No CFO imagines that his signature on a purchase order for a new five-figure piece of hardware could ultimately cost his company seven figures, or even force it to shut its doors for good. But that is the reality many companies face when it comes to supply chain security and risk management. Core IT equipment used inside most American companies is likely to be purchased from an American vendor, but most of the gear is built overseas, likely in Asia, where little oversight is offered into its construction and shipping.
Naturally, most executives base their decisions on the final cost. And that’s often the only consideration given.
But when you hear about branches of the military buying computers compromised with counterfeit gear somewhere along the supply chain, or financial firms buying networking devices with malware-infested chips, it begins to hit home—often far too late—that real money and sometimes real lives can be at stake.
It’s far too easy to dismiss the idea of Chinese motherboard manufacturers embedding malicious chips into the equipment of certain customers as a James Bond-type scenario. But this kind of disregard is fatal, some experts caution.
High-value companies are being compromised this way, losing data and intellectual property by the terabyte. Software and manufactured products on a 12-month timetable here are showing up in foreign markets in half the time, putting a dent in that enterprise’s future, as well as in the American economy.
This is one area where American companies cannot afford to be reactive for much longer. This isn’t like conventional malware looking for credit card numbers or customer information. These aren’t criminals looking to turn a quick buck in an identity theft scam. We have organized, well-funded groups behind these incursions. By inserting themselves somewhere along the supply chain, they’ve managed to get in on the ground floor. Talk about the ultimate rootkit.
“Awareness from a customer point of view is almost non-existent,” said Dave Amsler, president and CIO of Foreground Security. “Some of them realized the risk, but it’s clear to me that most have not even thought about this and we need to. Think about all you’re doing and spending against external attackers. If they’re able to introduce equipment into an environment, they’re past all those controls.”
Most companies, if not nearly all, have no supply chain security policy, governance or education in place about the potential risks.
“No one knows, or thinks about, where this equipment is coming from or where they’re ordering it from,” Amsler said. “When making these decisions, they should be looking at manufacturers with a policy in place and standards, versus just the price.”
Cisco, for one, has a supply chain risk management process in place under which it does spot checks with its vendors, and it makes similar recommendations to customers, such as purchasing only through Cisco certified partners. NIST, meanwhile, published 10 supply chain risk management practices earlier this year that recommend federal purchasers identify the parties in their respective supply chains, maintain the provenance of tools and data, perform awareness training, strengthen delivery mechanisms, and manage the disposal of equipment, among other measures.
What exacerbates the problem is that detection is so difficult and costly. The Department of Defense, Amsler said, will open boxes and physically inspect motherboards against a known uncompromised board, comparing the circuitry for anything that should not be there.
“You have to do electronic testing based on different algorithms,” Amsler said. “If the board has an extra chip, the results would not come out the same way. This type of testing before production is not cheap, but it’s the only realistic way for critical infrastructure.”
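The golden-board comparison described above, reduced to a software-level check, as an added example that is not from the article and not the DoD’s or Foreground Security’s actual procedure: a received unit’s component inventory (slot, part identifier, firmware hash) is compared against a reference inventory captured from a known-good board, and any extra, missing or altered part fails acceptance. The inventory format and both listings are constructed for the example; a real pipeline would feed it from a bus enumeration and firmware dumps taken off the board.

```python
"""Acceptance check of a hardware unit against a known-good reference inventory.

Added example. Each inventory line is '<slot> <vendor:device> <firmware_sha256>';
the format and the two sample inventories below are constructed, not real parts.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Component:
    slot: str      # physical/bus position on the board
    ident: str     # vendor:device identifier read from the part
    firmware: str  # hash of the firmware image read from the part


def parse_inventory(text: str) -> Dict[str, Component]:
    """Parse an inventory listing into a slot -> Component map.

    Blank lines and '#' comments are ignored; a slot listed twice is an error,
    because the comparison keys on slot position.
    """
    comps: Dict[str, Component] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        slot, ident, fw = line.split()
        if slot in comps:
            raise ValueError(f"duplicate slot in inventory: {slot}")
        comps[slot] = Component(slot, ident, fw)
    return comps


def compare(golden: Dict[str, Component], unit: Dict[str, Component]) -> Dict[str, List[str]]:
    """Report every way the unit differs from the reference board.

    'extra'   : a populated position the reference board does not have
    'missing' : a reference part the unit lacks
    'changed' : same position, but a different part or different firmware
    """
    findings: Dict[str, List[str]] = {"extra": [], "missing": [], "changed": []}
    for slot in sorted(set(golden) | set(unit)):
        g, u = golden.get(slot), unit.get(slot)
        if g is None:
            findings["extra"].append(f"{slot} {u.ident} not present on reference board")
        elif u is None:
            findings["missing"].append(f"{slot} {g.ident} absent from unit")
        elif g.ident != u.ident:
            findings["changed"].append(f"{slot} part {g.ident} -> {u.ident}")
        elif g.firmware != u.firmware:
            findings["changed"].append(
                f"{slot} firmware {g.firmware[:8]} -> {u.firmware[:8]}")
    return findings


def accept(findings: Dict[str, List[str]]) -> bool:
    """A unit is accepted only if it matches the reference exactly."""
    return not any(findings.values())


# Constructed reference inventory from a known-good board.
GOLDEN = """
00:00.0 1234:0001 3b1f9c0e5a7d2c84f6e1a9b0c2d4e6f8a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9
00:1f.3 1234:0002 9e7c5a3b1d0f2e4c6a8b0d2f4e6c8a0b1d3f5e7c9a1b3d5f7e9c1a3b5d7f9e1c
01:00.0 5678:00a1 0c2e4a6c8e0a2c4e6a8c0e2a4c6e8a0c1e3a5c7e9a1c3e5a7c9e1a3c5e7a9c1e
"""

# Constructed inventory of a delivered unit: one part has different firmware
# and an extra populated position appears that the reference board lacks.
UNIT = """
00:00.0 1234:0001 3b1f9c0e5a7d2c84f6e1a9b0c2d4e6f8a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9
00:1f.3 1234:0002 9e7c5a3b1d0f2e4c6a8b0d2f4e6c8a0b1d3f5e7c9a1b3d5f7e9c1a3b5d7f9e1c
01:00.0 5678:00a1 ffffffff0a2c4e6a8c0e2a4c6e8a0c1e3a5c7e9a1c3e5a7c9e1a3c5e7a9c1e00
02:00.0 0000:0000 1111111111111111111111111111111111111111111111111111111111111111
"""


def check_unit(golden_text: str = GOLDEN, unit_text: str = UNIT) -> Dict[str, List[str]]:
    """Convenience wrapper: parse both listings and return the findings."""
    return compare(parse_inventory(golden_text), parse_inventory(unit_text))


if __name__ == "__main__":
    result = check_unit()
    for category, items in result.items():
        for item in items:
            print(f"{category.upper():8s} {item}")
    print("ACCEPT" if accept(result) else "REJECT")
```

The check keys on board position rather than on the set of parts alone, so a substituted part in the same slot and a wholly new part in an unused slot are reported differently; that distinction matters when deciding whether a unit was tampered with or merely built from a different approved bill of materials.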
And then there’s Huawei. The Chinese manufacturer of networking equipment has a presence in several large American corporate and Internet service provider networks. A recent House Permanent Select Committee on Intelligence report on Huawei and ZTE was scathing and recommended that U.S. interests should not trust their equipment and services inside U.S. telecommunications networks.
“To the extent these companies are influenced by the state, or provide Chinese intelligence services access to telecommunication networks, the opportunity exists for further economic and foreign espionage by a foreign nation-state already known to be a major perpetrator of cyber espionage,” the committee’s final report said.
The committee recommended that U.S. organizations be suspicious of companies such as Huawei having a presence in U.S. networks, that private sector companies weigh the security risks of doing business with these companies and seek other vendors, and that the companies themselves be more transparent about their operations, among other recommendations.
Huawei has been on the defensive. Just this week its CSO, Andy Purdy, a former acting director of U.S. CERT’s national cyber division, said Huawei is willing to work with the U.S. to help address supply chain security challenges. Whether those are hollow words remains to be seen, but regardless, the risk is real and any awareness the committee’s report on Huawei brings cannot hurt—if American companies look away from the bottom line for a few seconds.
“I don’t know if anyone is paying attention,” Amsler said. “I think in a year or two, something bad is going to happen. Then it will get the attention it deserves.”