Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/3/2014
11:25 AM
50%
50%

Supply-Chain Threats Still An Uncertain Danger

With a global manufacturing economy muddying the definition of a foreign product, nations are still hashing out strategies to secure their supply chains

Governments need to take a more active approach in helping companies secure their IT supply chains -- an expensive proposition that holds little economic incentive for most businesses, a panel at the RSA Conference said in San Francisco last week.

RSA Conference 2014
Click here for more articles about the RSA Conference.

While supply-chain risks have historically seemed theoretical, the leaked documents by former National Security Agency contractor Edward Snowden illustrated the broad capabilities of a skilled national intelligence agency's ability to compromise hardware and devices. The NSA's intelligence toolbox includes firmware backdoors that can be remotely installed on Huawei and Juniper routers, but many other so-called "implants" require the hardware to be intercepted during shipment and compromised, according to a December 2013 article in Der Spiegel.

Securing against national intelligence agencies and other actors is difficult, but each company needs to start with an analysis of its risk, James Barnett, partner, co-chair of the telecom and cybersecurity practice at Venable LLP Attorneys at Large, told attendees.

"The main thing with risk management is making sure that you understand this risk," he said.

In 2008, the Bush administration began a Comprehensive National Cybersecurity Initiative (CNCI), which aimed to give agencies a framework to better secure their systems. As one of the dozen initiatives, the CNCI called for federal agencies to secure their supply chains by developing tools, policies, and partnerships with industry to manage the risk.

Yet dealing with the security of products is difficult when it is no longer clear what could be considered a foreign product, said Curtis Duke, deputy director of the Information Assurance Directorate at the U.S. National Security Agency. The IAD is the defensive side of the NSA, with a mission to secure the nation's communications infrastructure.

"In today's global economy, most products are globally sourced. They may be manufactured in the U.S., but the actual components are made offshore," Duke told attendees. "Unfortunately, companies around the world may operate under different rules and uneven oversight, and the practical reality is that raises concerns on the quality, safety, and security of the products."

[Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. See Supply Chain Uncertainties Complicate Security.]

Locking down a development environment is a large expense, but a necessary one to deal with a national government, Nigel Jones, chief financial officer of mobile-security firm Koolspan, told attendees. The company has created a secure development facility and engineered its systems with an airgap to make it extremely difficult for attackers to penetrate.

"It is not possible, to our knowledge, to extract our intellectual property in any usable form," he said. "It is an ongoing process, which we have to do every day, and we have to keep at it."

Such measures have a significant cost attached to them, Jones said. While such measures are there to assure the U.S. government that the products are secure, convincing other nations that the products do not have U.S. implants is a significant battle as well.

"We have to spend a lot of time assuring some of our non-U.S. customers that their data and communications systems are sufficiently safe against U.S. surveillance," Jones said. "It is the inverse of the supply-chain issue."

While classified government agencies will need to carve out strict standards for suppliers and their products, the commercial sector can use technical standards and certifications to help maintain a secure supply chain, said Roar Thorn, a senior adviser to the Norwegian National Security Authority. Norway and other countries in the European Union have created a common set of standards so that a supplier certified by one country is considered to be vetted by the others, he said.

"We have partnered up with a lot of NATO countries and gained trust over time," he said. "It would be hard to sell any kind of products if we had 350 different standards and rules that different companies had to follow in the product itself."

The Open Group has established the Open Trusted Technology Provider Standard (O-TTPS), for example, so that companies can demonstrate their adherence to best practices.

While the actual threat remains unclear, nations should not seek to block technology because that does not solve the problem, Venable's Barnett said.

"There is a role for government in dealing with this issue, but we need to make sure that we don't clamp down on trade," he said. "There should be a national investment in finding a solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
3/4/2014 | 1:52:58 PM
re: Supply-Chain Threats Still An Uncertain Danger
be proud of your work and sign for it
check out the UEFI initiative: kernel software components have to be signed with a valid digital signature or the boot loader rejects them. this is a good practice we should all adopt. it's part of a ZERO DEFECTS process. which needs to be combined with Product Liability.
it's a 'sea change'; a different approach to software.
that is badly needed
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.