U.S. officials say supply-chain threat is ‘very real’ regardless of Bloomberg story accuracy

FBI and Department of Homeland Security officials continued to push back Wednesday against a recent news story that described a devastating supply-chain attack on major U.S. technology companies, but their testimony in a Senate hearing also emphasized that such threats do remain “very real” in general.

“This is a particularly pernicious threat … because it’s very difficult for the average citizen, company or government entity to understand every component that was put into a piece of equipment or network that they’ve purchased,” Homeland Security Secretary Kirstjen Nielsen said in a Homeland Security and Governmental Affairs Committee hearing that also featured FBI Director Christopher Wray.

Bloomberg Businessweek reported last week that Chinese operatives had used rice grain-sized chips to compromise motherboards sold by Super Micro Computer (Supermicro), placing a backdoor into many companies, including Apple and Amazon Web Services. The attack, in theory, entails devastating consequences for information security at those companies and beyond. Companies mentioned in the article have issued strongly worded, highly detailed denials.

Committee Chairman Sen. Ron Johnson, R-Wisc., said it “seems like it’s pretty solid reporting,” but the Wisconsin Republican also acknowledged the tech companies’ denials about having been compromised.

“How come I’m finding out from Bloomberg and not in terms of contact from the federal government?” Johnson asked. “I think we have a huge problem of overclassification and lack of notice.”

“Be careful what you read,” Wray responded.

Johnson then pressed Wray to clearly specify whether the Bloomberg story was accurate. In response, Wray cited the usual FBI practice to neither confirm nor deny an ongoing investigation. Also on Wednesday, National Security Agency official Rob Joyce said that government investigators so far had turned up nothing to support the story.

Nielsen also tried to detract from the Bloomberg story.

“We at DHS do not have any evidence that supports the article. We have no reason to doubt what the companies have said,” Nielsen said. She stressed, however, that the department isn’t dismissing the concept of foreign operatives trying to compromise fundamental pieces of computing technology.

“It is a very real and emerging threat that we are very concerned about,” she said.

Wray said he agreed that increased public awareness of supply-chain threats is necessary.

Sen. James Lankford, R-Okla., also brought up the Bloomberg story, but simply asked Nielsen to comment on DHS’s work on supply-chain security. She pointed to DHS’s recently announced National Risk Management Center as the agency’s way to collaborate with the private sector on supply-chain threats.

“We’re working very closely with the private sector to break down the supply chain and give them much more awareness of companies they’re purchasing from,” she said.

Chinese election interference?

Senators also sought clarity from Nielsen and Wray about confusing comments President Donald Trump recently made at the United Nations about apparent election interference from China. The president did not say whether he was referring to hacking or influence operations, nor did he point to any specific evidence.

“We have not seen, to date, any Chinese attempts to compromise election infrastructure,” Nielsen told the panel, but she said that the country has been “exerting an unprecedented effort to influence American opinion.”

Wray went a bit further, saying that China is “perhaps the broadest, most complicated, most long-term counterintelligence threat we face.” The FBI director did not comment directly on the election interference question.

“Russia is in many ways fighting to stay relevant after the fall of the Soviet Union. They’re fighting today’s fight. China is fighting tomorrow’s fight, and the day after tomorrow and the day after that,” Wray said.

The U.S. government has largely put Russia at the center of its repeated warnings of meddling in the 2016 presidential election, as well as warnings about the intent to interfere in future elections.