Owen Churchill – South China Morning Post
The senators want closed-door hearings to verify a media report about ‘the potential cybersecurity and supply chain threat’ The FBI and US Homeland Security are ‘processing the request’
US senators have called on the Federal Bureau of Investigation and Department of Homeland Security (DHS) to conduct classified hearings to investigate the alleged Chinese hacking of American tech firms’ supply chains, according to a letter obtained by the South China Morning Post.
An October 4 investigative report by Bloomberg BusinessWeek said dozens of tech companies, including Apple and Amazon, were victims of a hacking campaign by Chinese spies to install chips the size of a grain of rice on motherboards used in the companies’ servers.
Those chips could then be used to give third parties in China access to confidential information, the report said. Apple and Amazon, along with the motherboard maker Supermicro, have vociferously denied the reports and requested a retraction of the story.
In a letter dated October 16, Senators Ron Johnson (a Wisconsin Republican) and Claire McCaskill (a Democrat representing Missouri), who head the Committee on Homeland Security and Governmental Affairs, formally asked US Homeland Security Secretary Kirstjen Nielsen and FBI Director Christopher Wray to pursue the matter behind closed doors.
Aaren Johnson, Ron Johnson’s deputy press secretary, said on Thursday that the FBI and DHS had received the letter and were processing the request, but that the committee had not yet received a briefing.
A spokeswoman for the DHS said: “As a matter of policy we don’t comment on Congressional correspondence.” The FBI did not respond to a request for comment.
In a previous hearing conducted by the Senate Committee on Homeland Security and Governmental Affairs, Wray and Nielsen had both suggested that there was no proof that American technology had been compromised by Chinese espionage.
“We at DHS do not have any evidence that supports the [Bloomberg] article,” said Nielsen at the October 10 hearing on “threats to homeland”. Echoing those remarks, Wray told the committee: “As to the newspaper article or the magazine article, I would just say be careful what you read in this context.”
Senators on the committee, of which the late John McCain was a member, appear not to have been assuaged by those comments, instead formally requesting further investigation into the matter.
The letter from Johnson and McCaskill said: “This committee is tasked with legislative and oversight responsibility over federal information technology and supply chain risk management.”
“To fully understand the accuracy of public reports about the potential cybersecurity and supply chain threat, we respectfully request that DHS and FBI provide a classified briefing with the appropriate subject-matter experts as soon as possible, but no later than October 25, 2018.”
Quoting Senate rules, the letter went on to state that the committee was authorised to investigate the efficiency and economy of all government departments and agencies with particular reference to “the effectiveness of present national security methods, staffing, and processes”.
The senators’ appeal adds to previous calls from Congress for further investigations into the matter.
Soon after the publication of Bloomberg Businessweek’s “Big Hack” story, Senator John Thune (a Republican from South Dakota) of the Senate Commerce Committee wrote to the CEOs of Apple, Amazon and Supermicro requesting that they attend a briefing to tell committee members about the companies’ “broader efforts” to secure their supply chains, The Hill reported.
A commerce committee staff member told the Post that no investigation was currently scheduled, despite Thune’s request that the briefing take place no later than October 12.
Apple’s vice-president of information security, George Stathakopoulos, told Thune in an October 8 letter that the Bloomberg BusinessWeek report “alleging the compromise of our servers is not true.” Internal investigations carried out by Apple “directly contradict every consequential assertion made in the article,” he said.
Responding to a request from Senators Marco Rubio and Richard Blumenthal, Supermicro said in a letter – a copy of which was seen by the Post – that it was “impossible as a practical matter to insert unauthorised malicious chips onto our boards during the manufacturing process”.
Bloomberg has stood by its reporting since the publication of its initial report. “Bloomberg Businessweek‘s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a Bloomberg News spokesperson said. “We stand by our story and are confident in our reporting and sources.”
Multiple members of the intelligence community have expressed doubt about China’s ability to pull off the technological espionage detailed in Bloomberg Businessweek’s story.
“I think the reporters got the story wrong,” said Dennis Wilder, a former China and East Asian specialist on the National Security Council. “If you look at that microprocessor that was pictured, a lot of people say it couldn’t do the things they claimed it could do.”
Speaking at a conference on Chinese defence and security at the Washington-based Jamestown Foundation in October, Wilder, who served under former president George W Bush and briefly under Barack Obama, said: “Does it mean the Chinese are not trying to do things like this? Of course they are trying to. But this one may have been an exaggeration on this part of this report.”
Additional reporting by Jodi Xu Klein and Jun Mai.