China spy chips report adds pressure on Pentagon cloud security
Technology providers vying for a US$10 billion defence department cloud-computing contract may come under added pressure to prove their systems are secure after a report that China sneaked spy chips onto servers used by US companies including Amazon.com, a top contender for the Pentagon award.
Amazon subsidiary Amazon Web Services (AWS), the market leader in on-demand cloud computing platforms, was among almost 30 companies, including Apple, whose servers were infiltrated, according to a Bloomberg Businessweek report on Thursday that was based on more than a dozen sources in the government and private sector.
Apple, Amazon, server component supplier Super Micro Computer (Supermicro) and the Chinese government denied the report. When asked for comment on the implications for its Pentagon bid, Amazon pointed to its statement denying the report.
Security and procurement experts said Amazon’s prospects for winning the cloud services award may not be affected because it can argue that it was a victim that uncovered the problem. Amazon unearthed the breaches, which happened at factories run by subcontractors in China, alerted authorities and took action to limit the consequences, according to the report.
Still, the revelations increase pressure on the Pentagon as well as on Amazon and the other bidders to step up measures to secure their systems in a global marketplace where integral equipment is manufactured in China.
Representative Adam Schiff of California, the top Democrat on the House Intelligence Committee, said that panel should seek more information from agencies about whether China sought to infiltrate the computer chip supply chain.
“No one is safe,” said Darrell West, director of the Centre for Technology Innovation at the Brookings Institution. “I’m sure Amazon has some of the very best security people. The fact that they had a problem should alarm everybody.”
The deadline for companies including Amazon, Microsoft Corp, International Business Machines Corp (IBM) and Oracle Corp to submit bids for the Pentagon’s project, which involves moving massive amounts of sensitive government data to a commercially operated cloud system, looms in just over a week.
AWS was seen as the front-runner from the start because it had already won a US$600 million cloud contract from the Central Intelligence Agency in 2013. Microsoft is catching up as it expands its work with the intelligence community.
Oracle declined to comment on the implications of the report on its bid for the Pentagon contract. Microsoft and IBM did not respond to requests for comment.
The defence department released in July its final requirements for the project, known as the Joint Enterprise Defence Infrastructure cloud, or JEDI. Bids for the project, which could last as long as 10 years, are due on October 12.
A Pentagon spokeswoman, Heather Babb, referred questions about addressing the risk of infiltrated equipment to documents detailing the procurement requirements. Under those, the Pentagon is asking companies to meet strict security guidelines, including the ability to obtain top-level security clearances, offer government-approved encryption, provide local data centres and staff them with US citizens.
Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said the Bloomberg Businessweek report “provides more evidence that China’s pattern of behaviour is a serious threat to national security and supply chain risk management”.
Security experts are grappling with the threat from secret devices being inserted into US networks, in addition to cyberattacks from afar. The weaknesses in the global supply chain require constant vigilance from technology companies to stay ahead of developing threats, said Stan Soloway, president of consulting firm Celero Strategies and a former defence department official under President Bill Clinton.
“You could have the toughest security requirements in place, but downstream you are connected to a global supply chain over which the government does not have direct contract control,” Soloway said.
While Amazon may have uncovered evidence of Chinese infiltration, according to the report, other companies that bought from Supermicro, the company whose subcontractors made the servers that were compromised, are also at risk, said William Carter, deputy director of the Technology Policy Programme at the Centre for Strategic and International Studies in Washington.
“Given their market share, there’s a decent chance that AWS’ competitors use some of their hardware as well,” Carter said. “Many Chinese factories that do this kind of assembly work with multiple big US companies,” meaning the Chinese military could use them “to compromise all sorts of hardware”.
David Wilcox, a cybersecurity expert who spent 37 years at the National Security Agency, said if the reports are correct, Amazon did the right thing. “They took their product and had it scanned by a security company that was doing their job.”
Cybersecurity experts are divided over the question of whether it is safer for the Pentagon to invest in securing a single top cloud provider, as the Pentagon plans despite objections from Amazon’s rivals. Oracle, Microsoft and IBM have all argued that having multiple providers isolates risk, ensuring that a problem in one company’s cloud services would not compromise the entire department.
In a report to the US Congress earlier this year, the defence department said making multiple awards under current acquisition law would be a slow process that “could prevent DOD from rapidly delivering new capabilities and improved effectiveness to the warfighter that enterprise-level cloud computing can enable”.
Security experts pointed to the challenges of securing systems with components made in disparate parts of the world.
“The problem is most of our electronics are made in China,” said West of Brookings. “Even if a file server is made in the United States, it’s still likely to have components from abroad and especially from China. The fact that they are able to insert a microchip into devices is very scary.”
Bloomberg Intelligence analyst James Bach said the problem should spark a discussion about supply chain security that goes far beyond the JEDI contract award and should involve all the large technology companies and Congress.
“Everybody has their hands in this,” Bach said, noting that supply chain vulnerabilities pervade the US government. “It’s not just Amazon or Apple.”