Supply chain security – DHS finds imported software and hardware contain attack tools

Malware has become a common everyday occurrence that we all have to deal with but compared to the problem facing the government and its security agencies our problems are a walk in the park.

In a recent appearance before the House Oversight and Government Reform Committee the acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer informed Rep. Jason Chaffetz that both the White House and DHS were very aware of imported electronics being sold in the US that came preloaded with spyware, malware, and other security-compromising parts by foreign parties.

The American supply chain, especially for electronics, has changed drastically during our technological revolution. Where we once could be sure of where the components came from and exactly who made them now it is a case sub-contracting to sub-contracts half a world away and by people who have no allegiance to the US.

Rep. Darrell Issa (R-CA) also specifically asked witnesses about the risk of electronics being sold stateside being purposely-designed for cyberattacks. In his words, “software infrastructure, hardware, [and] other things are built overseas that come to the United States with items that are embedded already in them by the time they get here to the United States.”

Buried in the White House’s Cyberspace Policy Review is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:

The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.

A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.

(Emphasis added)

The Cyberspace Policy Review was written several months ago. Apparently, Homeland Security has found documented examples in the meantime.

via Fast Company

This really should come as no surprise to anyone. In our desire to have the newest and best at the cheapest possible price we have given up any control of components that go into making our cool gadgets and this is a perfect opening for all kinds of misuse.

Comments