In a House committee hearing on cybersecurity threats Thursday, a DHS official said he was aware of some cases in which software and hardware manufactured overseas had arrived in the U.S. pre-loaded with security bugs. However, the official did not say that those cases involved vulnerabilities or backdoors planted intentionally.
In response to a question from Rep. Jason Chaffetz of Utah, Greg Schaffer, the acting deputy undersecretary of the National Protections and Programs directorate at the Department of Homeland Security, said that he knew of instances in which PC components and software had come to the U.S. with security vulnerabilities in them. The hearing of the House Committee on Oversight and Government Reform was mainly focused on information sharing between the government and the private sector, but Chaffetz began to press Schaffer on the issue of compromised foreign components entering the supply chain of U.S. companies.
“Are you aware of components, software or hardware, coming to the United States of America that have security risks already embedded into those components?” Chaffetz asked.
Schaffer had balked at answering the question a minute earlier and seemed hesitant, but after eventually asking Chaffetz to rephrase it, he did answer.
“I am aware that there have been instances where that has happened,” he said.
Identifying a vulnerability in an application that was planted specifically and intentionally by a foreign supplier or third party would be a difficult task, to say the least. It’s generally accepted that every piece of software that hits the shelves contains security flaws, and while a lot of development is outsourced now, tying a specific bug to an intentional operation would be problematic.
There have been plenty of examples in recent years of hardware devices such as USB flash drives and even digital picture frames being pre-loaded with malware.
Chaffetz did not press Schaffer any further on the issue or ask him whether he meant that there had been examples of software and hardware found to have been rigged with intentional vulnerabilities in an effort to weaken defenses at U.S.-based companies and government agencies. Chaffetz instead moved on to the information-sharing topic again.
Schaffer said that the DHS and the Department of Defense have a joint task force charged with looking at ways to ensure the strength and integrity of the U.S. supply chain over the long term. Schaffer, a former computer crime prosecutor at the Department of Justice and a former security officer in the private sector, said that the lack of control over the supply chain, together with the threats to its security, is one of the more difficult challenges facing the country at this moment.