Fake tech: What can agencies do to protect themselves?
- By John Breeden II
- Nov 13, 2012
It’s a safe bet that one factor that makes the United States so powerful in the world at every level is its technology. It was true when the nation was growing, and it’s still true today. It’s not only the raw tech that matters, but what it’s used for.
NASA’s Iron Man initiative, for example, is helping injured people to walk again. The Energy Department’s Titan supercomputer will help to model and unravel the secrets of the universe. And of course the nation’s military technology is the envy of the world, increasing the effectiveness of individual soldiers while reducing the risk to troops with every new innovation.
But it’s also true that reliance on technology also creates risk. Henry David Thoreau was not far off when he said that men had become the tools of their tools. When a device fails to work property, it can really ruin our day. When a whole swath of devices fail at the same time, depending on the situation, it can be a bad day for a lot of people. Let’s be frank: it can be doomsday.
One reason this technology dependence is a potential problem is that, as CNN Money reports, fake technology gear is infiltrating the federal government at an alarming rate. When people think about counterfeit goods, they probably envision a guy selling fake Rolex watches or knockoff handbags. But the U.S. Customs and Border Protection agency is seizing more and more counterfeit and compromised electronics, some of which is bound for important government programs. These are non-functional processors and memory chips that are slated to be installed inside some of the country’s most critical systems. Some of the fakes are even making it into our gear.
Last year, GCN reported that fake parts were being found inside government technology, including more than 800 non-functional memory chips that had been installed inside various missile defense systems. From fighter jets to laptops to communications gear, the problem of counterfeit technology is a huge one because, unlike a knockoff handbag, the fake tech won’t function when it’s needed most.
There is also the possibility that the people behind the fake gear could be after more than just a quick buck. The Justice Department several years ago confiscated more than 400 counterfeit Cisco routers before they could be installed in government offices. That gear could have been programmed to open up backdoors for offshore hackers to monitor U.S. communications. It seems like the plot of a James Bond movie, but in this case, it almost became real.
Both fake gear and devices that have been deliberately programmed with nefarious intent are a serious threat to a nation that relies so heavily on emerging technology to give it an edge. NASA is taking the lead with the creation of a ratings system that scores suppliers based on trustworthiness, so its buyers can pick the most reliable source. Even then, every part NASA buys is inspected.
Agencies could also require that technology be rated with an Evaluation Assurance Level of at least 2. Anything that is certified to EAL 2 has to have each component checked and certified prior to assembly. Investigations have found that, in some cases, products are “clean” when they leave a manufacturer but can be compromised somewhere along the supply chain.
One product, the ServSwitch Secure KVM from Black Box, goes a step further than that, to EAL 4. At that level, the entire supply chain is controlled, to the point that assembled switches are kept in cages until they are ready to be shipped. Devices can only be removed from their cage by select people, and any device that comes out of the secure area for anything other than shipping to a client can’t ever go back in.
EAL 4 is a lot to ask of a company, but if it is supplying gear to the government, it might be time agencies begin to insist on it. Those looking to make a quick buck with counterfeit gear won’t stop if there is still money to be made, and hackers won’t quit either. Agencies that protect their technology from both groups would likely be taking a good step toward protecting their missions.
John Breeden II is a freelance technology writer for GCN.