Naomi Nix and Ben Brody (Bloomberg) -- Tech providers vying for a $10 billion Defense Department cloud-computing contract may come under added pressure to prove their systems are secure after a report that China sneaked spy chips onto servers used by U.S. companies including Amazon.com Inc., a top contender for the Pentagon award.
Amazon, the market leader in cloud-computing services, was among almost 30 companies including Apple Inc. whose servers were infiltrated according to a Bloomberg Businessweek report based on more than a dozen sources in the government and private sector.
Apple, Amazon, server component seller Super Micro Computer Inc. and the Chinese government denied the report. When asked for comment on the implications for its Pentagon bid, Amazon pointed to its statement denying the report.
Security and procurement experts said Amazon’s prospects for winning the cloud services award may not be affected because it can argue that it was a victim that uncovered the problem. According to the report, Amazon unearthed the breaches, which happened at factories run by subcontractors in China, alerted authorities and took action to limit the consequences.
Still, the revelations increase pressure on the Pentagon as well as on Amazon and the other bidders to step up measures to secure their systems in a global marketplace where integral equipment is manufactured in China.
Representative Adam Schiff of California, the top Democrat on the House Intelligence Committee, said that panel should seek more information from agencies about whether China sought to infiltrate the computer-chip supply chain.
“No one is safe,” said Darrell West, director of the Center for Technology Innovation at the Brookings Institution. “I’m sure Amazon has some of the very best security people. The fact that they had a problem should alarm everybody.”
The deadline for companies including Amazon, Microsoft, IBM, and Oracle to submit bids for the Pentagon’s project, which involves moving massive amounts of sensitive government data to a commercially operated cloud system, looms in just over a week.
Amazon Web Services was seen as the front-runner from the start because it had already won a $600 million cloud contract from the Central Intelligence Agency in 2013. Microsoft Corp. is catching up as it expands its work with the intelligence community.
Oracle Corp. declined to comment on the implications of the report on its bid for the Pentagon contract. Microsoft and International Business Machines Corp. didn’t respond to requests for comment.
The Defense Department released in July its final requirements for the project, known as the Joint Enterprise Defense Infrastructure cloud, or JEDI. Bids for the project, which could last as long as 10 years, are due on October 12th.
A Pentagon spokeswoman, Heather Babb, responded to questions about addressing the risk of infiltrated equipment by referring to documents detailing the procurement requirements. Under those, the Pentagon is asking companies to meet strict security guidelines, including the ability to obtain top-level security clearances, offer government-approved encryption, provide local data centers and staff them with U.S. citizens.
Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said the Bloomberg Businessweek report “provides more evidence that China’s pattern of behavior is a serious threat to national security and supply chain risk management.”
Security experts are grappling with the threat from secret devices being inserted into U.S. networks, in addition to cyberattacks from afar. The weaknesses in the global supply chain require constant vigilance from tech companies to stay ahead of developing threats, said Stan Soloway, president of consulting firm Celero Strategies and a former Defense Department official under President Bill Clinton.
“You could have the toughest security requirements in place but downstream you are connected to a global supply chain over which the government does not have direct contract control,” Soloway said.
While Amazon may have uncovered evidence of Chinese infiltration, according to the report, other companies that bought from Supermicro, the company whose subcontractors made the servers that were compromised, are also at risk, said William Carter, deputy director of the Technology Policy Program at the Center for Strategic and International Studies in Washington.
“Given their market share, there’s a decent chance that AWS’s competitors use some of their hardware as well,” Carter said, referring to Amazon’s cloud division. “Many Chinese factories that do this kind of assembly work with multiple big U.S. companies," meaning the Chinese military could use them “to compromise all sorts of hardware.”
David Wilcox, a cybersecurity expert who spent 37 years at the National Security Agency, said if the reports are correct, Amazon did the right thing. “They took their product and had it scanned by a security company that was doing their job."
Cybersecurity experts are divided over the question of whether it’s safer for the Pentagon to invest in securing a single top cloud provider, as the Pentagon plans despite objections from Amazon’s rivals. Oracle, Microsoft and IBM have all argued that having multiple providers isolates risk, ensuring that a problem in one company’s cloud services wouldn’t compromise the entire department.
In a report to Congress earlier this year, the Defense Department said making multiple awards under current acquisition law would be a slow process that “could prevent DoD from rapidly delivering new capabilities and improved effectiveness to the warfighter that enterprise-level cloud computing can enable.”
Security experts pointed to the challenges of securing systems with components made in disparate parts of the world.
“The problem is most of our electronics are made in China,” said West of Brookings. “Even if a file server is made in the United States, it’s still likely to have components from abroad and especially from China. The fact that they are able to insert a microchip into devices is very scary.”
Bloomberg Intelligence analyst James Bach said the problem should spark a discussion about supply chain security that goes far beyond the JEDI contract award and should involve all the large tech companies and Congress.
"Everybody has their hands in this," Bach said, noting that supply chain vulnerabilities pervade the U.S. government. "It’s not just Amazon or Apple."