
3/3/2014
11:25 AM

Supply-Chain Threats Still An Uncertain Danger

With a global manufacturing economy muddying the definition of a foreign product, nations are still hashing out strategies to secure their supply chains

Governments need to take a more active approach in helping companies secure their IT supply chains -- an expensive proposition that holds little economic incentive for most businesses, a panel at the RSA Conference said in San Francisco last week.


While supply-chain risks have historically seemed theoretical, the documents leaked by former National Security Agency contractor Edward Snowden illustrated how broadly a skilled national intelligence agency can compromise hardware and devices. The NSA's intelligence toolbox includes firmware backdoors that can be remotely installed on Huawei and Juniper routers, but many other so-called "implants" require the hardware to be intercepted during shipment and compromised, according to a December 2013 article in Der Spiegel.

Securing against national intelligence agencies and other actors is difficult, but each company needs to start with an analysis of its risk, James Barnett, partner, co-chair of the telecom and cybersecurity practice at Venable LLP Attorneys at Large, told attendees.

"The main thing with risk management is making sure that you understand this risk," he said.

In 2008, the Bush administration began a Comprehensive National Cybersecurity Initiative (CNCI), which aimed to give agencies a framework to better secure their systems. As one of the dozen initiatives, the CNCI called for federal agencies to secure their supply chains by developing tools, policies, and partnerships with industry to manage the risk.

Yet dealing with the security of products is difficult when it is no longer clear what could be considered a foreign product, said Curtis Duke, deputy director of the Information Assurance Directorate at the U.S. National Security Agency. The IAD is the defensive side of the NSA, with a mission to secure the nation's communications infrastructure.

"In today's global economy, most products are globally sourced. They may be manufactured in the U.S., but the actual components are made offshore," Duke told attendees. "Unfortunately, companies around the world may operate under different rules and uneven oversight, and the practical reality is that raises concerns on the quality, safety, and security of the products."

[Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. See Supply Chain Uncertainties Complicate Security.]

Locking down a development environment is a large expense, but a necessary one to deal with a national government, Nigel Jones, chief financial officer of mobile-security firm Koolspan, told attendees. The company has created a secure development facility and engineered its systems with an airgap to make it extremely difficult for attackers to penetrate.

"It is not possible, to our knowledge, to extract our intellectual property in any usable form," he said. "It is an ongoing process, which we have to do every day, and we have to keep at it."

Such measures carry a significant cost, Jones said. And while they are there to assure the U.S. government that the products are secure, convincing other nations that the products do not have U.S. implants is a significant battle as well.

"We have to spend a lot of time assuring some of our non-U.S. customers that their data and communications systems are sufficiently safe against U.S. surveillance," Jones said. "It is the inverse of the supply-chain issue."

While classified government agencies will need to carve out strict standards for suppliers and their products, the commercial sector can use technical standards and certifications to help maintain a secure supply chain, said Roar Thorn, a senior adviser to the Norwegian National Security Authority. Norway and other countries in the European Union have created a common set of standards so that a supplier certified by one country is considered to be vetted by the others, he said.

"We have partnered up with a lot of NATO countries and gained trust over time," he said. "It would be hard to sell any kind of products if we had 350 different standards and rules that different companies had to follow in the product itself."

The Open Group has established the Open Trusted Technology Provider Standard (O-TTPS), for example, so that companies can demonstrate their adherence to best practices.

While the actual threat remains unclear, nations should not seek to block technology because that does not solve the problem, Venable's Barnett said.

"There is a role for government in dealing with this issue, but we need to make sure that we don't clamp down on trade," he said. "There should be a national investment in finding a solution."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

macker490
3/4/2014 | 1:52:58 PM
re: Supply-Chain Threats Still An Uncertain Danger
be proud of your work and sign for it
check out the UEFI initiative: kernel software components have to be signed with a valid digital signature or the boot loader rejects them. this is a good practice we should all adopt. it's part of a ZERO DEFECTS process. which needs to be combined with Product Liability.
it's a 'sea change'; a different approach to software.
that is badly needed