Cortez Masto, Markey, Brown Demand Answers from Administration Over Reports of Chinese Manipulation of U.S. Technology

Washington, D.C. – Senators Catherine Cortez Masto (D-Nev.), Edward J. Markey (D-Mass.), and Sherrod Brown (D-Ohio) called on the Trump Administration to look into reports of Chinese government efforts to secretly manipulate U.S. technology. According to a October 4 Bloomberg Businessweek report, the Chinese People’s Liberation Army (PLA) “designed and manufactured” microchips to be surreptitiously planted within the motherboards of servers assembled by Super Micro Computer Inc. (also known as Supermicro). Elemental Technologies, which has contracts to sell technology to U.S. national security agencies, installed these motherboards in servers eventually used by the Central Intelligence Agency and the Department of Defense. This Chinese government effort also is alleged to have affected at least 30 companies.

Noting the severity of the reports, the senators stated, “If true, the U.S. government servers, networks, and the sensitive information they contain could be compromised by a country that poses a significant strategic challenge to the United States. Additionally, any malicious PLA effort could have severe implications for the privacy of data for American consumers purchasing products from American technology firms.” 

In their letter, the senators ask the Trump Administration to provide timely answers on the extent of U.S. government ownership of technology with Chinese government microchips, whether such devices are still in use, and any information concerning these microchips being implanted in technology that is utilized by U.S. companies.

A copy of the letter can be found here and below:

President Donald J. Trump

The White House

1600 Pennsylvania Avenue, N.W.

Washington, D.C. 20500

Dear President Trump:

We write to express our serious concern regarding recent reports of Chinese government efforts to physically manipulate computer servers used in the United States to allow illicit access. Given the seriousness of the alleged activities, it is the responsibility of the administration to ensure that hardware in use throughout the U.S. government does not contain devices capable of infiltrating networks containing sensitive information. If the problems raised in this report are true, this raises important questions about what steps the government should take to protect commercial servers used by American companies.  When reviewed in light of the full range of Chinese government activities to compromise U.S. national security, these reports demand a strong response by the administration.

According to Bloomberg Businessweek, the People’s Liberation Army (PLA) “designed and manufactured” microchips to be surreptitiously planted within the motherboards of servers assembled by Super Micro Computer Inc. (also known as Supermicro).^[1] Elemental technologies, which has contracts to sell technology to U.S. national security agencies, installed these motherboards in servers eventually used by the Central Intelligence Agency and the Department of Defense. This Chinese government effort also is alleged to have affected at least 30 companies.

We are concerned that the PLA tampering could have effects more extensive than has been reported. According to the media report, a former U.S. intelligence official familiar with the Supermicro case said that “attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”^[2] If true, the U.S. government servers, networks, and the sensitive information they contain could be compromised by a country that poses a significant strategic challenge to the United States. Additionally, any malicious PLA effort could have severe implications for the privacy of data for American consumers purchasing products from American technology firms.

To better understand this ongoing issue, we respectfully request your response to the following questions by November 2, 2018.

1. Does the U.S. government own and operate any computers, servers, or other information technology hardware or systems that contain Supermicro motherboards?
   1. As the Bloomberg report named the Central Intelligence Agency and the Department of Defense as government agencies that conducted business with Supermicro and Elemental, do those organizations continue to operate equipment from these companies?  If so, what steps have been taken or are being taken to identify risk posed by hardware implants, and ultimately mitigating risk, including by removing affected equipment?
   2. Are there other agencies that have purchased, or are planning to purchase, equipment that contain servers with Supermicro motherboards?  If so, do the agencies continue to either use this equipment or proceed with the purchases?

1. If equipment from those companies are operating within U.S. agencies and private technology firms, what efforts has the U.S. government taken to ensure that they do not contain illicit microchips capable of compromising sensitive information about either the government, companies, or citizens?
   1. When did the government become aware of the illicit microchips, and what steps did the government take to alert U.S. agencies and private technology firms?
   2. Has the U.S. government conducted thorough investigations of motherboards and hardware from other companies that could also contain illicit microchips or other technologies designed to penetrate networks?
   3. If not, what steps is the government taking to ensure that such devices do not make it into U.S. agencies, offices, or other official locations?
   4. Recognizing the difficulty of detecting “hardware hacks,” what is the U.S. government’s long-term strategy to protect hardware from being penetrated by illicit microchips or similar technologies?

1. Do you know of other similar instances of the Chinese government infiltrating technology manufactured for end users in the United States? 
   1. If so, and given the implications this might have on hundreds of millions of Americans, what steps is the U.S. government taking regarding the findings of previous investigations – or plans for investigations responding to this report – and what effect this would have on private citizens’ data?

Thank you in advance for your attention to this matter.