Vulnerabilities / Threats
3/3/2014
11:25 AM
50%
50%

Supply-Chain Threats Still An Uncertain Danger

With a global manufacturing economy muddying the definition of a foreign product, nations are still hashing out strategies to secure their supply chains

Governments need to take a more active approach in helping companies secure their IT supply chains -- an expensive proposition that holds little economic incentive for most businesses, a panel at the RSA Conference said in San Francisco last week.

RSA Conference 2014
Click here for more articles about the RSA Conference.

While supply-chain risks have historically seemed theoretical, the leaked documents by former National Security Agency contractor Edward Snowden illustrated the broad capabilities of a skilled national intelligence agency's ability to compromise hardware and devices. The NSA's intelligence toolbox includes firmware backdoors that can be remotely installed on Huawei and Juniper routers, but many other so-called "implants" require the hardware to be intercepted during shipment and compromised, according to a December 2013 article in Der Spiegel.

Securing against national intelligence agencies and other actors is difficult, but each company needs to start with an analysis of its risk, James Barnett, partner, co-chair of the telecom and cybersecurity practice at Venable LLP Attorneys at Large, told attendees.

"The main thing with risk management is making sure that you understand this risk," he said.

In 2008, the Bush administration began a Comprehensive National Cybersecurity Initiative (CNCI), which aimed to give agencies a framework to better secure their systems. As one of the dozen initiatives, the CNCI called for federal agencies to secure their supply chains by developing tools, policies, and partnerships with industry to manage the risk.

Yet dealing with the security of products is difficult when it is no longer clear what could be considered a foreign product, said Curtis Duke, deputy director of the Information Assurance Directorate at the U.S. National Security Agency. The IAD is the defensive side of the NSA, with a mission to secure the nation's communications infrastructure.

"In today's global economy, most products are globally sourced. They may be manufactured in the U.S., but the actual components are made offshore," Duke told attendees. "Unfortunately, companies around the world may operate under different rules and uneven oversight, and the practical reality is that raises concerns on the quality, safety, and security of the products."

[Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. See Supply Chain Uncertainties Complicate Security.]

Locking down a development environment is a large expense, but a necessary one to deal with a national government, Nigel Jones, chief financial officer of mobile-security firm Koolspan, told attendees. The company has created a secure development facility and engineered its systems with an airgap to make it extremely difficult for attackers to penetrate.

"It is not possible, to our knowledge, to extract our intellectual property in any usable form," he said. "It is an ongoing process, which we have to do every day, and we have to keep at it."

Such measures have a significant cost attached to them, Jones said. While such measures are there to assure the U.S. government that the products are secure, convincing other nations that the products do not have U.S. implants is a significant battle as well.

"We have to spend a lot of time assuring some of our non-U.S. customers that their data and communications systems are sufficiently safe against U.S. surveillance," Jones said. "It is the inverse of the supply-chain issue."

While classified government agencies will need to carve out strict standards for suppliers and their products, the commercial sector can use technical standards and certifications to help maintain a secure supply chain, said Roar Thorn, a senior adviser to the Norwegian National Security Authority. Norway and other countries in the European Union have created a common set of standards so that a supplier certified by one country is considered to be vetted by the others, he said.

"We have partnered up with a lot of NATO countries and gained trust over time," he said. "It would be hard to sell any kind of products if we had 350 different standards and rules that different companies had to follow in the product itself."

The Open Group has established the Open Trusted Technology Provider Standard (O-TTPS), for example, so that companies can demonstrate their adherence to best practices.

While the actual threat remains unclear, nations should not seek to block technology because that does not solve the problem, Venable's Barnett said.

"There is a role for government in dealing with this issue, but we need to make sure that we don't clamp down on trade," he said. "There should be a national investment in finding a solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
3/4/2014 | 1:52:58 PM
re: Supply-Chain Threats Still An Uncertain Danger
be proud of your work and sign for it
check out the UEFI initiative: kernel software components have to be signed with a valid digital signature or the boot loader rejects them. this is a good practice we should all adopt. it's part of a ZERO DEFECTS process. which needs to be combined with Product Liability.
it's a 'sea change'; a different approach to software.
that is badly needed
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.