I wrote an opinion piece on Friday outlining the five reasons I believe Apple, not Bloomberg, about the Chinese spy chip story.
It’s a friend-of-a-friend story. The technical arguments suggest it didn’t happen in the way Bloomberg says it did. Apple’s denial appears unequivocal. The company has ruled out the gag order theory. And, if it were true, there would be no reason now not to come clean about it.
Since then, four further reasons to believe Apple have emerged …
First, GCHQ – the UK equivalent of the NSA – issued a statement later the same day saying it had no reason to doubt Apple’s denial.
We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Center, a unit of Britain’s eavesdropping agency, GCHQ.
Second, the Department of Homeland Security yesterday echoed this stance.
The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.
Both organizations are, of course, perfectly willing to bend the truth if they believe it necessary in the interests of national security. As I wrote before, I could well believe they might have done so before the claim was made public – but would be no reason to maintain any fiction today.
The value of keeping quiet about any Chinese spy chip was completely lost once Bloomberg posted its story. If it was true, the Chinese government would know that the gig was up, and there would be no value in Apple, Amazon or the US government maintaining their silence. Apple could simply issue a statement saying something like ‘yes, this happened; we detected it; we were asked to keep quiet about it; we took steps to ensure no genuine customer data was leaked.’
By stating now that they have no evidence of the attack – when this is the sort of thing they are paid to detect – they are effectively staking their reputations on the fact that Apple is telling the truth. They would be stupid to do so unless they had in fact looked into the matter very carefully indeed.
Third, Reuters reports that Apple has written a letter to Congress stating once again that it repeatedly investigated Bloomberg’s claims and found no evidence to support them.
Apple Vice President for Information Security George Stathakopoulos wrote in a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article published on Thursday, including that chips inside servers sold to Apple by Super Micro Computer allowed for backdoor transmissions to China.
“Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found,” he wrote in the letter provided to Reuters.
Stathakopoulos […] said he would be available to brief Congressional staff on the issue this week.
Apple would be insane to write such a letter – and to offer to make further statements in person – were it lying.
Fourth, security researcher Brian Krebs has weighed-in. Understandably, he focuses on the risk that this sort of thing could happen – rather than expressing a strong view as to whether this particular story is true. However, he does say that he heard the same stories and was, for whatever it may be worth, unable to verify them.
I heard similar allegations earlier this year about Supermicro and tried mightily to verify them but could not. That in itself should be zero gauge of the story’s potential merit. After all, I am just one guy, whereas this is the type of scoop that usually takes entire portions of a newsroom to research, report and vet.
He goes on to suggest that the US government conducts ongoing checks for this type of attack, and hints that the claimed Chinese spy chip is unlikely to have made it through the net.
The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list, “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.
So that’s now nine reasons to believe Apple – and no reasons at all to disbelieve them. I absolutely accept that Bloomberg reported in good faith a story it believed to be true. But it’s my view that the evidence is now unassailable that it got the Chinese spy chip story very wrong.