
Your Motherboard: Did Bloomberg Businessweek Cry Wolf About Tech Giants’ Supply Chains?

This post is authored by Kacey Jennings, a second-year law student at Villanova University’s Charles Widger School of Law. Ms. Jennings is a legal intern with the XPAN Law Group.

China has allegedly used tiny microchips to hack the most valuable publicly traded company in the world. No, this is not a description of a one-star movie on Netflix with a trite plotline; Bloomberg Businessweek reported last week that China infiltrated Apple’s servers through its supply chain.

Bloomberg identified a few key players: Amazon.com Inc., Elemental Technologies, and Super Micro Computer Inc. (hereinafter Supermicro). According to the report, in 2015, Amazon began the process of acquiring Elemental Technologies by investigating it for potential security vulnerabilities. Elemental Technologies provides compression and formatting services for large video files for various uses, including streaming the Olympics and communicating with the International Space Station. Amazon’s probe found that Elemental’s servers were built by one of the world’s largest suppliers of servers: Supermicro. Small microchips were found on the motherboards of these servers, which came from manufacturing contractors in China. The Bloomberg report says that Amazon immediately contacted the FBI about the malicious hardware, and the FBI responded by opening an investigation. Supermicro servers are used by many multinational corporations, including Apple (Bloomberg did report that Apple severed ties with Supermicro in 2016 for undisclosed reasons).

In its report, Bloomberg cited seventeen anonymous sources, referring to them throughout the article as government officials, national security officials, and employees involved in Amazon’s acquisition of Elemental. In response to the article, Amazon stated that

“[i]t’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”

Apple, too, has issued a statement, which is available on its website: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident.” Supermicro issued a news release saying that “Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” and “Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.”

Despite these strong denials, a few days later Bloomberg reported that a security expert, Yossi Appleboum, working for a major telecommunications company, provided documents and other evidence detailing “unusual communications” from a Supermicro server which, upon investigation, revealed that its hardware had been manipulated. The telecommunications company was not named because of a non-disclosure agreement. In light of Bloomberg’s article, AT&T and Sprint have issued statements to reporters disassociating themselves from Supermicro servers.

The United States Senate held a hearing on Wednesday, October 10, 2018 to investigate the claims made by Bloomberg. Senators asked the Director of the FBI, Christopher Wray, about any investigations into the malicious manipulation of hardware by China. Wray cited the policy of not confirming or denying any active FBI investigations, but urged Senators to “be careful what you read.” The Secretary of the Department of Homeland Security (DHS) said the DHS had “no reason to doubt what the companies have said” but expressed concern about the threat of malicious manipulation in the supply chain of major companies. Bloomberg continues to support its story, claiming that the report was the result of one year of investigation and over 100 interviews.

Regardless of whether Bloomberg’s report was true or whether it was an attempt to drive down Supermicro’s stock, it should remind companies to review the cybersecurity policies and practices of third-party suppliers with a fine-tooth comb. With fledgling federal cybersecurity laws in the United States, it is unclear how much bite the criminal justice system would have, in the event of a true incident of malicious hardware manipulation, when prosecuting a company because of its third-party supplier. However, no company wants to face the wrath of the market: on the day before Bloomberg’s article, October 3, Nasdaq reported Supermicro’s stock closed at 21.4, and today, October 10, it closed at 12.8. Regardless of whether Bloomberg’s allegations are true, it seems clear that people are easily scared when they hear a whisper that China has been involved in anything remotely resembling a cybersecurity incident.

While it’s easy to say that companies should take it upon themselves to evaluate third-party suppliers, it’s not as simple as it sounds. The supply chains of major companies like Apple are massive. For the iPhone 7, for example, suppliers included Intel, Toshiba, Broadcom, Texas Instruments, and Lumentum. Additionally, Apple’s biggest factory for iPhones is located in, you guessed it, China. The factory is run by a Taiwanese manufacturing partner called Foxconn.

The fact is that creating electronics requires outsourcing, which creates a global web of suppliers. The David vs. Goliath battles in the technology industry are very apparent in supplier relationships: companies like Apple have the resources to throw their weight around and force their suppliers to adhere to strict cybersecurity policies. For example, Apple suppliers have historically lost significant value or faced bankruptcy when their relationships were terminated (see this Financial Times article: The blessing and curse of being an Apple supplier). This may not be the case for smaller companies whose suppliers are worth more than they are; does this impose a duty on consumers to stay informed of cybersecurity breaches and make economic decisions accordingly?

Although Apple and Amazon have discredited Bloomberg’s reports, it is important for potential vulnerabilities and threats to be made known to the public. Even without buzzwords like China, microchips, and hacking, people deserve to know whether the products they buy (and store sensitive data on) were made by companies with improper cybersecurity practices. The key is to be informed and be prepared: start by understanding your own supply chain and its vulnerabilities.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.