Disbelieving Bloomberg’s Chinese spy chip report
China can and has stolen the information it wants from US companies without using secretly embedded hardware, so why would it jeopardise its massive semiconductor industry? Asks Roger A Grimes
10 October 2018 | 0
I am very dubious of the recent Bloomberg report stating that several American companies were compromised by spy chips inserted secretly by the Chinese on US-used computer motherboards. The Bloomberg article should be used as a starting point for a very real, serious, and long overdue discussion of supply chain risks, but I would rather start with the facts supported by evidence instead of anonymous claims that have been unsupported for over three decades.
We know for sure that the Chinese government has broken into thousands of US companies, both over the Internet and using human spies, and stolen nearly every secret that was worth stealing. If China wanted to learn about something, they did. It is a national tragedy from which we will never be made whole again.
“The existing narrative is that we are compromised all the time, often by foreign adversaries. How would one more announcement of a data beach harm that narrative? If the Chinese spy chip story were true, it would shock no one”
I am not saying that Bloomberg did not do a good job of researching the claims. I love Bloomberg and read its web site every day. However, I am dubious of these particular claims involving secretly installed Chinese chips. Here is why.
A brief history of Chinese digital espionage
I have been hearing some form of the “Chinese are spying on us using computer chips” for decades. Early on, the story was that the White House had found secret Chinese spying chips in its computers and had confidentially been telling government contractors not to buy Chinese-made computers. In some cases, Chinese-made computers were not allowed into government contractor businesses.
I consulted at several US government contactors that would not allow me to bring my Lenovo laptop into their facilities. I had to leave it in my car. In a few cases, the threat was deemed so risky that I could not even have it in my rental car on the company’s property. I had to leave it at home or in my hotel.
Each person telling me that I could not use my Chinese-made laptop claimed to have a friend who had seen the top-secret White House document with the “evidence” to back up the claim. After decades of trying to see a copy of that document, I never talked to a person whom I trusted had seen a real document. It was always a “friend-of-a-friend” story.
I first wrote about, and discounted, this dubious accusation against the Chinese almost 10 years ago in an article entitled China is not selling bugged hardware. That article was written only after a decade of hearing private accusations against the Chinese. At the time, I was frustrated with the seriousness of the claims without any real evidence to back them up. I have seen nothing to change my mind in the intervening 10 years.
Why keep Chinese spying quiet?
Maybe it happened, but if so, where is the real evidence? What possible reason could the White House or any government entity have for hiding that they have found a spy chip on computers sold in the US? Are we supposed to believe that American computers are full of Chinese spy chips, but for reasons we cannot explain, it is better not to let the rest of American businesses know? It strains credulity.
Purportedly compromised companies deny claims
Every company mentioned in the Bloomberg article is saying it did not happen. Apple went so far to say that not only did not it happen, but that it is not under a national gag order preventing it from telling the truth.
Again, what is the benefit of those companies lying to us? Many would have you believe that these companies are worried about customer and consumer trust if they were to reveal the breach. Please!
All of these companies have been compromised by foreign adversaries over and over. Billions of our records are stolen each year. There is not a man or woman (and increasingly, a child) that has not had their personal information compromised dozens of times in the last 10 years.
The existing narrative is that we are compromised all the time, often by foreign adversaries. How would one more announcement of a data beach harm that narrative? If the Chinese spy chip story were true, it would shock no one. Heck, most of America already believes it.
Most chips are foreign (non US)-made
Underlying all this likely nonsense is the obvious fact that almost every computer chip in the world is made outside of the US, often in Asian locations. I used to laugh when I was told that I could not bring my Lenovo laptop in, but I could bring in my Dell laptop, which itself was full of nothing but Asian-made chips.
If you are worried about supply chain threats, and you should be, it is not just one little purported spy chip you should be worried about. You cannot find a computerised device in the US that does not have foreign-made chips. There is not some secret US government agency that goes around inspecting all those chips for security holes or backdoors before they get put into all our computers.
To me it is a hilarious idea that the Chinese would have to insert a specialised, tiny spy chip when it would be far easier to put an intentional weakness or backdoor into any of the hundreds of chips that are used in every computer on the planet. It would be far easier to hide in the weeds than to create a dedicated spy chip that any hardware expert would notice and question.
The US has done it
I do know of a powerful nation that has implanted spy chips and software backdoors into domestically produced computer equipment that was then shipped to other countries. Yep, the good ole USA. I love America. I’m a patriot in every sense of the word, but it would be hypocritical to discuss this topic without mentioning the fact that the only country that I know of that has implanted spying hardware or software into computers destined for foreign lands is ours — not once, but many times, and that is just what we know of.
America’s intelligence agencies and law enforcement routinely compromise encryption hardware headed to foreign counties to enable spying on groups who think they are using the world’s best cryptography to protect their digital communications. This type of cyberwarfare was used by the US and its allies against Middle East terrorists and South American drug cartels.
The US intercepts encryption cards and cell phones headed toward groups it is monitoring, to either record the included secret keys to decrypt their encrypted communications or disable the protection altogether. It’s also hard to turn a blind eye to the time that the US and UK broke into Gemalto, the world’s largest producer of cell phone SIM cards and stole the basic encryption codes used by cell phones around the world. It probably includes your cell phone’s SIM card.
In the most famous recent case, the National Security Agency (NSA) implanted Cisco equipment with surveillance programs and backdoors. Cisco says it was not involved in or aware of this intrusion, and I trust that’s true. Let us not even bring up the several cases where the US government intentionally weakens our own recommended and required cryptography (e.g., DES and Dual_EC_DRBG) to let it spy on its own people.
The supreme irony of what is being claimed is that while the US government is warning all the world to avoid using Chinese-made phones, especially those made by Huawei and ZTE, the NSA was caught implanting backdoor software in Huawei servers with a goal of spying on Huawei and its customers.
Allowing spy chips in products would be corporate suicide
When it was announced that the NSA implanted backdoors into Cisco network equipment, Cisco said it was unaware of the unauthorised modifications and condemned the NSA. It had to. Like most network and computer companies, Cisco is a global supplier. It relies on foreign companies for much of its revenues.
If it was determined that Cisco knew of the NSA scheme, it would severely damage Cisco’s reputation abroad. I am sure some foreign customers will not buy Cisco products because of the revelation. It could take Cisco decades to reclaim those lost customers. No company wants this type of bad press.
The same is true of China. If Chinese companies were found to have placed chips on equipment bound for the US, it would devastate the Chinese economy. The world would stop buying Asian chips, and any ascension into ranks of the world’s top financial leaders would be over in an instant.
It would be incredibly foolish to spy using hardware chips, because it would be more easily discoverable and be real evidence. It would be even crazier to do it when the Chinese have broken into every company they need to break into using traditional methods that will not compromise its dominant chip industries. Chinese hackers are already as successful as they need to be without risking the financial stability of their country.
A security columnist for more than 10 years, Roger A Grimes holds more than 40 computer certifications and has authored 10 books on the subject
IDG News Service