The UK’s top national cybersecurity agency GCHQ told Reuters on Friday that it didn’t see any reason to question the validity of Apple and Amazon’s denials that their servers were compromised following a meteoric report from Bloomberg on Thursday. The report claimed that Chinese spies were able to place microchips in the companies’ servers, allegedly giving the Chinese government backdoor access to some of the largest cloud platforms in the world.
The GCHQ, which is the UK’s equivalent to the US National Security Agency (NSA), didn’t call for an investigation into the claims, but it requested that anyone with information about the alleged attack reach out. In its response to Reuters, the National Cyber Security Centre, a unit of GCHQ, said, “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.”
“The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us,” it said.
Despite the unconcerned reaction from the British spy agency, American lawmakers are getting fired up over the reporting; some are even calling for an outright investigation. A spokesperson for Rep. Tom Cotton (R-AR) told Politico on Thursday that, “It’s past time for American companies to wake up and realize that [Chinese President] Xi Jinping and his cronies view private enterprise as ‘fair game’ in their subversive campaign against our nation.”
Sen. Mark Warner (D-VA), who called Chinese hardware companies ZTE and Huawei “national security threats” this summer, told Politico that the report “provides more evidence that China’s pattern of behavior is a serious threat to national security and supply chain risk management.”
Rep. Frank Pallone (D-NJ), the ranking member of the Energy and Commerce Committee, was the most assertive, calling the report “deeply disturbing,” and requesting a congressional investigation in a statement to Bloomberg.
There are a whole bunch of plausible explanations that don't require fraud. There was no fraud involved in #badbios or its journalistic coverage, and dozens of experts (correctly) confirmed to reporters it was technically plausible. — Tavis Ormandy (@taviso) October 5, 2018
Many in the cybersecurity world have also questioned the report. Tavis Ormandy, a star researcher at Google’s Project Zero, argued on Twitter that the reporting might be overblown, saying, “there are a whole bunch of plausible explanations that don’t require fraud.”