Editorial: A year later, Bloomberg silently stands by its 'Big Hack' iCloud spy chip story
Bloomberg Businessweek's claims of Chinese spy chips hidden in Apple and Amazon servers has been refuted, debunked, and ridiculed. You just wouldn't know that from what Bloomberg has said or, most recently, done.
There's been a lot of smoke, but no firings. Quite the opposite. It's been a year since Bloomberg Businessweek published an extensively debunked story claiming that companies including Apple and Amazon had been hacked. Yet since then, all of Bloomberg's few responses and actions have only doubled down on how this publication lacks credibility on the topic.
The story from 2018 claimed that many firms were compromised by how they had bought servers from a company called Super Micro. Secretly embedded in the motherboards of these servers were Chinese spy chips.
If it were true, then "The Big Hack" by reporters Jordan Robertson and Michael Riley, would've been the Watergate of technology stories. It would mean that the very core of America's entire technology infrastructure had been secretly and extensively infiltrated by another nation — a nation that the US has since become embroiled in a trade dispute with that will cost American businesses and consumers literally billions of dollars.
Mind you, if it were true, there would also be proof.
This was the one thing lacking from the Bloomberg piece, though you would think it would be the first thing that this or any publication would have insisted on. You would at least, at the utter least, expect Bloomberg to have one of these motherboards and show us this spy chip. Instead, we got an illustration by artist Scott Gelber.
It's not as if the company would have had to go far — the Bloomberg company itself owns some Super Micro servers.
At the very end of its original October 4, 2018, piece, Bloomberg Businessweek wrote that "Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article."
Notably, neither did any other firm named in the piece.
Apple was particularly vehement about the accusation. Usually it tends not to comment on stories like it, but in this case Tim Cook even called out Bloomberg on it.
Apple had already issued a statement refuting the story plus detailing both how it had investigated the claims now and during months of prior discussions with the publication's reporters.
But then Cook just directly said that the story was "100 percent a lie." The CEO of a multi-billion dollar corporation does not casually use the word "lie."
But by the time he said this, a couple of weeks after the story broke, every organization or type of investigator you can think of, was saying the same thing. Industry experts established that the allegations were technically impossible.
Intelligence agencies in the US said the same thing. If you're thinking that such a breach would be so catastrophically bad that of course the government would deny it, so did overseas intelligence agencies.
All companies named in the story denied there was any accuracy in the reporting whatsoever. With one exception, all other investigations into the piece subsequently agreed that it was entirely wrong.
There is this one exception, but it's not that anyone agrees with the story, it's that we do not know the outcome of this other investigation. That's because it was done by Bloomberg itself, after publication, and its findings have not been published.
According to Erik Wemple of The Washington Post, reporter Ben Elgin was assigned by Bloomberg to investigate the publication's own story.
"In emails to employees at Apple," said Wemple, "Bloomberg's Ben Elgin has requested 'discreet' input on the alleged hack."
Again, you would expect this to be done prior to publication. And according to Apple's statement, it had already been providing extensively detailed input throughout the original investigation.
More, Wemple reports being told that Elgin if enough sources refuted the piece, he would "send that message up his chain of command."
It's hard to believe that Elgin didn't get enough sources refuting it, since every source was doing that publicly already, but if he did get enough and he did pass the news up the chain, Bloomberg appears to have done nothing.
What's happened since
Or at least, it's done nothing about proving or retracting the story.
Some time between the October 4, 2018, publication date and a December 11, 2018 competition closing date, Bloomberg entered the "Big Hack" article into the American Society of Magazine Editors Awards (ASME). It didn't make the shortlist.
Bloomberg did not enter the same piece into the Pwnies, but it won one anyway. The Pwnies are a series of awards made by the security community and awarded at the BlackHat USA conference. Most of the awards are serious and celebrate genuine achievements, but Bloomberg won one for "Most Over-Hyped Bug."
"The story had every buzzword that make any CISO [Chief Information Security Officer] want to retire: supply chain interdiction, state sponsored, China, Snowden," say the Pwnie organizers.
"It was said to affect major banks, government contractors, and even the company they all aspire to be, Apple," they continued. "This was definitely the computer security story of the year, maybe the decade, except for one small detail. It seems it was all bullshit."
Bloomberg did not acknowledge its Pwnie win.
The only public comment the company has made on the topic since publication was a statement that it was standing by the story. It said this to Buzzfeed later in October 2018. Then in December 2018, in a Bloomberg story about Super Micro denying all allegations, the reporter said that the company had "previously said it stands by its story."
The company then completely ignored repeated requests for comment by AppleInsider until September 2019. Asked directly about his investigation into the story, reporter Ben Elgin refused to comment on any specific stories or reporting, but did reveal one detail.
"I've been working full-time on some pharma industry stories for the past several months, so I'm out of the loop on this," he said in an email. "I really don't know."
Similarly, a Bloomberg spokesperson declined to comment, but did provide confirmation on issues concerning the "Big Hack" writers, Jordan Robertson and Michael Riley.
Michael Riley gets promoted
Words fail us. Co-author Michael Riley was promoted in September 2019 to oversee all of Bloomberg's technology security coverage.
A spokesperson from the company sent AppleInsider an extract from a note sent by Bloomberg News editor in chief John Micklethwait, to editorial and research staff on September 16.
"Mike Riley has become our cybersecurity czar," it says, before listing other members of a new group devoted to the topic. "The team will write about the various attempts to hack companies, governments and elections, as well as the thriving marketplace for cybersecurity tools, both legal and otherwise. But it is also intended to be a resource for the whole newsroom: if there is a cyber-incident in your coverage area, call our team."
The same note includes the phrase "sometimes a subject affects more than one part of the newsroom." If the existence of a seemingly bogus story of this scale isn't enough to undermine credibility, then the company's refusal to retract is.
And the rewarding of its co-author with this position of oversight on all technology security issues affects more than one part of the newsroom.
This is also not the only reward that has been given to Riley or co-author Jordan Robertson.
According to Bloomberg's own catalog, Michael Riley wrote nothing whatsoever for the publication from October 9, 2018 to August 31, 2019. He is since credited as co-author on four stories, all dated on the weekend of August 31 and September 1, 2019.
@J_J_E_ @karaswisher— Michael Riley (@MichaelRileyDC) October 5, 2018
That's the unique thing about this attack. Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging.
Similarly, Jordan Robertson had no published bylines on Bloomberg between October 9, 2018 and September 2, 2019. He is now credited as co-author on a single article on that latter date.
Nonetheless, a Bloomberg spokesperson confirmed to AppleInsider that Robertson remains employed by the company.
It is possible that both writers continued to be on the payroll despite writing no articles, because they were investigating this "Big Hack" story.
This would be a commendable thing for Bloomberg to do, to invest so much time and money in its reporters to make sure a story is correct. But of course that's what it should have been doing before publication.
And of course it's hard to justify 11 months of salaries for two journalists when all they needed to do to prove this story was produce one motherboard with the alleged spy chip.
Activity and no activity
Unless Bloomberg does publish either some proof or a retraction, we're unlikely to know what has really gone on in the year since its story was published.
Certainly, if Robertson is investigating it then he has chosen to close himself off to potential sources. As well as ignoring AppleInsider emails, he has stayed off Twitter since October 9, 2018, and can't be directly messaged. Michael Riley ceased tweeting on October 5, 2018 and can't be reached there nor replies to emails.
Having claimed Amazon's AWS cloud services were compromised by this "Big Hack", Bloomberg has now nonetheless moved its own online trading data system to exactly that service this September.
Back in May 2019, the company published an ill-informed opinion piece about end to end encryption, which AppleInsider debunked and the Pwnies called "fan fiction."
Even prior to that high-profile example, AppleInsider examined just how peculiarly poor Bloomberg's coverage of Apple tends to be.
We did reach out to Apple about what's been happening in the year since the article was published. A spokesperson said that they simply had nothing to add to their original statements refuting the allegations.
Apple has nothing more to say, and presumably neither it nor any of the other companies mentioned in the article, have anything more they can do, until Bloomberg proves or retracts the claims.
That could be why Bloomberg remains silent. It could be because reopening the story publicly could further damage the company either in terms of reputation or, conceivably, legal issues.
But then nothing puts worms back into a can better than promoting one of the openers.
We live in an age when for political advantage, the whole of the media regularly gets labelled as fake news. Bloomberg may have believed its story, and so initially was just woefully incompetent, but its actions since are letting us all down.