The global information technology (IT) supply chain has been at the forefront of cyber security concerns for several years. First initiated by the Bush administration’s 2008 Comprehensive National Cybersecurity Initiative (CNCI), the U.S. government identified the need to develop a multi-pronged approach for global supply chain risk management, a theme that has since been underscored by the White House’s January 2012 National Strategy for Global Supply Chain Security. Both documents agree that the globalization of the IT marketplace has created opportunities for hostile actors to compromise the confidentiality, integrity, and availability of IT products and services. The global IT marketplace is composed of multiple businesses, vendors, and relationships that span countries, regions, and time zones. Federal government agencies must rely on these vendors and commercial-off-the-shelf products to satisfy their IT requirements, which has politicians and security experts clamoring for supply chain oversight. As evidenced by the recent House of Representatives report on the Chinese telecommunications companies Huawei and ZTE, the U.S. government fears the possibility of IT supply chain exploitation by foreign IT companies, although it cannot attribute acts of espionage or intentional compromise. This raises two important questions: 1) Is the supply chain threat blown out of proportion as the U.S. government continues to purchase commercial products; and 2) If not, is it too late to mitigate the threats to a fragmented global enterprise? Ultimately, securing the global supply chain is as difficult as trying to secure the global Internet, and for many of the same reasons. More attention should be spent on ensuring the quality of products being integrated into networks rather than trying to find out whether an adversary is going to use this cumbersome global supply chain monolith as a viable means to commit espionage.
White House Releases a Strategy
In January 2012, the White House’s National Strategy for Global Supply Chain Security bolstered assertions made in the 2008 Comprehensive National Cybersecurity Initiative, and those made later in a March 2012 Government Accountability Office report, that the U.S. is vulnerable to exploitation in the global IT supply chain primarily because the global supply chain is large, unmonitored, and vulnerable to hostile acts at any point in a product’s or device’s life cycle.
What’s interesting about the Strategy is that it calls for an integrated domestic effort, as well as an international approach, toward addressing supply chain weaknesses and vulnerabilities as the best way forward to solving this problem. This is disconcerting because it does not offer an alternative to the status quo but tries to operate within its constraints. The Strategy does not encourage domestic development of indigenously produced IT goods and services as a viable means to counter the supply chain threat, suggesting that the U.S. has no intention of returning to a time when it was a leading developer and manufacturer of IT products. If the U.S. government doesn’t cultivate this type of IT production renaissance, then it is doomed to be dependent on what the global marketplace offers. Other countries such as China, India, Iran, and Russia are in the process of trying to develop indigenous computer software and hardware to reduce their dependence on foreign-manufactured equipment and, in turn, increase their cyber security posture in the process. The fact that China, Iran, and Russia specifically are suspected of conducting hostile cyber activities against U.S. and foreign targets should serve as a wake-up call to the U.S. government. After all, suspicions of U.S. involvement in the Stuxnet, Duqu, and Flame attacks against Iran were catalysts for Iran to increase its cyber defense apparatus. If our suspected cyber adversaries are seeking to reduce their vulnerability by building in-house, why wouldn’t the United States do likewise? However, this is not even a consideration for the United States, which at one time was a technological leader and innovator in computer hardware production, suggesting that profits and global commerce have replaced simple security considerations.
What Is the Supply Chain Threat?
Because of its size and the number of companies potentially involved (depending on the product or service), the global IT supply chain offers numerous potential access points for exploitation at any stage of the development, manufacturing, assembly, and distribution process. Moreover, these threats can appear at each phase of the system development life cycle, including the initiation, development, dissemination, implementation, and maintenance of an information system. As a result, the compromise of an agency’s IT supply chain can degrade the confidentiality, integrity, and availability of its critical and sensitive networks, IT-enabled equipment, and data. According to a 2010 report from Carnegie Mellon’s Software Engineering Institute, the identity of a product or a provider may not be discernible to the organization acquiring the product, nor does that organization have visibility into a supplier’s subcontractors. Equipment, parts, or devices to be included in the overall product may be obtained from outsourced companies in other countries, not to mention vendors selling commercial-off-the-shelf products who may outsource their own production.
According to the Government Accountability Office (GAO), an independent, nonpartisan agency that investigates how the federal government spends taxpayer dollars, reliance on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and risk mitigation. In a March 2012 report, the GAO identified five major threats to the IT supply chain:
- Installation of hardware or software containing malicious logic
- Installation of counterfeit hardware or software
- Failure or disruption in the production or distribution of critical products
- Reliance on a malicious or unqualified service provider for the performance of technical services
- Installation of hardware or software that contains unintentional vulnerabilities
The picture that the GAO paints is bleak: the U.S. government lacks the necessary policies, procedures, standards, and monitoring capabilities to take on this threat, despite having steadily enacted legislation empowering agencies for this very purpose. So what we are left to conclude is that any current policies are ineffective, agencies are ignoring their mandates, or no one knows exactly what next steps should be taken. In short, federal agencies and related departments will continue to rely on inadequate measures to address the supply chain threat, which begs the question: is it too late to mitigate these threats?
Can the Supply Chain Threat Be Mitigated?
The supply chain threat is difficult to detect, monitor, and mitigate. A report from the Georgia Tech Information Security Center and Georgia Tech Research Institute characterized such threats as “…expensive to fix, and a policy nightmare.” Whether it’s the purposeful insertion of malware, the presence of vulnerabilities, or other flawed hardware or software, the IT supply chain presents ample opportunity for intentional or unintentional malfeasance. The following highlights some of the challenges of supply chain mitigation:
- The Supply Chain Encompasses the World. The United States surrendered its leadership position in the development and manufacturing of IT equipment in favor of the increased profits offered by globalization. Presently, it is rare for a company to do all of the manufacturing and assembly of IT goods in one location. An IT product lifecycle that spans research and development through product implementation and service, and includes packaging, shipping, and delivery, may occur in several locations throughout the world. Figure 1, taken from the Government Accountability Office’s March 2012 report GAO-12-361, illustrates the possible combinations of countries involved in the manufacturing of components assembled into one laptop computer. The number of countries potentially involved in this process represents opportunities for hostile actors to introduce malware into a computer. Even if you purchase a computer from a U.S. or European computer company, the components in the computer will have been made somewhere else.
- Outsourcing. An IT customer often does not know whether the trusted vendor from which he has purchased a product has outsourced or sub-outsourced any of the production to other companies, and therefore has no insight into what quality assurance or security standards were used. Asia has been a prime location for the outsourcing of global computer components since many of the leading computer manufacturers established research and development centers in China. According to a 2008 report published by the Alfred P. Sloan Foundation, a philanthropic, nonprofit grantmaking institution, “by 2005 China was the single largest producer of personal computers and computer equipment overall in the world.”