Trust but verify: Security risks abound in the IT supply chain


With one in 10 information technology products on the market considered counterfeit, and software products developed across the globe at risk of subversion, it is hard to overstate the national security concerns regarding the use of IT products delivered through the global supply chain.


Editor’s Note: This article was prepared collaboratively by members of the International Information Systems Security Certification Consortium's ((ISC)²) Government Advisory Board Executive Writers Bureau. The bureau includes federal IT security experts from government and industry. A full list of bureau members is available at www.isc2.org/ewb-usgov.


The cyber security risks inherent in the federal government's procurement of and reliance on IT hardware and software from various non-pedigreed sources have been well reported. Over a decade ago, the Defense Science Board Task Force on Globalization and Security published a telling report on the "Vulnerability of Essential U.S. Systems Incorporating Commercial Software." In 2002, in the wake of the 9/11 attacks, there were a number of well-publicized investigations of allegedly terrorist-funded corporations under the auspices of Operation Green Quest. The problem has now essentially come full circle: recent reports of counterfeit computer components found in warplanes, ships and communication networks show that the threat to Defense Department and other government systems is no longer hypothetical.

This article explores various cyber risks to the IT supply chain, which include theft of intellectual property, logic bombs and self-modifying code, deliberately hidden back doors and features for unauthorized remote access, as well as risks from fake or counterfeit products.

The fear of non-secure or even harmful foreign software dates back to the late 1990s, when federal agencies hired foreign contractors to rewrite code to keep systems from malfunctioning during the year 2000 date change. A 2007 report by the Defense Science Board (DSB), DOD’s top advisory board, was the first formal acknowledgement by that body that such security risks exist. The 2007 report highlights the seriousness of the problem, concluding: "Malicious code, which would facilitate system intrusion, would be all but impossible to detect through testing, primarily because of software's extreme and ever increasing complexity. ... Increased functionality means increased vulnerability."

The DSB was not alone in its projections. In 2006, the Association for Computing Machinery (ACM) published "Globalization and Offshoring of Software," enumerating the risks to national security from government's use of foreign software. The first risk identified in the ACM report was that difficulty establishing code pedigree could allow hostile nations, terrorists, criminals and other miscreants to subvert or sabotage software used in critical government systems.

However, the problem is not limited to risks stemming from software developed overseas or by foreign-owned companies operating domestically. It also extends to hardware, including counterfeit products and foreign-developed computer chips and microprocessors. Similar problems could be caused by home-grown terrorists and criminals.

The supply chain is complex and interwoven, with no clear line between software and hardware pedigree from source to government system. Risk is introduced any time that hardware and software transfer from the country/company of origin to a federal government end-user via a certified domestic distributor, a certified distributor in a second country/company or via a company's Web site or online auction site.

A recent white paper produced by KPMG and the Alliance for Grey Market and Counterfeit Abatement (AGMA) reported that one in 10 IT products currently on the market is counterfeit. Estimates from law enforcement are even higher. The paper also reported that this 10 percent counterfeit market is currently grossing more than $100 billion in annual revenue. The national security implications of these counterfeit and, in some cases, subverted products being used in sensitive government systems are of grave concern. This was underscored in 2008, when an FBI briefing on its investigation of counterfeit Cisco gear reported that counterfeit Cisco routers and switches had been sold into a wide range of U.S. government and military networks over roughly 18 months, and warned that such equipment could give the Chinese government or Chinese hackers, or both, an undetectable back door into those networks. The briefing established the counterfeit hardware, not a confirmed intrusion; the point is that once gear of unknown pedigree is on the network, the operator has no way to rule one out.
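The check a practitioner wants at the receiving end of that supply chain is mechanical: compare what arrived against what the vendor actually published. The following is an added example, not code from the article, from (ISC)² or from any vendor; the artifact names, image bytes, vendor manifest and "reseller" shipment are all constructed here for illustration. It verifies a delivered set of software images against a sha256sum-style manifest (`<hex digest>  <file name>` per line) obtained separately from the vendor, and treats an altered file, a missing file and an unlisted extra file as three distinct reasons to reject the shipment.

```python
import hashlib
import hmac

# Constructed sample artifacts (hypothetical names; not real vendor images).
GENUINE_IMAGES = {
    "router-fw-1.2.bin": b"\x7fGENUINE-ROUTER-FIRMWARE-1.2" + bytes(range(64)),
    "switch-fw-3.0.bin": b"\x7fGENUINE-SWITCH-FIRMWARE-3.0" + bytes(range(64, 128)),
    "release-notes.txt": b"Release 1.2 / 3.0: security fixes, no config changes.\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """What the vendor publishes, in the same layout as `sha256sum` output:
    one line per artifact, '<hex digest>  <file name>'."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Parse a sha256sum-style manifest into {name: digest}. Malformed lines are
    an error, not something to skip: a skipped line is an artifact nobody verified."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>', got {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 hex digest")
        if name.startswith("*"):          # sha256sum's binary-mode marker
            name = name[1:]
        if name in expected:
            raise ValueError(f"manifest line {lineno}: {name!r} listed twice")
        expected[name] = digest
    return expected


def verify_shipment(manifest_text: str, received: dict) -> dict:
    """Compare received artifacts ({name: bytes}) against the vendor manifest.
    Returns four lists: ok, mismatch (content differs), missing (listed but not
    delivered) and unexpected (delivered but not listed; an extra file is a red
    flag, not a bonus)."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, digest in sorted(expected.items()):
        if name not in received:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(received[name]), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unexpected"] = sorted(set(received) - set(expected))
    return report


def acceptable(report: dict) -> bool:
    """Accept only a shipment that is exactly the published set:
    nothing altered, nothing missing, nothing added."""
    return not (report["mismatch"] or report["missing"] or report["unexpected"])


# Constructed scenario: the manifest was fetched from the vendor's own site; the
# images came through a reseller. One image was altered in transit (one byte
# flipped), the release notes were dropped, and an extra "updater" appeared.
VENDOR_MANIFEST = build_manifest(GENUINE_IMAGES)
_tampered = bytearray(GENUINE_IMAGES["router-fw-1.2.bin"])
_tampered[40] ^= 0x01
RESELLER_SHIPMENT = {
    "router-fw-1.2.bin": bytes(_tampered),
    "switch-fw-3.0.bin": GENUINE_IMAGES["switch-fw-3.0.bin"],
    "updater.exe": b"MZ...not in the manifest...",
}

if __name__ == "__main__":
    for label, shipment in (("genuine", GENUINE_IMAGES), ("reseller", RESELLER_SHIPMENT)):
        report = verify_shipment(VENDOR_MANIFEST, shipment)
        print(label, "ACCEPT" if acceptable(report) else "REJECT", report)
```

Two caveats matter more than the code. First, the manifest must reach you by a path independent of the shipment (the vendor's own site over TLS, or a manifest the vendor signs and you verify), or a counterfeiter simply ships a manifest that matches the altered image. Second, a matching digest proves only that the bits are the ones the vendor published; it says nothing about whether the vendor's own build carries the hidden back doors the 2007 DSB report warns are all but impossible to detect by testing, and it does nothing at all for counterfeit hardware, which needs physical inspection and serial-number verification with the manufacturer.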

These activities have major implications for the fundamental premise of cyber infiltration and espionage. Why send malicious code over the Internet if one can pre-infect software, computer parts or even consumer devices with logic bombs, self-modifying code, deliberately hidden backdoors and so on? Further, why continue to follow the traditional, arduous, time-consuming model of recruiting and training thousands of covert operatives when one can hire a few "uber haxors" who can command readily available botnets to infiltrate the systems of target countries and exfiltrate the same (or even more) sensitive information from a broader range of targets?

The extent of cyber espionage and the consequent data exfiltration was highlighted in a 2006 Government Computer News report, in which Major General William Lord, U.S. Air Force chief information officer, stated that China had downloaded 10 to 20 terabytes of data from DOD’s unclassified (NIPRNet) network. The same type of incident was highlighted in a 2008 USA Today report, “Chinese Hacked Capitol Computers,” in which Rep. Frank Wolf (R-Va.) revealed that the FBI had identified four of his government computers that had been hacked by sources working out of China. The Congressman expressed his concern that the problem likely went further. "If it's been done in the House, don't you think that they're doing the same thing in the Senate?" he asked.

Analyses of U.S. government contracting processes and the IT supply pipeline expose some of the inherent risks to the supply ecosystem. From the time a purchase order is placed with a DOD/General Services Administration-approved and authorized vendor or reseller until the product is delivered to the government's mailroom, government officials have little or no visibility into, let alone control over, the layers of sub-contractors, and the sub-contractors’ sub-contractors, that the approved vendor uses to fill the order. Although the following case study is more germane to risks in the DOD IT supply chain, it illustrates well the risks from suppliers of unknown pedigree.

In October 2008, BusinessWeek published a revealing article, “Dangerous Fakes.” One of its case studies featured Mariya Hakimuddin, a working mother with no technical background, who owned “IT Enterprise,” a company she ran with her mother out of a modest one-story house in Bakersfield, Calif. Mariya had begun brokering military chips four years earlier after friends told her about the expanding trade. Since 2004, she had won DOD contracts worth a total of $2.7 million. The military acquired microchips and other parts from IT Enterprise for use in radar on the aircraft carrier USS Ronald Reagan and in the anti-submarine combat system of Spruance-class destroyers. Mariya said she knew little about the parts she bought and sold. She started her business by signing up on the Internet for a government supplier code. After DOD approved her application, with no inspection, she began scanning online military procurement requests. She plugged part codes into Internet search engines and found Web sites offering low prices. Then she ordered parts and had them shipped directly to military depots. After finding a suspicious transistor shipped by IT Enterprise, the Navy triggered an investigation of the company. In January 2008, DOD suspended IT Enterprise, Mariya and her mother from supplying the military for three years. A month after Mariya was suspended, her husband, Mukerram, received his own supplier code, using the same home address and a new company name, Mil Enterprise. This time, DOD caught on more quickly, suspending Mukerram for three years as well.

Even more insidious is the potential for hostile foreign influence on offshore developers, resulting in malicious code and other intentional vulnerabilities embedded in products. This is perhaps best illustrated by the following case study of PTech, a Boston-area software company.

In 2002, the FBI launched an investigation of PTech and its possible ties to terrorism as part of Operation Green Quest, a Customs investigation into Yasin al-Qadi and other suspected financiers. At the time, PTech’s risk management software was being used by the FBI, the Air Force, the Navy and a host of other DOD and federal agencies. One of PTech’s central investors was Yasin al-Qadi, whom the FBI suspected of financing terrorist groups. A CBS journalist who was the first to report on PTech said: “The worst-case scenario is that this is a situation where this was planned for a very long time to establish a company in this country and in the computer software business that would target federal agencies and gain access to key government data to essentially help terrorists launch another attack.” While the FBI’s investigation of PTech was inconclusive and no one associated with PTech was ever charged, the impact of such a scenario, had it been real, would be devastating to national security. The company continues to do business with the government, albeit under a new name.

Approaching the solution

The gravity of IT supply chain risks is not lost on national security strategists. In January 2008, to combat the growing threats in cyberspace, the White House issued National Security Presidential Directive 54/Homeland Security Presidential Directive 23, which established the Comprehensive National Cybersecurity Initiative (CNCI) and called for a national priority and plan of action against those threats. The directive considers the full spectrum of threat vectors -- network, supply chain, vendor, mission and bridge networks -- to address both internal and external threats. In brief, the CNCI comprises 12 initiatives, of which the 11th, “Develop a Multi-Pronged Approach for Global Supply Chain Risk Management,” is specifically geared toward tackling risks in the IT supply chain. It is perhaps the most challenging of the initiatives.

The National Institute of Standards and Technology (NIST) is charged with developing guidance for CNCI Initiative 11 and has outlined the following sub-program areas as the basis of its multi-pronged approach:

  • Criteria for identifying federal government systems and networks requiring enhanced efforts to ensure supply chain risk management.
  • An approach for enhancing federal government technical expertise, guidance and standards to manage supply chain risk.
  • Lifecycle processes and standards.
  • A strategy to enhance federal government acquisition policy to address supply-chain risk based on a legal and policy evaluation of the potential application of intelligence community processes for supply chain risk management to non-IC departments/agencies, including the use of vendor threat information in acquisition.
  • Acquisition policy and legal analysis.
  • A process for sharing vendor threat analyses across the federal government.

While the CNCI initiative’s plan for tackling risks in the IT supply chain has not yet been published, the work already accomplished by other groups is encouraging. The Customs-Trade Partnership Against Terrorism (C-TPAT), launched in November 2001 with just seven major corporate importers, has grown to become one of the largest and most successful public-private sector partnerships to emerge from the ashes of 9/11.

It is one of several U.S. Customs and Border Protection (CBP) initiatives implemented after 9/11 to achieve CBP’s twin goals of security and facilitation. C-TPAT’s main vision is to safeguard the trade industry from terrorists and to provide benefits and incentives to private sector companies that meet or exceed C-TPAT supply chain security criteria and best practices. C-TPAT recommends that industry partners adopt minimum security practices (especially at the point of origin and the point of stuffing, where a container is loaded), and that contracts and requests for proposals include specific security language stipulating that, before conducting any business, suppliers must comply with specified security standards, policies and procedures. For federal agencies, the analogue is accountability for scrutinizing foreign manufacturers and a more rigorous clearance process. Many C-TPAT companies now contractually require their business partners to improve security in order to meet C-TPAT guidelines. Examples of how C-TPAT companies work with foreign suppliers to tighten security in the supply chain include:

  • Conducting regular audits of their vendors to ensure compliance with C-TPAT security guidelines.
  • Conditioning contractual business relationships with their service providers and vendors based on C-TPAT participation and/or adherence to security guidelines.
  • Leveraging the existing internal inspection team.
  • Obtaining cargo security training for quality assurance personnel or non-security related auditors who visit foreign vendors and factories on a regular basis.
  • Partnering with individual customs administrators to improve the coordination of mutual anti-terrorism efforts.

The work of the public–private sector partnership Software Assurance Forum for Excellence in Code (SAFECode) is also noteworthy. SAFECode was founded by EMC, Juniper Networks, Microsoft, SAP and Symantec as a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks with national security implications. The incident reports cited in this article highlight potential consequences ranging from logic bombs, self-modifying code and deliberately hidden back doors to potentially fatal equipment failure and foreign espionage. Although the U.S. government has only scratched the surface in developing an approach to the solution, federal chief information security officers can take some comfort in the fact that one of the CNCI initiatives is intended to meet this challenge head-on. As NIST advises, organizations must add “defense-in-breadth” to their strategy mix: while defense-in-depth focuses on the operations phase of the system development lifecycle, defense-in-breadth covers the entire lifecycle, from acquisition and development through deployment and disposal.
