The Implications Of Bloomberg's China Hacking Report
SCOTT SIMON, HOST:
This week, a report by Bloomberg said that Chinese government operatives planted microchips, especially micro microchips, into servers created by an American company called Supermicro. Big names use Supermicro's products, including Apple and NPR funder Amazon. The Chinese government strenuously denies the allegations. NPR's Jasmine Garsd tells us how worried American companies and users ought to be.
JASMINE GARSD, BYLINE: One thing is for sure - it was tiny as a pencil tip. But it sent fear through big tech's spine and national security communities. Adam Segal is a director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, a foreign policy think tank. He says if the Bloomberg story is true...
ADAM SEGAL: ...Then it's a major deal.
GARSD: It's not the first time Chinese tech companies with suspected ties to the Chinese government have been called into question. Earlier this year, the Pentagon prohibited phones manufactured by Chinese companies Huawei and ZTE on military bases. And Congress has been scrutinizing Google and Facebook over their data-sharing relationship with Huawei. In both cases, national security was the concern.
SEGAL: There's been reports from the Defense Science Board and others from at least the beginning of the 2000s that placing some type of chip would be a useful way for the Chinese intelligence services to gain access to information.
GARSD: What's worrisome about the allegations in the Bloomberg story is that an overwhelming amount of our technology uses components manufactured in China. The recent alleged attack didn't just compromise Apple and Amazon but also a major bank and U.S. government contractors. It's scary because, if it's true, we're stuck. The U.S. supply chain is linked to China inextricably.
KATIE MOUSSOURIS: I think we've already kind of passed the point where we can, for national security, just insource everything. I think we've passed that point at least 30 years ago.
GARSD: Katie Moussouris is the founder and CEO of Luta Security. It helps governments and large organizations deal with cyberattacks. Moving manufacturing from China to the U.S. is a centerpiece of the Trump administration's trade policy. But she says it's just not feasible.
MOUSSOURIS: The alternative of, let's say, insourcing instead of outsourcing and trying to manufacture every single part for all of our electronics domestically here in the United States - we simply would lack the capacity.
GARSD: After the story published earlier this week, investors fled Supermicro, the manufacturer accused of having the implanted Chinese microchips. Shares took a nosedive. Amazon and Apple have called the reports untrue. Moussouris is wary of taking the Bloomberg report at its word. She says these types of attacks - hardware attacks - are very hard to pull off. Even the Bloomberg report compares them to black magic - so unusual, companies are not very good at detecting or even combating it.
MOUSSOURIS: Companies like Apple and Microsoft and Amazon and Google, especially, have all done a lot of work to harden their software. So it makes it actually harder to exploit software vulnerabilities today than it is to exploit some hardware or hardware design flaws.
GARSD: Moussouris says hardware hacking is difficult to pull off. But...
MOUSSOURIS: Actually, when hardware hacking does happen, it's incredibly effective because you can bypass all of the software security in layers above.
GARSD: Like black magic, if it does exist, it's pretty scary. Jasmine Garsd, NPR News, New York.
Transcript provided by NPR, Copyright NPR.