Vulnerabilities / Threats
3/3/2014
11:25 AM
Connect Directly
RSS
E-Mail
50%
50%

Supply-Chain Threats Still An Uncertain Danger

With a global manufacturing economy muddying the definition of a foreign product, nations are still hashing out strategies to secure their supply chains

Governments need to take a more active approach in helping companies secure their IT supply chains -- an expensive proposition that holds little economic incentive for most businesses, a panel at the RSA Conference said in San Francisco last week.

RSA Conference 2014
Click here for more articles about the RSA Conference.

While supply-chain risks have historically seemed theoretical, the leaked documents by former National Security Agency contractor Edward Snowden illustrated the broad capabilities of a skilled national intelligence agency's ability to compromise hardware and devices. The NSA's intelligence toolbox includes firmware backdoors that can be remotely installed on Huawei and Juniper routers, but many other so-called "implants" require the hardware to be intercepted during shipment and compromised, according to a December 2013 article in Der Spiegel.

Securing against national intelligence agencies and other actors is difficult, but each company needs to start with an analysis of its risk, James Barnett, partner, co-chair of the telecom and cybersecurity practice at Venable LLP Attorneys at Large, told attendees.

"The main thing with risk management is making sure that you understand this risk," he said.

In 2008, the Bush administration began a Comprehensive National Cybersecurity Initiative (CNCI), which aimed to give agencies a framework to better secure their systems. As one of the dozen initiatives, the CNCI called for federal agencies to secure their supply chains by developing tools, policies, and partnerships with industry to manage the risk.

Yet dealing with the security of products is difficult when it is no longer clear what could be considered a foreign product, said Curtis Duke, deputy director of the Information Assurance Directorate at the U.S. National Security Agency. The IAD is the defensive side of the NSA, with a mission to secure the nation's communications infrastructure.

"In today's global economy, most products are globally sourced. They may be manufactured in the U.S., but the actual components are made offshore," Duke told attendees. "Unfortunately, companies around the world may operate under different rules and uneven oversight, and the practical reality is that raises concerns on the quality, safety, and security of the products."

[Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. See Supply Chain Uncertainties Complicate Security.]

Locking down a development environment is a large expense, but a necessary one to deal with a national government, Nigel Jones, chief financial officer of mobile-security firm Koolspan, told attendees. The company has created a secure development facility and engineered its systems with an airgap to make it extremely difficult for attackers to penetrate.

"It is not possible, to our knowledge, to extract our intellectual property in any usable form," he said. "It is an ongoing process, which we have to do every day, and we have to keep at it."

Such measures have a significant cost attached to them, Jones said. While such measures are there to assure the U.S. government that the products are secure, convincing other nations that the products do not have U.S. implants is a significant battle as well.

"We have to spend a lot of time assuring some of our non-U.S. customers that their data and communications systems are sufficiently safe against U.S. surveillance," Jones said. "It is the inverse of the supply-chain issue."

While classified government agencies will need to carve out strict standards for suppliers and their products, the commercial sector can use technical standards and certifications to help maintain a secure supply chain, said Roar Thorn, a senior adviser to the Norwegian National Security Authority. Norway and other countries in the European Union have created a common set of standards so that a supplier certified by one country is considered to be vetted by the others, he said.

"We have partnered up with a lot of NATO countries and gained trust over time," he said. "It would be hard to sell any kind of products if we had 350 different standards and rules that different companies had to follow in the product itself."

The Open Group has established the Open Trusted Technology Provider Standard (O-TTPS), for example, so that companies can demonstrate their adherence to best practices.

While the actual threat remains unclear, nations should not seek to block technology because that does not solve the problem, Venable's Barnett said.

"There is a role for government in dealing with this issue, but we need to make sure that we don't clamp down on trade," he said. "There should be a national investment in finding a solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
3/4/2014 | 1:52:58 PM
re: Supply-Chain Threats Still An Uncertain Danger
be proud of your work and sign for it
check out the UEFI initiative: kernel software components have to be signed with a valid digital signature or the boot loader rejects them. this is a good practice we should all adopt. it's part of a ZERO DEFECTS process. which needs to be combined with Product Liability.
it's a 'sea change'; a different approach to software.
that is badly needed
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.