the matter. Nielsen said DHS doesn’t have “any evidence that supports the article. We have no reason to doubt what the companies have said.” Still, she stressed that supply chain hacks are "a very real and emerging threat that we are very concerned about." 

Indeed, the article seemed to channel some of Washington’s worst anxieties about supply chain security.

Lawmakers and federal officials have long fretted over whether a foreign adversary could carry out such an infiltration, and over the past year they’ve taken steps to try to prevent it. Last fall, DHS directed federal agencies to stop using software made by the Russian cybersecurity contractor Kaspersky over concerns that Moscow’s intelligence services could use the company to conduct cyber espionage. Shortly after, Congress banned federal agencies from using Kaspersky’s products as part of the defense spending bill. Lawmakers and military officials have raised similar fears that Chinese telecom giants ZTE and Huawei could be used as conduits for Beijing to spy on U.S. citizens, companies and government offices. This year, lawmakers abandoned an effort to prohibit federal agencies and contractors from doing business with ZTE at the request of the White House.

Keeping up with the news in President Trump’s Washington is exhausting — whether you live here, work in the nation’s capital, or are just watching from afar. That’s why next Tuesday, we’re launching Power Up by Jacqueline Alemany. It's a new newsletter from The Washington Post that will land in your inbox before you reach for that first cup of coffee. It will bring you Washington, fast.

Click here to sign up.

PINGED, PATCHED, PWNED

PINGED: Nielsen also warned senators that China “absolutely” is “exerting unprecedented effort to influence American opinion" in her appearance before the Senate Homeland Security and Governmental Affairs Committee on Wednesday. But she said that federal authorities “have not seen to date any Chinese attempts to compromise election infrastructure.” (She made similar comments during a Washington Post Live Cybersecurity Summit 2018 last week.) Nielsen testified alongside Wray and Russell Travers, the acting director of the National Counterterrorism Center at the Office of the Director of National Intelligence.

Asked by Sen. Jon Kyl (R-Ariz.) to assess the risk that Beijing's cyber activities and disinformation efforts represent in comparison to Russia, Wray replied that he was “reluctant to try to rank threats” but added that “China in many ways represents the broadest, most complicated, most long-term counterintelligence threat we face.” Wray told Kyl that China will remain a threat to the United States in the long run. “Russia is in many ways fighting to stay relevant after the fall of the Soviet Union. They're fighting today's fight,” Wray said. “China is fighting tomorrow's fight, and the day after tomorrow, and the day after that. And it affects every sector of our economy, every state in the country and just about every aspect of what we hold dear.”

PATCHED: Thune, who chairs the Commerce committee, said Google and the company's decision to not disclose the data leak along with Facebook's Cambridge Analytica scandal underscored the need for a federal privacy law. “It is increasingly clear that industry self-regulation in this area is not sufficient,” Thune said.

In a hearing with privacy experts, Blumenthal criticized the company for deciding not to disclose the vulnerability. The Wall Street Journal reported the company learned about the vulnerability in the spring and opted not to disclose it, partially because of fears of regulatory repercussions. He said he planned to investigate further and called on European regulators to do so as well.

Andrea Jelinek, the European Data Protection Board chair, said in her testimony at the hearing that authorities in Germany and Ireland will investigate. The breach occurred before the European Union's GDPR rules went into effect on May 25, which likely would have required the company to disclose the compromise early. Jelinek said it would have been easier for consumers and the company if the breach had occurred after GDPR because the company would have faced just one investigation for all of the European Union's member states.

Following the hearing, Blumenthal sent a letter to the Federal Trade Commission, along with Sens. Edward J. Markey (D-Mass.) and Tom Udall (D-N.M.), asking it to investigate the incident.

PWNED: “A California man whose testimony contributed to the indictment of 13 Russian individuals and three companies in special counsel Robert S. Mueller III’s probe of an alleged 2016 U.S. election trolling effort was sentenced Wednesday to six months in prison and six months’ home confinement in a deal with prosecutors,” The Washington Post's Spencer S. Hsu reported. “Richard Pinedo, 28, of Santa Paula, Calif., pleaded guilty Feb. 12 to identity theft in a deal announced the same day Mueller’s office unveiled an indictment accusing the St. Petersburg-based Internet Research Agency. The defendants were charged with running a far-reaching fraud scheme using fake social media accounts to trick Americans online into following Russian-fed propaganda to support then-candidate Donald Trump.”

Spencer reported that U.S. District Judge Dabney L. Friedrich of the District said Pinedo “opened the door for others outside this country,” but the judge also noted that he cooperated with investigators. “Prosecutors acknowledged Pinedo significantly aided the investigation by linking anonymous Internet activity to the charged Russians, who include business executive Yevgeniy Viktorovich Prigozhin, nicknamed ‘Putin’s chef’ because of his ties to Russian President Vladi­mir Putin,” Spencer wrote. Moreover, as my colleague reported, “Pinedo said he is viewed by some as a traitor to his country and has been threatened with harm by others for cooperating with the FBI and warned he will be poisoned if he travels abroad.”

PUBLIC KEY

— “In a motion to dismiss a new lawsuit accusing [Trump’s] campaign team of illegally conspiring with Russian agents to disseminate stolen emails during the election, Trump campaign lawyers have tried out a new defense: free speech,” the Atlantic's Natasha Bertrand reported. “The lawsuit, filed last month by two donors and one former employee of the Democratic National Committee, alleges that the Trump campaign, along with former Trump adviser Roger Stone, worked with Russia and WikiLeaks to publish hacked DNC emails, thereby violating their privacy.” Lawyers for the Trump campaign said in a brief filed on Tuesday that the First Amendment guarantees the campaign's “right to disclose information — even stolen information — so long as (1) the speaker did not participate in the theft and (2) the information deals with matters of public concern,” Bertrand reported.

— “A veteran Republican activist whose quest to obtain Hillary Clinton’s emails from hackers dominated the final months of his life struck up a professional relationship with Lt. Gen. Michael Flynn, the former national security adviser to President Trump, as early as 2015, and told associates during the presidential campaign that he was using the retired general’s connections to help him on the email project,” the Wall Street Journal's Shelby Holliday, Byron Tau and Dustin Volz reported Wednesday. “The late Peter W. Smith, an Illinois financier with a long history in Republican politics, met with Mr. Flynn in 2015, according to people familiar with the matter. At the time, Mr. Flynn had recently left his job as head of the Defense Intelligence Agency and was trying to set up his own consulting firm, while Mr. Smith was looking at investment opportunities in cybersecurity.”

— More cybersecurity news from the public sector:

National Security
An officer with China’s Ministry of State Security appeared in federal court in Cincinnati to face charges he sought to commit economic espionage and steal aviation secrets.
Ellen Nakashima
For years, China has systematically looted American trade secrets. Here's the messy inside story of how DC got Beijing to clean up its act for a while.
Wired
President Trump’s recent goodwill toward North Korea is at odds with his administration’s attempts to crack down on the country’s cyberattacks, and experts say the president’s plaudits could hinder U.S.-led efforts.
The Hill
Business
An IBM executive said Wednesday that the company has submitted a pre-award bid protest with the Government Accountability Office, challenging the government's decision to turn to a single cloud provider for its biggest IT procurement in years.
Aaron Gregg
PowerPost
Lawmakers and the Justice Department never reached an agreement on holding the meeting.
Karoun Demirjian and Devlin Barrett
PRIVATE KEY
Facebook Inc’s WhatsApp messenger service said on Wednesday it has fixed the latest bug on its platform that allowed hackers to take over users’ applications when they answered an incoming video call.
Reuters
The retail giants just secured patents that will help them determine how you’re feeling and what you might buy.
The Daily Beast
Google’s plan to put more limits on access to Gmail user data is likely to disrupt business for scores of app developers whose services are based on the world’s most popular email service.
The Wall Street Journal
Instead of ditching the SSN as an identifier, the government could take steps to modernize it.
Nextgov
SECURITY FAILS
Theft of cryptocurrencies through hacking of exchanges and trading platforms soared to $927 million in the first nine months of the year, up nearly 250 percent from the level seen in 2017, according to a report from U.S.-based cyber security firm CipherTrace released on Wednesday.
Reuters
THE NEW WILD WEST

— “Taiwanese leader Tsai Ing-wen cautioned China against any efforts to interfere in local elections next month, in a toughly worded speech that mirrored U.S. Vice President Mike Pence’s own rebuke to Beijing,” Bloomberg News's Debby Wu reported. “Tsai made the remarks during a National Day address in Taipei, in which she described China as a threat to the international order. The Taiwanese president used the speech to issue a warning about election meddling after her administration accused China, along with Russia and North Korea, of testing cyber-hacking techniques on the democratically run island for use elsewhere.”

— More cybersecurity news from abroad:

Profit, hacktivism, and politics are only some of the differences between Russia and China's hacking communities.
ZDNet
A European Parliament committee backed draft proposals aimed at avoiding a repetition of the scandal in which the data of millions of Facebook users ended up in the hands of the political consultancy Cambridge Analytica.
Bloomberg Law
Vietnam is preparing to strictly enforce a new cybersecurity law requiring global technology companies to set up local offices and store data locally despite pleas from Facebook, Google and other firms, a government document showed.
Reuters

ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

Jamal Khashoggi supporters urge Trump administration to investigate disappearance:

Hurricane Michael lashes Florida's Gulf Coast:

Russian town hires cat chief to keep strays happy: