Free Republic

NSA Senior Advisor Latest to Question Report Claiming China Hacked Apple's Former Server Supplier
Mac Rumors | October 10, 2018 | By Joe Rossignol

Posted on 10/10/2018 8:45:17 PM PDT by Swordmaker

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek's bombshell "The Big Hack" report about Chinese spies compromising the U.S. tech supply chain.


"I have pretty good understanding about what we're worried about and what we're working on from my position. I don't see it," said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.


"I've got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody's found anything," Joyce added.


Joyce, a former White House cybersecurity coordinator, noted that all of the companies named in the Bloomberg Businessweek report have issued strong denials, including Apple, Amazon, and Supermicro. He said those companies would "suffer a world of hurt" if regulators later determine that they lied.


Apple's statement read in part:

On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

Bloomberg Businessweek, citing 17 unnamed sources, claimed that Chinese spies planted tiny chips the size of a pencil tip on server motherboards manufactured by Supermicro at its Chinese factories. The servers were then sold to companies such as Apple and Amazon for use in their respective data centers.


An unnamed government official cited in the report said China's goal was "long-term access to high-value corporate secrets and sensitive government networks," but no customer data is known to have been stolen.


The report claimed that Apple discovered the suspicious chips on the motherboards around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders were cited as saying the company reported the incident to the FBI, but kept details about what it had detected tightly held.


Apple dropped Supermicro as a supplier in 2016, a decision the company said it made for reasons unrelated to "The Big Hack" story.


Joyce is far from the only source to question the accuracy of the Bloomberg Businessweek report. Both the U.S. Department of Homeland Security and the U.K.'s national cyber security agency have said they have "no reason to doubt" Apple's denial of the story, while the FBI is said to be unaware of the hack.


"We're just befuddled," said Joyce. He added that he had "grave concerns about where this has taken us," according to Politico. "I worry that we're chasing shadows right now. I worry about the distraction that it is causing."


In related news, Reuters reports that U.S. Senator John Thune has sent letters to the CEOs of Apple, Amazon, and Supermicro with questions about the allegations. U.S. Senators Marco Rubio and Richard Blumenthal also sent a joint letter to Supermicro CEO Charles Liang with similar questions.


TOPICS: Business/Economy; Extended News; Foreign Affairs; News/Current Events
KEYWORDS: applepinglist; china; security; supermicro

I have challenged this with a list of seventeen reasons why I think Bloomberg's article is bogus. . . and more and more experts in the field are chiming in to also state the same thing. Bloomberg has not provided ANY evidence beyond statements from ANONYMOUS sources. . . and the photos they have provided claiming they are the spurious chips are NOT what they claim they are but rather common electronic parts normally found on circuit boards for years. . . and not at all something surreptitiously added or suspicious. Some of the experts they quoted in their original article have come forward CHALLENGING Bloomberg's quotations as NOT being representative of what they told their reporters, saying they were quoted out of context or incompletely. In some cases omitting qualifying statements that made it plain they were talking THEORETICALLY that it was possible to do these things, but not that they WERE BEING DONE, and one saying "This doesn't make sense."

One, when asked about a specific type of part, provided the Bloomberg reporters with a catalog photo of said part, and was shocked to see that part being touted in the article and pictured AS THE spurious added IC, when it was anything but what Bloomberg were characterizing it as, but a common electronic part.

This all is FAKE NEWS and Bloomberg doubled down on it with another article about a completely DIFFERENT story, also slamming Supermicro, about an unnamed "major telecom company" which supposedly brought in a consultant, one Yossi Appleboum, Co-CEO of Sepio Systems, a 2016 startup security company which publishes software to "mitigate the inclusion of surreptitious chips on motherboards" to scan their servers, and found ONE Supermicro server (out of THOUSANDS OF INSTALLED SERVERS) with a supposed addition in the Ethernet connector. Not the same thing at all as the previous claim.

Appleboum and Sepio claim they can't reveal the name of the "major telecom company" due to a nondisclosure agreement (NDA), but they go on to reveal everything else about their visit, scanning, and findings, to Bloomberg's reporters. I've NEVER heard of an NDA that would only prevent the exposure of the name of the primary company involved. I've signed NDAs and EVERYTHING is under the NDA.

We then find that Appleboum and Sepio have been feeding Bloomberg this line of information for long before either article came out. . . and that Bloomberg has been touting this company. This is what Bloomberg has been criticized before on FAKE NEWS. . . touting stories to bolster companies they are pushing. This is what is going on here. They are trying to increase the sales of Sepio's products.

1 posted on 10/10/2018 8:45:17 PM PDT by Swordmaker

To: Swordmaker

Yeah, I trust the Chinese government and the big tech companies. I am sure neither would lie to us.


2 posted on 10/10/2018 8:47:47 PM PDT by ChinaGotTheGoodsOnClinton (Go Egypt on 0bama)

To: Swordmaker

Why would I believe someone from the NSA?

I think the more reasonable approach would be to be highly skeptical.


3 posted on 10/10/2018 8:48:52 PM PDT by SoConPubbie (Mitt and Obama: They're the same poison, just a different potency)

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
MORE security experts ring in criticizing Bloomberg's article claiming hardware being BOGUS. This time from the NSA. —PING!


Apple's Bloomberg Article denial validated
by NSA's Senior Advisor for Cybersecurity Strategy
Ping!

If you want on or off the Mac Ping List, Freepmail me.

4 posted on 10/10/2018 8:51:28 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

Maybe when the SEC gets done with Elon Musk they should have a look see at Bloomberg.


5 posted on 10/10/2018 8:57:13 PM PDT by Lurkina.n.Learnin (If you want a definition of "bullying" just watch the Democrats in the Senate)

To: Swordmaker

Anything with the name “Bloomberg” attached should automatically be considered #fakenews.


6 posted on 10/10/2018 8:57:44 PM PDT by TheBattman (Democrats-Progressives-Marxists-Socialists - redundant labels.)

To: ChinaGotTheGoodsOnClinton

Yeah, I trust the Chinese government and the big tech companies. I am sure neither would lie to us.
**************************************
So you trust Bloomberg...good to know.


7 posted on 10/10/2018 8:59:21 PM PDT by House Atreides (BOYCOTT the NFL, its products and players 100% - PERMANENTLY)

To: TheBattman
Anything with the name “Bloomberg” attached should automatically be considered #fakenews.

Is that the same dude, who was a fake republican, who became a demon rat?

8 posted on 10/10/2018 9:00:55 PM PDT by Mark17 (Genesis chapter 1 verse 1. In the beginning GOD....And the rest, as they say, is HIS-story)

To: ChinaGotTheGoodsOnClinton
Yeah, I trust the Chinese government and the big tech companies. I am sure neither would lie to us.

Look, ChinaGotTheGoodsOnClinton, use your head. There are FAR EASIER, CHEAPER, and SMARTER WAYS to accomplish this than sticking a big red FLAG extra IC on a motherboard that would be spotted by the Quality Control checks of the guys who DESIGNED THE MOTHERBOARD in San Jose, CA! That is not how these things are done! Bloomberg's article is BOGUS. Multiple computer security EXPERTS have come out and stated that the NON-EXPERT BLOOMBERG reporters with their ANONYMOUS sources are not telling the truth and are publishing FAKE NEWS . . . including some who were cited in Bloomberg's article who are saying they were misquoted and taken out of context!

Had Bloomberg's reporters written that the Chinese were altering the FIRMWARE software codes to force the PROCESSORS or the firmware of the IO ports to do something nefarious, then it would be far more believable and much easier for them to do and HIDE than sticking an extra chip on a multi-layer motherboard. . . which requires them to RE-ENGINEER THE BOARD from the ground up to accommodate the traces, solder pads, power lines, and a whole host of things that MUST be considered for just ONE MORE IC to be added. It's not just soldering it on there and expecting it to work properly with all the other components. Hardware design ain't that easy. Motherboards aren't kludged like they once were, with parts simply hand soldered across the legs of ICs in sockets. Motherboards may have as many as six and eight layers of circuit traces.

Another approach that would be much harder to find is to build your component into the IC chips that already exist, adding that new, surreptitious functionality you want to phone home, after spying and collecting the data, onto a chip that ALREADY EXISTS on the board. The only way to find that is to pull the chip, sand it down to reveal the various multiple levels of circuitry under a scanning electron microscope and ANALYZE exactly what circuitry there is on there, and what is ALSO programmed in it and what it will do. With circuits that can have BILLIONS of transistors on a chip, one can hide a LOT in a chip. . . and no one would be the wiser. . .

Yet these "oh so smart Chinese Spy engineers," Bloomberg would have us believe "just soldered on a Grain of Rice Sized IC chip onto a motherboard—a board designed by an expert American Company in San Jose, California—and then expect that NO ONE WOULD NOTICE the major changes that would have to be made to their custom designed motherboard to ADD a spurious chip during Quality Control Inspection?" This, keep in mind, is a product that would undergo computer assisted QUALITY CONTROL EXAMINATION—not just someone picking it up and eyeballing it—at every step of product build. That means the board would be compared with a reference board BY A COMPUTER to assure it MATCHES IN EVERY DETAIL, and that EVERY CIRCUIT also matches and passes muster.

OOPS. It won't match if it's been altered. Oh, there's a grain of rice size chip added??? Oh, that's ok. . . let it go. Must have been authorized by someone. DO YOU REALLY THINK THAT HAPPENED? I don't.

9 posted on 10/10/2018 9:18:22 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

They are not the first ones to say this. Remember, Snowden leaked material about a similar hack the FBI pioneered.

Then there is this earlier article:

http://defensetech.org/2012/05/30/smoking-gun-proof-that-military-chips-from-china-are-infected/

My question is, considering the difficulty in detecting this supply chain hack, why WOULDN’T the Chinese government be doing this?


10 posted on 10/10/2018 9:19:41 PM PDT by ChinaGotTheGoodsOnClinton (Go Egypt on 0bama)

To: Mark17

Yep, same Michael Bloomberg...


11 posted on 10/10/2018 9:36:20 PM PDT by TheBattman (Democrats-Progressives-Marxists-Socialists - redundant labels.)

To: TheBattman

Thanks bro.


12 posted on 10/10/2018 9:37:06 PM PDT by Mark17 (Genesis chapter 1 verse 1. In the beginning GOD....And the rest, as they say, is HIS-story)

To: ChinaGotTheGoodsOnClinton
My question is, considering the difficulty in detecting this supply chain hack, why WOULDN’T the Chinese government be doing this?

I have absolutely no doubt that they ARE doing this. What they are NOT doing is what Bloomberg's idiotic argument is claiming. That is a smokescreen that obscures the REAL threat which YOUR linked article TRUTHFULLY describes. Using a stupid chip on a motherboard is an EASILY FOUND stupid way to do it. The article above is the way they are REALLY doing it.

Bloomberg is talking about the Chinese as if they and we ARE STUPID. . . It is as if we could tell the Chinese Spies in our industrial and military systems because they are wearing signs, saying "I am a Chinese Commie Spy!" and go around like the bad guys in Mad Magazine's "Spy vs. Spy" cartoons. They aren't that stupid and (I hope) we aren't that stupid either.

Bloomberg seems to think we all are. That is why I am POINTING THE STUPID FAKE NEWS blame at Bloomberg because they are aiming our attention at the WRONG TARGETS!!!!

13 posted on 10/10/2018 10:03:49 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

Strikes me that these people that imagine sticking a chip on to a MB is easy are like the people who imagine food is made in grocery stores ... or that canned goods are grown that way.


14 posted on 10/11/2018 3:07:56 AM PDT by PIF (They came for me and mine ... now it is your turn ...)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson