No CFO thinks that his signature approving a purchase order for a new five-figure piece of hardware could ultimately cost his company seven figures, or maybe force it to shut its doors forever. But that’s the reality many companies need to face when it comes to supply chain security and risk management. Core IT equipment used inside most American companies is likely to be purchased from an American vendor. But most of the gear is built overseas, likely in Asia, where little oversight is offered into its construction and shipping.

Naturally, most executives base their decisions on the final cost. And that’s often the only consideration given.

But when you hear about branches of the military buying computers compromised with counterfeit gear somewhere along the supply chain, or financial firms buying networking devices with malware-infested chips, it begins to hit home—often far too late—that real money and sometimes real lives can be at stake.

It’s far too easy to dismiss the scenario of Chinese motherboard manufacturers embedding malicious chips into the equipment of certain customers as James Bond-type fiction. But this type of disregard is fatal, some experts caution.

High-value companies are being compromised this way, losing data and intellectual property by the terabyte. Software and manufacturing products on a 12-month timetable here are showing up in foreign markets in half the time, putting a dent in that enterprise’s future, as well as one in the American economy.

This is one area where American companies cannot afford to be reactive for much longer. This isn’t like conventional malware looking for credit card numbers or customer information. These aren’t criminals looking to turn a quick buck in an identity theft scam. We have organized, well-funded groups behind these incursions. By inserting themselves somewhere along the supply chain, they’ve managed to get in on the ground floor. Talk about the ultimate rootkit.

“Awareness from a customer point of view is almost non-existent,” said Dave Amsler, president and CIO of Foreground Security. “Some of them realized the risk, but it’s clear to me that most have not even thought about this and we need to. Think about all you’re doing and spending against external attackers. If they’re able to introduce equipment into an environment, they’re past all those controls.”

Most, if not nearly all, companies have no supply chain security policy, governance or education in place about the potential risks.

“No one knows, or thinks about, where this equipment is coming from or where they’re ordering it from,” Amsler said. “When making these decisions, they should be looking at manufacturers with a policy in place and standards, versus just the price.”

Cisco, for one, has a supply chain risk management process in place where it does spot checks with its vendors and sets similar recommendations for customers, such as purchasing only through Cisco certified partners. NIST, meanwhile, established 10 supply chain risk management practices earlier this year that recommend federal purchasers identify those in their respective supply chains, maintain provenance of tools and data, perform awareness training, strengthen delivery mechanisms, and manage the disposal of equipment, among others.

What exacerbates the problem is that detection is so difficult and costly. The Department of Defense, Amsler said, will open boxes and physically inspect motherboards against a known uncompromised board, comparing the circuitry for anything that should not be there.

“You have to do electronic testing based on different algorithms,” Amsler said. “If the board has an extra chip, the results would not come out the same way. This type of testing before production is not cheap, but it’s the only realistic way for critical infrastructure.”

And then there’s Huawei. The Chinese manufacturer of networking equipment has a presence in several large American corporate and Internet service provider networks. A recent House Permanent Select Committee on Intelligence report on Huawei and ZTE was scathing and recommended that U.S. interests should not trust their equipment and services inside U.S. telecommunications networks.

“To the extent these companies are influenced by the state, or provide Chinese intelligence services access to telecommunication networks, the opportunity exists for further economic and foreign espionage by a foreign nation-state already known to be a major perpetrator of cyber espionage,” the committee’s final report said.

Among its recommendations, the committee said U.S. organizations should be suspicious of companies such as Huawei having a presence in U.S. networks; that private sector companies need to consider the security risks of doing business with these companies and should seek other vendors; and it called for these companies to be more transparent about their operations.

Huawei has been on the defensive. Just this week, its CSO, Andy Purdy, former acting director of U.S. CERT’s national cyber division, said Huawei is willing to work with the U.S. to help address supply chain security challenges. Whether they’re hollow words remains to be seen, but regardless, the risk is real and any awareness the U.S. report on Huawei brings cannot hurt—if American companies look away from the bottom line for a few seconds.

“I don’t know if anyone is paying attention,” Amsler said. “I think in a year or two, something bad is going to happen. Then it will get the attention it deserves.”

Categories: Critical Infrastructure

Comments (3)

  1. Deramin

    Amsler’s quote at the end is only half right. Something bad will happen, it will get the attention it deserves, and then people will go back to ignoring it. There was a Safeway store built in Oregon that everyone knew was in a flood plain. This was repeatedly told to Safeway, but they built it anyway because the land was cheap. Within five years they were forced to close the store down because it flooded every year.

    Poor risk management decisions are not isolated to cyber security. We don’t make good decisions even in circumstances where we can predict exactly what will happen, about how frequently, and have reasonably good methods to easily and cheaply mitigate the risk. Throw in unknown-ish perpetrators doing complicated things and people will absolutely write the whole thing off. Frankly, I don’t even think we as humans are capable of addressing this problem in any real way.

  2. Anonymous

    We’re cutting our own throats… and the Chinese (and other perps) are laughing up their sleeves. Like the commenter above, most of us have NO way to deal with this from a practical standpoint. We’re sitting friggin’ ducks!!

  3. Anonymous

    It would appear to me the United States government and/or private sector should implement the manufacturing of environmentally sensitive equipment here in the US. We need a company here at home that can manufacture these components with supply chain assurances. Anything made in China is subject to the Chinese government or other government supported entities. It’s not science fiction any more!! When we find compromised components in the equipment our own government is purchasing it’s a wake-up call. Government and big business, pull your heads out of your collective behinds and do something about this before it’s too late. Are we really that ignorant we can’t manufacture this equipment here at home? Even if regulations are too strict and COSTS too prohibitive the government should subsidize or reward any manufacturer who sets up production here at home. Certainly there is profit to be made manufacturing and selling these components here at home. WAKE UP CONGRESS and BIG BUSINESS! The Chinese do NOT play by our rules so quit being so naive and apathetic. They have figured out how to control this country by compromising the systems we are purchasing from them.