The four departments with national security responsibilities haven't identified the threats or developed mitigation policies and procedures, a report states.
Weaknesses in the global technology supply chain present a direct threat to government networks, and agencies haven’t done enough to protect against counterfeit and compromised products, a Government Accountability Office report states.
GAO’s study found that the government relies heavily on commercial IT products produced around the world, which exposes its networks to malware, viruses and other cyberattack methods introduced through commercial devices that have been tampered with.
The ability of foreign actors, from counterfeiters to national intelligence agencies, to interfere with the international supply chain and the security of the networks and systems that such products would interact with has kept analysts awake at night for years. To get a better handle on these threats, the government commissioned the GAO to identify the main risks associated with the IT supply chain.
GAO examined the extent to which agencies rely on foreign-produced equipment in their networks and what agencies responsible for national security have done to address the issues.
According to the report, four agencies with national security responsibilities have acknowledged the supply chain risk: the Defense, Energy, Justice and Homeland Security departments. But two of them, Energy and DHS, have not yet defined methods to protect their supply chains or to monitor or verify any related compliance efforts.
Justice has identified supply chain protection measures, but it has not come up with procedures for implementing or complying with them.
“Until comprehensive policies, procedures, and monitoring capabilities are developed, documented and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective or inefficient to manage emergent information technology supply chain risks,” the report states.
Of the four departments, DOD has done the most to protect its supply chain through an incremental approach that has defined the steps necessary to implement and monitor these security measures, the report states. But the document also notes that officials in all four departments have not determined how much foreign-made equipment, software and services their networks contain.
“Federal agencies are not required to track this information, and officials from four components of the U.S. national security community believe that doing so would provide minimal security value relative to cost,” the report states.
The GAO report identified five threats to the IT supply chain:
- Installation of malicious code on hardware or in software.
- Use of counterfeit hardware or software.
- Failure or disruption in the production or distribution of a critical product or service.
- Reliance on malicious or unqualified service providers for technical services.
- Installation of unintentional vulnerabilities on hardware or software.
The report recommended that the four departments take the necessary steps to develop and document policies, procedures and monitoring capabilities to address the IT supply chain risk.