CISO PERSPECTIVES by ISC(2) — Commentary
Trust but verify: Security risks abound in the IT supply chain
With one in 10 information technology products on the market
considered counterfeit, and software products developed across the
globe at risk of subversion, it is hard to overstate the national
security concerns regarding the use of IT products delivered through
the global supply chain.
Editor’s Note: This article was prepared
collaboratively by members of the International Information Systems
Security Certification Consortium's Government Advisory Board Executive
Writers Bureau. The bureau includes federal IT security experts from
government and industry. A full list of bureau members is available at www.isc2.org/ewb-usgov.
The cyber security risks inherent in the federal government's
procurement of and reliance on IT hardware and software from various
non-pedigreed sources have been well reported. Over a decade ago, the
Defense Science Board Task Force on Globalization and Security
published a telling report on the "Vulnerability of Essential U.S. Systems Incorporating Commercial Software." In
2002, there were a number of well-publicized investigations of alleged
terrorist-funded corporations that followed in the wake of the 9/11
terrorist attacks under the auspices of Operation Green Quest. With
counterfeit computer components turning up in warplanes, ships and
communication networks, the problem has now essentially come full
circle: recent reports highlight the actual threat to Defense
Department and other government systems.
This article explores various cyber risks to the IT supply chain,
which include theft of intellectual property, logic bombs and
self-modifying code, deliberately hidden back doors and features for
unauthorized remote access, as well as risks from fake or counterfeit
The fear of non-secure or even harmful foreign software dates back
to the late 1990s, when federal agencies hired foreign contractors to
rewrite code to keep systems from malfunctioning during the year 2000
date change. A report issued by the Defense Science Board (DSB) in 2007
was the first formal acknowledgement by DOD’s top advisory board that
such security risks exist. The 2007 report highlights the seriousness
of the problem, concluding: "Malicious code, which would facilitate
system intrusion, would be all but impossible to detect through
testing, primarily because of software's extreme and ever increasing
complexity. ... Increased functionality means increased vulnerability."
The DSB was not alone in its projections. In 2006, the Association
for Computing Machinery (ACM) published "Globalization and Off-shoring
of Software" enumerating the risks to national security from
government's use of foreign software. The number one risk identified in
the ACM report was that difficulty understanding code pedigree could
allow hostile nations, terrorists, criminals and other miscreants to
subvert or sabotage software used in critical government systems.
However, the problem is not limited to risks stemming from software
developed overseas or by foreign-owned, domestically controlled companies.
It also extends to hardware and potential risks caused by counterfeit
products or foreign-developed computer chips and microprocessors.
Similar problems could be caused by home-grown terrorists and criminals.
The supply chain is complex and interwoven, with no clear line
between software and hardware pedigree from source to government
system. Risk is introduced any time that hardware and software transfer
from the country/company of origin to a federal government end-user via
a certified domestic distributor, a certified distributor in a second
country/company or via a company's Web site or online auction site.
A recent white paper produced by KPMG and the Alliance for Grey Market and Counterfeit Abatement (AGMA) reported
that one in 10 IT products currently on the market is counterfeit.
Estimates from law enforcement are even higher. The paper also reported
that this 10 percent counterfeit market is currently grossing more than
$100 billion in annual revenue. The national security implications of
these counterfeit and, in some cases, subverted products being used in
sensitive government systems are of grave concern. This was
substantiated in summer 2008, when the FBI reported that the Chinese
government or Chinese hackers -- or both -- had used undetectable
backdoors to access highly secure U.S. government and military computer
networks by means of counterfeit Cisco routers and switches installed
in nearly all government networks over 18 months.
These activities have major implications on the fundamental premise
of cyber infiltration and espionage. Why send malicious code over the
Internet if one can pre-infect software, computer parts or even
consumer devices with logic-bombs, self-modifying code, deliberately
hidden backdoors and so on? Further, why continue to follow the
traditional, arduous, time-consuming model of recruiting and training
thousands of covert operatives when you can hire a few "uber haxors"
who can command readily available botnets to infiltrate the systems of
target countries and exfiltrate the same (or even more) sensitive
information from a broader range of targets?
The extent of cyber espionage and consequent data exfiltration was highlighted in a 2006 Government Computer News report,
in which Major General William Lord, U.S. Air Force chief information
officer, stated that China had downloaded 10 to 20 terabytes of data
from DOD’s unclassified (NIPRnet) network. This same type of incident
was highlighted in a 2008 USA Today report, “Chinese Hacked Capitol Computers,” in
which Rep. Frank Wolf (R-Va.) revealed that the FBI had identified four
of his government computers that had been hacked by sources working out
of China. The Congressman expressed his concern that the problem likely
had gone further. "If it's been done in the House, don't you think that
they're doing the same thing in the Senate?" he asked.
Analyses of U.S. government contracting processes and the IT supply
pipeline expose some of the inherent risks to the supply ecosystem.
From the time a purchase order is placed with a DOD/General Services
Administration-approved and authorized vendor/reseller until the time
the product is delivered to the government's mailrooms, government
officials have little or no control over the various levels of
sub-contractors or the sub-contractors’ sub-contractors that the
DOD/GSA-approved vendor is using to fulfill these purchase orders.
Although the following case study is more germane to risks in the DOD
IT supply chain, it does an excellent job of illustrating the risks
from suppliers of unknown pedigree.
In October 2008, Business Week published a revealing article on “Dangerous Fakes.” One
of the case studies featured Mariya Hakimuddin, an uneducated working
mother, who owns “IT Enterprise,” a company she ran with her mother out
of a modest one-story house in Bakersfield, Calif. Mariya began
brokering military chips four years prior after friends told her about
the expanding trade. Since 2004, she has won DOD contracts worth a
total of $2.7 million. The military acquired microchips and other parts
from IT Enterprise for use in radar on the aircraft carrier USS Ronald
Reagan and the anti-submarine combat system of Spruance-class
destroyers. Mariya said she knew little about the parts she bought and
sold. She started her business by signing up on the Internet for a
government supplier code. After DOD approved her application, with no
inspection, she began scanning online military procurement requests.
She plugged part codes into Internet search engines and found Web sites
offering low prices. Then she ordered parts and had them shipped
directly to military depots. After the Navy found a suspicious transistor
shipped by IT Enterprise, it triggered an investigation of the company. In
January 2009, DOD suspended IT Enterprise, Mariya and her mother from
supplying the military for three years. A month after Mariya
was suspended, her husband, Mukerram, received his own supplier code,
using the same home address with a new company name, Mil Enterprise.
This time, DOD caught on more quickly, suspending Mukerram for three
years as well.
Even more insidious could be the issue of potentially hostile
foreign influence on offshore developers, resulting in malicious code
and other intentional vulnerabilities embedded in products. This is
perhaps best illustrated by the following case study of PTech, a
Boston-area software company.
In 2002, the FBI launched an investigation of PTech and its possible
ties to terrorism during Operation Green Quest, which was a Customs
investigation into Yasin al-Qadi and other suspected financiers. At the
time, PTech’s risk management software was being used by the FBI, the
Air Force, Navy and a host of other DOD and federal government
agencies. One of PTech’s central investors was Yasin al-Qadi, whom the
FBI suspected of financing terrorist groups. A CBS journalist who
was the first to report on PTech said: “The worst-case scenario is
that this is a situation where this was planned for a very long time to
establish a company in this country and in the computer software
business that would target federal agencies and gain access to key
government data to essentially help terrorists launch another attack.”
While the FBI’s investigation of PTech was inconclusive and no one
associated with PTech was ever charged, the impact of a similar
scenario would be devastating to our national security. The company
continues to do business with the government, albeit under a new name.
Approaching the solution
The gravity of IT supply chain risks is not lost on national
security strategists. In January 2008, the White House issued Homeland
Security Presidential Directive 23, calling for a national priority and
plan of action to combat the growing threats in cyberspace. The directive
considers the full spectrum of threat vectors -- network, supply chain,
vendor, mission and bridge networks -- to address both internal and
external threats. In brief, HSPD-23 established the Comprehensive
National Cybersecurity Initiative (CNCI), which comprises 12
initiatives; the 11th, “Develop Multi-Pronged Approach for Global Supply
Chain Risk Management,” is specifically geared toward tackling risks in
the IT supply chain. This is perhaps the most challenging of the
initiatives.
The National Institute of Standards and Technology (NIST) is charged with developing guidance for CNCI Initiative 11 and has outlined the following sub-program areas to address as the basis of its multi-pronged approach for this Initiative:
- Criteria for identifying federal government systems and networks requiring enhanced efforts to ensure supply chain risk management.
- An approach for enhancing federal government technical expertise, guidance and standards to manage supply chain risk.
- Lifecycle processes and standards.
- A strategy to enhance federal government acquisition policy to address supply-chain risk, based on a legal and policy evaluation of the potential application of intelligence community processes for supply chain risk management to non-IC departments/agencies, including the use of vendor threat information in acquisition.
- Acquisition policy and legal analysis.
- A process for sharing vendor threat analyses across the federal government.
While the CNCI Initiative’s plan for tackling risks in the IT
supply chain is still unknown, the work that has already been
accomplished by other groups is encouraging. The Customs-Trade Partnership Against Terrorism
(C-TPAT), launched in November 2001 with just seven major corporate
importers, has grown to become one of the largest and most successful
public-private sector partnerships to emerge from the ashes of 9/11.
It is one of several U.S. Customs and Border Protection (CBP)
initiatives implemented after 9/11 to achieve CBP’s twin goals:
security and facilitation. C-TPAT’s main vision is to safeguard the
trade industry from terrorists and to provide benefits and incentives
to private sector companies that meet or exceed C-TPAT supply chain
security criteria and best practices. The C-TPAT recommends that
industry partners develop minimum security practices (especially
applicable to point of origin and point of staffing), ensuring that
contracts and requests for proposals include specific security language
that stipulates that prior to conducting any business, suppliers must
comply with specific security standards, policies and procedures. This
includes accountability by federal agencies to focus on foreign
manufacturers and a more rigorous clearance process. Many C-TPAT
companies are now contractually requiring businesses to improve
security in order to meet C-TPAT guidelines. Examples of how C-TPAT
companies leverage foreign suppliers to tighten security in the supply
- Conducting regular audits of their vendors to ensure compliance with C-TPAT security guidelines.
- Conditioning contractual business relationships with their service providers and vendors based on C-TPAT participation and/or adherence to
- Leveraging the existing internal inspection team.
- Obtaining cargo security training for quality assurance personnel or non-security related auditors who visit foreign vendors and factories on a regular basis.
- Partnering with individual customs administrators to improve the coordination of mutual anti-terrorism efforts.
The work of the public–private sector partnership of the Software Assurance Forum for Excellence in Code
(SAFECode) is also noteworthy. SAFECode was founded by EMC, Juniper
Networks, Microsoft, SAP and Symantec as a non-profit organization
dedicated to increasing trust in information and communications
technology products and services through the advancement of proven
software assurance methods. SAFECode works to identify and promote best
practices for developing and delivering more secure and reliable
software, hardware and services.
Our national reliance on IT hardware and software from various
non-pedigreed sources is a foundation for major cybersecurity risks
having national security implications. The incident reports cited in
this article further highlight potential risks ranging from logic bombs,
self-modifying code and deliberately hidden back doors to potentially
fatal equipment failure and even foreign espionage. Although the U.S.
government has only scratched the surface in developing an approach to
the solution, federal chief information security officers can take some
comfort in the fact that one of the many CNCI initiatives is intended
to meet this challenge head-on. As NIST advises, organizations must add
“defense-in-breadth” to their strategy mix: while defense-in-depth
focuses on the operations phase of the systems development lifecycle,
defense-in-breadth covers the entire lifecycle.