Is supply-chain risk overstated?
- By Mark Rockwell
- May 22, 2013
While the hardware in U.S. telecommunications companies' networks is a more difficult target for electronic attackers than software, telecom service providers and the Government Accountability Office remain concerned foreign-made gear could prove to be a soft spot for critical infrastructure providers.
In testimony issued on May 21 ahead of dual House Energy and Commerce committee and House Communications and Technology subcommittee hearings on cyber threats, GAO's Mark Goldstein said that threats from foreign-made telecom gear are not as great as those posed by software incursions, but there is ample room for problems. Goldstein is GAO's director for physical infrastructure issues.
U.S. telecommunications companies, said Goldstein, increasingly rely on foreign-made gear to run their networks. "Certain entities in the federal government view this dependence as an emerging threat that introduces risks to the networks," he said. President Obama's Feb. 19 executive order created a framework to reduce cyber risks to critical infrastructure overseen by the National Institute of Standards and Technolgy. NIST is conducting a comprehensive review to obtain stakeholder input and develop a supply chain security framework for commercial communications networks.
Goldstein said network providers and equipment manufacturers have told GAO officials that they address potential security risks from foreign-manufactured equipment through voluntary risk management practices. His testimony added that company officials said the risk from foreign-made equipment isn't its origins, but how it is made, particularly the security procedures implemented by manufacturers. According to GAO, the same officials also said they were not aware of intentional attacks originating in the supply chain, and some said that they consider the risk of this type of attack to be low.
Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attacks -- like malicious software uploaded to equipment through the Internet -- and less likely to be used by potential attackers. Three network providers told GAO the most common anomalies found in equipment were caused by unintentionally bad coding in their software. A third-party testing firm, however, said the anomalies could lead to exploitable vulnerabilities.
In a separate industry conference down the street from the Capitol that same afternoon, cybersecurity experts concurred that telecom and other IT hardware made overseas could be subverted, but it remains a difficult target.
"In reality, software is the low-hanging fruit," said Roger Schell, senior computer scientist at the University of Southern California. Schell, speaking alongside Charles Berlin, director of the National Security Agency's National Security Operations Center on a cybersecurity panel at the SAS Government Leadership Summit, said hackers go after software, not hardware.
Software manufacturers, said Schell, are not doing nearly enough to protect their users. As evidence of the oversight, he cited a recent government-sponsored "red team" practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, resulting in loss of control of the program.
Both Schell and Berlin stressed the need for cooperation among government, equipment manufacturers and users of technology to bolster U.S. cybersercurity.
Mark Rockwell is a staff writer at FCW.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.