US hardware supply chain compromised by Chinese spies

Supermicro

Holy moly, this is huge. A unit of the People’s Liberation Army secretly inserted tiny, malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. These motherboards were used in expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From a Bloomberg Businessweek investigation:

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.

[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:

Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.

In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.

That’s not quite right, as Pence mentions, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:

And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register – the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.

I pointed out this bit of propaganda on September 23, referencing a tweet by Bloomberg’s Jennifer Jacobs. Trump then tweeted about it on September 26. Read my blog to see the future!

Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.

===

*Only fair to link to Supermicro’s response to the Bloomberg piece:

SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]

America’s Belt and Road?

The US may be stepping up its game to counter China’s multi-trillion-dollar development strategy known as the Debt Trap Diplomacy–… sorry, the Belt and Road Initiative:

The US is preparing to create an agency that can invest up to $60bn in the developing world in an effort to counter what some in Washington describe as China’s use of debt to wage “economic warfare”.

In what observers say is the biggest shake-up of US commercial lending to developing countries in 50 years, the Overseas Private Investment Corporation will be folded into the new agency and allowed to invest in equity. At present Opic can invest only in debt, putting it at a disadvantage to European development finance institutions (DFIs).

Ray Washburne, president and chief executive of Opic, told the FT that China – by using what he called “loan-to-own programmes” – was “creating countries that have the shackles of debt around them”. That amounted to “economic warfare”, he said.

By more than doubling Opic’s lending ceiling to $60bn and allowing it to invest in equity, he said, it would be put on “an equal footing with other DFIs”.

According to the report, OPIC will be folded into the new agency, called the International Development Finance Corporation, and “The arrangement has been sold to the president.”

Of course, the US has other ways of creating potholes in China’s Belt and Road… This could get very interesting indeed. On a quasi-related note, China is ramping up its PR campaign in the US, according to Bloomberg reporter Jennifer Jacobs:

China Daily advertising supplement

Text of the full thread:

CHINA sends a message to Trump and Ambassador Branstad by taking over 4 pages of Des Moines Register. Advertising supplement has “news” on:

—China buying soybeans from South America due to “trade row”

—Xi Jinping’s “fun days in Iowa”

—“Beijing can set an example for the world.”

The advertisement, labeled as paid for by the “China Daily, an official publication of the People’s Republic of China” is like a 4-page tweet from the Chinese government. It calls the trade war with Trump the “fruit of a president’s folly.”

In 15 years of covering Iowa news, I cannot recall the Chinese making a play like this. Certainly unprecedented for China to take out a four-page advertisement in the DMR. [Emphasis added]

China uses this advertising format regularly—“news” inserts have appeared in Nepal, Australia, U.S., etc. per @kashishds, @lillebuen, @DavidMDrucker and others. Beijing seems to be talking straight to Trump with this Iowa ad on “China-U.S. economic interdependence.”

Newspaper advertorials are a relatively clunky way of getting the message out, and unlike, say, troll armies on social media, they aren’t plausibly deniable. Nevertheless, as much as Americans (and others) may roll their eyes at such obvious and heavy-handed PR efforts, the cumulative impact of China’s vigorous overseas messaging is likely to be non-zero.

Chinasplaining

Confucius Institute logo

From a 2017 article on the increasingly sophisticated global PR efforts of certain authoritarian states:

Consider this: As part of its “Great Leap Outward” in recent years, China has quietly built up a multibillion dollar international media empire transmitting content in a multitude of languages that is making inroads in dozens of countries around the globe. As an indication of its growing sophistication, Xinhua, the state news agency, and CGTN, the Chinese state television global network (until 2016 known as CCTV), cultivate content-sharing agreements in a growing number of countries, especially in young democracies. In countries such as Argentina, Kenya and Peru, the Chinese authorities embed their own entertainment, documentary and news programming into domestic media platforms, enabling CCP-friendly soft propaganda to reach audiences in these settings. […]

The Chinese government has placed enormous resources into relationship and network building, undertaking extensive people-to-people programs in Latin America, sub-Saharan Africa and Central and Eastern Europe. Through such efforts, many hundreds of students, media professionals and policymakers each year are brought to China, often full-freight paid by the Chinese hosts. Emblematic of these wide-ranging efforts are initiatives such as the June 2016 “Forum on China-Africa Media Cooperation” and the December 2013 “High-Level Symposium of Think Tanks of China and Central and Eastern European Countries,” which convened hundreds of media and think tank professionals in China. Chinese state-backed Confucius Institutes operate a vast network of cultural influence embedded in universities and schools—more than 1,000 institutes and classrooms operating worldwide.

Further reading here. Also see my comment yesterday on how the US should deal with foreign state-funded media.

An effective response by the US would include (but not be limited to) banning Confucius Institutes on American soil and restricting Chinese investment in the entertainment and media industries, exactly as China restricts foreign investment in those sectors.

A shift in rhetoric

North Korea propaganda poster

Source: libertyherald.co.kr

Another sign that the move toward a US-North Korea rapprochement may be more than just “a triumph of showbiz over substance,” as some would have it:

Nix the nuclear warheads, cue the doves.

The North Korean government is erasing much of its anti-U.S. propaganda following dictator Kim Jong-un’s forays onto the world stage.

Gone are the posters depicting the U.S. as a “rotten, diseased, pirate nation” and promising “merciless revenge” on American forces for an imagined attack on the totalitarian country.

In their place are cheery messages touting the prospects for Korean reunification and the declaration Kim signed in April with South Korean President Moon Jae-in promising “lasting peace,” according to reports.

Too early to tell where this may lead, of course, but it’s certainly a welcome development.