Department of Homeland Security officials are warning of weaknesses in the technology supply chain that result in the importation of devices that are already infected with malware, spyware, backdoors and other malicious code that leave the units vulnerable to exploitation.
Greg Schaffer, the acting deputy undersecretary for the DHS National Protection and Programs Directorate, provided testimony to the House Oversight and Government Reform Committee last week.
"These pieces are embedded in software and hardware, and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz (R-Utah).
Prior to Schaffer's testimony, the notion that security lapses in the global electronics supply chain could be used by foreign entities to introduce widespread vulnerabilities was for the most part theoretical, as discussed in the U.S.-China Economic and Security Review Commission report released late last year.
Chaffetz asked Schaffer directly, "Are you aware of any software or hardware components that have been embedded with security risks?"
"I am aware of instances where that has happened," Schaffer replied in sworn testimony.
Schaffer went on to explain that the importation of infected devices remains "one of the most complicated and difficult challenges" for the agency.
Aside from threats to consumers and businesses, the pre-infected devices could be employed in systems governing critical infrastructure assets or in government networks, making the supply chain vulnerabilities a serious threat to national security.
Schaffer said that the DHS and the Department of Defense have already established a task force to further examine the issue. One significant challenge is determining whether a vulnerability was merely due to poor quality control or was introduced intentionally.
The White House Cyber Policy Review, released earlier this year, warned that "the emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions."
The report went on to recommend that "a broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities."