CISO PERSPECTIVES by ISC(2) — Commentary

Trust but verify: Security risks abound in the IT supply chain

With one in 10 information technology products on the market considered counterfeit, and software products developed across the globe at risk of subversion, it is hard to overstate the national security concerns regarding the use of IT products delivered through the global supply chain.


Editor’s Note: This article was prepared collaboratively by members of the International Information Systems Security Certification Consortium's Government Advisory Board Executive Writers Bureau. The bureau includes federal IT security experts from government and industry. A full list of bureau members is available at www.isc2.org/ewb-usgov.


The cyber security risks inherent in the federal government's procurement of and reliance on IT hardware and software from various non-pedigreed sources have been well reported. Over a decade ago, the Defense Science Board Task Force on Globalization and Security published a telling report on the "Vulnerability of Essential U.S. Systems Incorporating Commercial Software." In 2002, in the wake of the 9/11 terrorist attacks, a number of well-publicized investigations of alleged terrorist-funded corporations were conducted under the auspices of Operation Green Quest. The problem has now essentially come full circle: recent reports of counterfeit computer components used in warplanes, ships and communication networks highlight the actual threat to Defense Department and other government systems.

This article explores various cyber risks to the IT supply chain, which include theft of intellectual property, logic bombs and self-modifying code, deliberately hidden back doors and features for unauthorized remote access, as well as risks from fake or counterfeit products.

The fear of non-secure or even harmful foreign software dates back to the late 1990s, when federal agencies hired foreign contractors to rewrite code to keep systems from malfunctioning during the year 2000 date change. A report issued by the Defense Science Board (DSB) in 2007 was the first formal acknowledgement by DOD’s top advisory board that such security risks exist. The 2007 report highlights the seriousness of the problem, concluding: "Malicious code, which would facilitate system intrusion, would be all but impossible to detect through testing, primarily because of software's extreme and ever increasing complexity. ... Increased functionality means increased vulnerability."

The DSB was not alone in its projections. In 2006, the Association for Computing Machinery (ACM) published "Globalization and Off-shoring of Software," enumerating the risks to national security from the government's use of foreign software. The number one risk identified in the ACM report was that difficulty understanding code pedigree could allow hostile nations, terrorists, criminals and other miscreants to subvert or sabotage software used in critical government systems.

However, the problem is not limited to risks stemming from software developed overseas or by foreign-owned, domestically controlled companies. It also extends to hardware and to potential risks caused by counterfeit products or foreign-developed computer chips and microprocessors. Similar problems could be caused by home-grown terrorists and criminals.

The supply chain is complex and interwoven, with no clear line between software and hardware pedigree from source to government system. Risk is introduced any time that hardware and software transfer from the country/company of origin to a federal government end-user via a certified domestic distributor, a certified distributor in a second country/company or via a company's Web site or online auction site.

A recent white paper produced by KPMG and the Alliance for Grey Market and Counterfeit Abatement (AGMA) reported that one in 10 IT products currently on the market is counterfeit. Estimates from law enforcement are even higher. The paper also reported that this 10 percent counterfeit market is currently grossing more than $100 billion in annual revenue. The national security implications of these counterfeit and, in some cases, subverted products being used in sensitive government systems are of grave concern. This was substantiated in summer 2008, when the FBI reported that the Chinese government or Chinese hackers -- or both -- had used undetectable backdoors to access highly secure U.S. government and military computer networks by means of counterfeit Cisco routers and switches installed in nearly all government networks over 18 months.

These activities have major implications for the fundamental premise of cyber infiltration and espionage. Why send malicious code over the Internet if one can pre-infect software, computer parts or even consumer devices with logic bombs, self-modifying code, deliberately hidden backdoors and so on? Further, why continue to follow the traditional, arduous, time-consuming model of recruiting and training thousands of covert operatives when you can hire a few "uber haxors" who can command readily available botnets to infiltrate the systems of target countries and exfiltrate the same (or even more) sensitive information from a broader range of targets?

The extent of cyber espionage and the consequent data exfiltration was highlighted in a 2006 Government Computer News report, in which Major General William Lord, U.S. Air Force chief information officer, stated that China had downloaded 10 to 20 terabytes of data from DOD’s unclassified (NIPRnet) network. The same type of incident was highlighted in a 2008 USA Today report, “Chinese Hacked Capitol Computers,” in which Rep. Frank Wolf (R-Va.) revealed that the FBI had identified four of his government computers that had been hacked by sources working out of China. The Congressman expressed his concern that the problem likely had gone further. "If it's been done in the House, don't you think that they're doing the same thing in the Senate?" he asked.

Analyses of U.S. government contracting processes and the IT supply pipeline expose some of the inherent risks to the supply ecosystem. From the time a purchase order is placed with a DOD/General Services Administration-approved and authorized vendor/reseller until the time the product is delivered to the government's mailrooms, government officials have little or no control over the various levels of sub-contractors, or the sub-contractors’ sub-contractors, that the DOD/GSA-approved vendor is using to fulfill these purchase orders. Although the following case study is more germane to risks in the DOD IT supply chain, it does an excellent job of illustrating the risks from suppliers of unknown pedigree.

In October 2008, Business Week published a revealing article on “Dangerous Fakes.” One of the case studies featured Mariya Hakimuddin, an uneducated working mother, who owns “IT Enterprise,” a company she ran with her mother out of a modest one-story house in Bakersfield, Calif. Mariya began brokering military chips four years prior, after friends told her about the expanding trade. Since 2004, she has won DOD contracts worth a total of $2.7 million. The military acquired microchips and other parts from IT Enterprise for use in radar on the aircraft carrier USS Ronald Reagan and the anti-submarine combat system of Spruance-class destroyers. Mariya said she knew little about the parts she bought and sold. She started her business by signing up on the Internet for a government supplier code. After DOD approved her application, with no inspection, she began scanning online military procurement requests. She plugged part codes into Internet search engines and found Web sites offering low prices. Then she ordered parts and had them shipped directly to military depots. After finding a suspicious transistor shipped by IT Enterprise, the Navy triggered an investigation of the company. In January 2009, DOD suspended IT Enterprise, Mariya and her mother from supplying the military for three years. A month after Mariya was suspended, her husband, Mukerram, received his own supplier code, using the same home address with a new company name, Mil Enterprise. This time, DOD caught on more quickly, suspending Mukerram for three years as well.

Even more insidious could be the issue of potentially hostile foreign influence on offshore developers, resulting in malicious code and other intentional vulnerabilities embedded in products. This is perhaps best illustrated in the following case study of PTech, a Boston-area software company.

In 2002, the FBI launched an investigation of PTech and its possible ties to terrorism during Operation Green Quest, which was a Customs investigation into Yasin al-Qadi and other suspected financiers. At the time, PTech’s risk management software was being used by the FBI, the Air Force, the Navy and a host of other DOD and federal government agencies. One of PTech’s central investors was Yasin al-Qadi, whom the FBI suspected of financing terrorist groups. A CBS journalist, who was the first to report on PTech, said: “The worst-case scenario is that this is a situation where this was planned for a very long time to establish a company in this country and in the computer software business that would target federal agencies and gain access to key government data to essentially help terrorists launch another attack.” While the FBI’s investigation of PTech was inconclusive and no one associated with PTech was ever charged, the impact of a similar scenario would be devastating to our national security. The company continues to do business with the government, albeit under a new name.

Approaching the solution

The gravity of IT supply chain risks is not lost on national security strategists. In January 2008, to combat the growing cyberspace threats, the White House issued Homeland Security Presidential Directive 23, calling for a national priority and plan for action to combat cyberspace threats. The directive considers the full spectrum of threat vectors -- network, supply chain, vendor, mission and bridge networks -- to address both internal and external threats. In brief, HSPD-23 has 12 initiatives, of which the 11th, “Develop Multi-Pronged Approach for Global Supply Chain Risk Management,” is specifically geared toward tackling risks in the IT supply chain. This is perhaps the most challenging of the initiatives.

The National Institute of Standards and Technology (NIST) is charged with developing guidance for Initiative 11 of the Comprehensive National Cybersecurity Initiative (CNCI) established under HSPD-23, and has outlined the following sub-program areas as the basis of its multi-pronged approach for this Initiative:

  • Criteria for identifying federal government systems and networks requiring enhanced efforts to ensure supply chain risk management.
  • An approach for enhancing federal government technical expertise, guidance and standards to manage supply chain risk.
  • Lifecycle processes and standards.
  • A strategy to enhance federal government acquisition policy to address supply-chain risk based on a legal and policy evaluation of the potential application of intelligence community processes for supply chain risk management to non-IC departments/agencies, including the use of vendor threat information in acquisition.
  • Acquisition policy and legal analysis.
  • A process for sharing vendor threat analyses across the federal government.

While the CNCI Initiative’s plan for tackling risks in the IT supply chain is still unknown, the work that has already been accomplished by other groups is encouraging. The Customs-Trade Partnership Against Terrorism (C-TPAT), launched in November 2001 with just seven major corporate importers, has grown to become one of the largest and most successful public-private sector partnerships to emerge from the ashes of 9/11.

It is one of several U.S. Customs and Border Protection (CBP) initiatives implemented after 9/11 to achieve CBP’s twin goals: security and facilitation. C-TPAT’s main vision is to safeguard the trade industry from terrorists and to provide benefits and incentives to private sector companies that meet or exceed C-TPAT supply chain security criteria and best practices. C-TPAT recommends that industry partners develop minimum security practices (especially applicable to the point of origin and the point of stuffing), ensuring that contracts and requests for proposals include specific security language stipulating that, prior to conducting any business, suppliers must comply with specific security standards, policies and procedures. This includes accountability by federal agencies to focus on foreign manufacturers and a more rigorous clearance process. Many C-TPAT companies are now contractually requiring businesses to improve security in order to meet C-TPAT guidelines. Examples of how C-TPAT companies work with foreign suppliers to tighten security in the supply chain include:

  • Conducting regular audits of their vendors to ensure compliance with C-TPAT security guidelines.
  • Conditioning contractual business relationships with their service providers and vendors based on C-TPAT participation and/or adherence to security guidelines.
  • Leveraging the existing internal inspection team.
  • Obtaining cargo security training for quality assurance personnel or non-security related auditors who visit foreign vendors and factories on a regular basis.
  • Partnering with individual customs administrators to improve the coordination of mutual anti-terrorism efforts.

The work of the public–private sector partnership of the Software Assurance Forum for Excellence in Code (SAFECode) is also noteworthy. SAFECode was founded by EMC, Juniper Networks, Microsoft, SAP and Symantec as a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks with national security implications. The incident reports cited in this article further highlight potential risks ranging from logic bombs, self-modifying code and deliberately hidden back doors to potentially fatal equipment failure and even foreign espionage. Although the U.S. government has only scratched the surface in developing an approach to the solution, federal chief information security officers can take some comfort in the fact that one of the many CNCI initiatives is intended to meet this challenge head-on. As NIST advises, organizations must add “defense-in-breadth” to their strategy mix. While defense-in-depth focuses on the operations phase of the systems development lifecycle, defense-in-breadth covers the entire lifecycle.


Reader Comments

Tue, Jul 21, 2009 Bob Karl Houston

Today, vulnerabilities in information systems can threaten thousands, if not millions of people’s physical or financial safety and security.
There is not enough terrorism liability insurance available to assure any organization’s financial survival following a serious event. However, groundbreaking liability protections are available under a little-known and often-misunderstood federal statute called the Support Anti-terrorism by Fostering Effective Technologies Act of 2002, or the “SAFETY Act.”
The SAFETY Act automatically grants immunities, liability caps, affirmative defenses and other incentives for using or providing approved anti-terrorism products, technologies, facilities, software, procedures and/or services, including those used in cyber or network protection. The very nature of IT security makes the users, developers, providers or consultants ideal candidates for the sweeping liability protections and benefits provided under the SAFETY Act. In addition, entities that provide approved anti-terrorism / e-terrorism goods or services to others enjoy a significant marketing advantage and higher demand for their products, technologies or services over competitors’ offerings that are not SAFETY Act protected.
