Speaking at a U.S. Chamber of Commerce event, NSA Senior Advisor Rob Joyce was put on the spot about the allegations the Chinese government tampered with servers produced by Supermicro, which were allegedly used by Apple, other major tech companies, and various government organizations. Joyce’s comments suggest he disbelieves the entirety of the report, through checking via his own sources.
In response to Wall Street Journal reporter Dustin Volz’s query on the allegations, Joyce advised “What I can’t find are any ties to the claims in the article,” adding “We’re befuddled.” While noting he has considerable access to intelligence, he has yet to find any corroboration on either the initial story’s allegations, nor with a second connected story pertaining to a major telecommunications provider in the U.S.
The lack of connected evidence to the events led Joyce to plea to others to bring clarity, asking “If somebody has first-degree knowledge, can hand us a board, and point to somebody in a company that was involved in this as claimed, we want to talk to them.”
Reporting on the same meeting, Politico’s Eric Geller quotes Joyce stating “I have a pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it. There’s not there there yet. I have grave concerns about where this has taken us. I worry that we’re chasing shadows right now.”
Joyce then admits he has no confidence that there’s something to the story. “I worry about the distraction that it is causing.”
The comments are not the first to be made by members of the security community connected to a government agency. The UK’s National Cyber Security Centre, part of GCHQ, put out a similar plea for people with “credible intelligence” about the report to make contact, commenting “at this stage we have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple.”
Both companies issued strong denials to the story shortly after its publication, with Apple characterizing it as “wrong and misinformed.” Apple has also performed a “massive, granular, and siloed investigation” into the claims, but did not discover any evidence of hardware tampering, nor any unrelated incidents that could have contributed to the report’s claims.
The Department of Homeland Security also issued a statement on Saturday, again siding with Apple and Amazon, but without delving into detail as to why it doesn’t believe the Bloomberg report.
One of the few named sources in the original report, security researcher Joe Fitzpatrick, has revealed his own doubts about the report, including dealings with one of its authors. Fitzpatrick advised he had previously spoken to the reporter about proof-of-concept devices demonstrated at Black Hat 2016, but found it strange that the ideas he mentioned were confirmed by other sources of the publication.
A number of U.S. officials contacted by one report advised they were uncertain about its accuracy, with one official changing their mind from their initial assertion the “thrust of the article” was true.
Two U.S. senators have written to Supermicro demanding answers over the reports, issuing questions for response by October 17. The questions, asked by Senators Marco Rubio and Richard Blumenthal, query when Supermicro became aware of the malicious hardware reports, if it had investigated the supply chain, and if the Chinese government ever requested access to confidential security information, among other areas.