What happened to Bloomberg’s Supermicro story?
"The Big Hack," five years later
In October 2018, Bloomberg Businessweek published a major story that claimed the F.B.I. was investigating whether the Chinese military had planted illicit microchips on networking equipment manufactured by an Oregon company called Supermicro. This would have been a huge deal, because the U.S. military, the C.I.A., and companies like Amazon and Apple had been using Supermicro’s hardware for years—and were now apparently vulnerable to a novel form of espionage. Bloomberg packaged the investigation as “The Big Hack.”
With its involvement of microscopic components and international supply chains, the story suggested that China had achieved a degree of technological sophistication unknown to any other government. One expert told the outlet: “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow. Hardware is just so far off the radar, it’s almost treated like black magic.”
If you were a journalist in 2018, you may remember what came next: Both the U.S. and China politely disputed certain parts, while the private companies issued thundering denials of the story’s entire thesis. Part of Apple’s statement reads, “No one at Apple has ever heard of this investigation. [Bloomberg] has refused to provide us with any information to track down the supposed proceedings or findings. … Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed.”
But Bloomberg’s sources seemed legitimate. The original story said:
The companies’ denials are countered by six current and former senior national security officials … one of those officials and two people inside [Amazon] provided extensive information on how the attack played out … the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.
I don’t have special knowledge of Bloomberg’s sources, but it’s very hard to believe that they don’t exist or that Bloomberg deliberately misrepresented their claims about Supermicro. In any normal newsroom, this kind of story would be seen by many editors, including and especially the editor-in-chief; some of those editors would be aware of the sources’ identities. Nobody at Bloomberg, officially or not, has ever claimed otherwise.
Bloomberg runs a fairly normal and successful newsroom. It offers some of the highest salaries in the media industry, and is famous for its thick manual of editorial standards, The Bloomberg Way. Its journalists are poached from, and poached by, other mainstream outlets. The reporters on the Supermicro story, Jordan Robertson and Michael Riley, came from the Denver Post and the Associated Press, respectively. Among journalists, Bloomberg carries a reputation of scrupulousness, not recklessness.
So it wasn’t totally surprising when Bloomberg refused to retract the story, entered “The Big Hack” for consideration by the National Magazine Awards, and later promoted Riley. The outlet issued the same statement, over and over again: “We stand by our story and are confident in our reporting and sources.”
There are reasons to be skeptical of Bloomberg’s confidence. One networking expert, Patrick Kennedy, has argued that the illicit microchips’ alleged capabilities are either implausible or impossible, given the geometric constraints of existing technology at such a small scale. But there are also reasons to extend the benefit of the doubt. One is that Bloomberg editors heavily scrutinize stories that may impugn the government of China, due to the Bloomberg Terminal’s presence in the Chinese market. Bloomberg does not paint China in a negative light unless it has a very good reason to do so.
All of this leaves us with the central mystery: Is Bloomberg’s story true, or not? And is it possible to determine its accuracy to the satisfaction of everyone involved?
This is a one-person newsletter, and I do not belong to a newsroom. I am (probably) incapable of exfiltrating bulletproof evidence of industrial espionage from either the Pentagon or the People’s Liberation Army. But I can write emails to, and ask questions of, most of the people who were involved in the story’s publication and all of the companies who appeared in it. And I’m curious what they might say, or not say, five years after the fact.
I wonder, specifically, about the story’s legacy within Bloomberg. What kind of oral culture developed around “The Big Hack,” before and after its publication? How many Bloomberg journalists believe it’s still true? Mark Gurman, the best Apple reporter in the business, joined Bloomberg in 2016. Brad Stone, who authored the definitive book about former Amazon CEO Jeff Bezos, has worked there since 2015. What do they think about all of this?
Finally, I’m interested in speculation from other journalists about what happened with this story. Speculation has a poor reputation, in both journalism and real estate, but I think the practice is warranted in this case. No other method has established a consensus around the accuracy of “The Big Hack,” so I think it’s worth trying out new techniques.
So: I have some emails to send. In the meantime, if you know anything about “The Big Hack,” or just have a theory about it, you can email me at firstname.lastname@example.org.