Vulnerabilities / Threats
3/3/2014
11:25 AM
Connect Directly
RSS
E-Mail
50%
50%

Supply-Chain Threats Still An Uncertain Danger

With a global manufacturing economy muddying the definition of a foreign product, nations are still hashing out strategies to secure their supply chains

Governments need to take a more active approach in helping companies secure their IT supply chains -- an expensive proposition that holds little economic incentive for most businesses, a panel at the RSA Conference said in San Francisco last week.

RSA Conference 2014
Click here for more articles about the RSA Conference.

While supply-chain risks have historically seemed theoretical, the leaked documents by former National Security Agency contractor Edward Snowden illustrated the broad capabilities of a skilled national intelligence agency's ability to compromise hardware and devices. The NSA's intelligence toolbox includes firmware backdoors that can be remotely installed on Huawei and Juniper routers, but many other so-called "implants" require the hardware to be intercepted during shipment and compromised, according to a December 2013 article in Der Spiegel.

Securing against national intelligence agencies and other actors is difficult, but each company needs to start with an analysis of its risk, James Barnett, partner, co-chair of the telecom and cybersecurity practice at Venable LLP Attorneys at Large, told attendees.

"The main thing with risk management is making sure that you understand this risk," he said.

In 2008, the Bush administration began a Comprehensive National Cybersecurity Initiative (CNCI), which aimed to give agencies a framework to better secure their systems. As one of the dozen initiatives, the CNCI called for federal agencies to secure their supply chains by developing tools, policies, and partnerships with industry to manage the risk.

Yet dealing with the security of products is difficult when it is no longer clear what could be considered a foreign product, said Curtis Duke, deputy director of the Information Assurance Directorate at the U.S. National Security Agency. The IAD is the defensive side of the NSA, with a mission to secure the nation's communications infrastructure.

"In today's global economy, most products are globally sourced. They may be manufactured in the U.S., but the actual components are made offshore," Duke told attendees. "Unfortunately, companies around the world may operate under different rules and uneven oversight, and the practical reality is that raises concerns on the quality, safety, and security of the products."

[Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. See Supply Chain Uncertainties Complicate Security.]

Locking down a development environment is a large expense, but a necessary one to deal with a national government, Nigel Jones, chief financial officer of mobile-security firm Koolspan, told attendees. The company has created a secure development facility and engineered its systems with an airgap to make it extremely difficult for attackers to penetrate.

"It is not possible, to our knowledge, to extract our intellectual property in any usable form," he said. "It is an ongoing process, which we have to do every day, and we have to keep at it."

Such measures have a significant cost attached to them, Jones said. While such measures are there to assure the U.S. government that the products are secure, convincing other nations that the products do not have U.S. implants is a significant battle as well.

"We have to spend a lot of time assuring some of our non-U.S. customers that their data and communications systems are sufficiently safe against U.S. surveillance," Jones said. "It is the inverse of the supply-chain issue."

While classified government agencies will need to carve out strict standards for suppliers and their products, the commercial sector can use technical standards and certifications to help maintain a secure supply chain, said Roar Thorn, a senior adviser to the Norwegian National Security Authority. Norway and other countries in the European Union have created a common set of standards so that a supplier certified by one country is considered to be vetted by the others, he said.

"We have partnered up with a lot of NATO countries and gained trust over time," he said. "It would be hard to sell any kind of products if we had 350 different standards and rules that different companies had to follow in the product itself."

The Open Group has established the Open Trusted Technology Provider Standard (O-TTPS), for example, so that companies can demonstrate their adherence to best practices.

While the actual threat remains unclear, nations should not seek to block technology because that does not solve the problem, Venable's Barnett said.

"There is a role for government in dealing with this issue, but we need to make sure that we don't clamp down on trade," he said. "There should be a national investment in finding a solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
3/4/2014 | 1:52:58 PM
re: Supply-Chain Threats Still An Uncertain Danger
be proud of your work and sign for it
check out the UEFI initiative: kernel software components have to be signed with a valid digital signature or the boot loader rejects them. this is a good practice we should all adopt. it's part of a ZERO DEFECTS process. which needs to be combined with Product Liability.
it's a 'sea change'; a different approach to software.
that is badly needed
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.