A bipartisan pair of senators have written to motherboard supplier Supermicro acknowledging that the company has denied the claim, but nonetheless seeking answers to eight questions …
Business Insider saw the letter sent by Sens. Marco Rubio and Richard Blumenthal.
Republican Sen. Marco Rubio and Democratic Sen. Richard Blumenthal sent a letter Tuesday to Supermicro’s CEO, Charles Liang, asking for more information following a Bloomberg story that reported the company sold motherboards to Apple, Amazon, and the US government that contained microchips implanted by Chinese spies.
Supermicro, Apple and Amazon have all issued seemingly definitive statements denying that there is any truth in the spy chip story, but the senators say that the issues raised are too important to accept the denials without more detailed information.
We note that Supermicro, Apple, and Amazon have issued strong denials regarding the Bloomberg report. However, the nature of the claims raised alarms that must be comprehensively addressed. In The Information’s February 2017 article, Mr. Leng disclosed that “thousands of customers” were using the same hardware. These customers deserve answers immediately. While large tech firms may have the financial resources and expertise to mitigate sophisticated cyber security threats or completely remove affected hardware, most companies do not. Nor do they have the information to act.
It goes on to ask eight sets of questions.
1.) When did Supermicro first become aware of reports regarding malicious hardware components and firmware in its computers and hardware? Has Supermicro ever found tampering of components or firmware that targeted its products?
2.) Has Supermicro conducted an investigation of its chain of suppliers to identify any possible modifications or security issues with its products? If it has found tampering, has it severed ties with those suppliers?
3.) If Supermicro has found or otherwise become aware of unaccounted-for modification on hardware or firmware, has it taken steps to remove the tampered product from the supply chain?
4.) When The Information reported in February 2017 that Apple had found compromised firmware, did Supermicro conduct any investigation into the potential infiltration of its supply chain as Mr. Leng had committed to do so? If so, what were the results of this investigation?
5.) Has Supermicro cooperated with law enforcement in the United States to address such reports? If tampering is found, will you provide a list of potentially affected customers to U.S. authorities and provide information to customers?
6.) Has Supermicro enacted screening measures or audits to assess its supply chain and detect and mitigate any such attempts to tamper with products?
7.) If tampering is found, does Supermicro assess that such tampering could be mitigated based on firmware updates, software patches, configuration changes, or operating system defenses?
8.) Has the Chinese government ever requested access to Supermicro’s confidential security information or sought to restrict information regarding the security of Supermicro’s products?
Apple has already written to Congress, denying that there is any truth in the spy chip story and offering to brief representatives.