Is supply-chain risk overstated?


While the hardware in U.S. telecommunications companies' networks is a more difficult target for electronic attackers than software, telecom service providers and the Government Accountability Office remain concerned foreign-made gear could prove to be a soft spot for critical infrastructure providers.

In testimony issued on May 21 ahead of dual House Energy and Commerce committee and House Communications and Technology subcommittee hearings on cyber threats, GAO's Mark Goldstein said that threats from foreign-made telecom gear are not as great as those posed by software incursions, but there is ample room for problems. Goldstein is GAO's director for physical infrastructure issues.

U.S. telecommunications companies, said Goldstein, increasingly rely on foreign-made gear to run their networks. "Certain entities in the federal government view this dependence as an emerging threat that introduces risks to the networks," he said. President Obama's Feb. 19 executive order on critical infrastructure cybersecurity directed the National Institute of Standards and Technology to develop a framework for reducing cyber risks to critical infrastructure. NIST is conducting a comprehensive review to obtain stakeholder input and develop a supply chain security framework for commercial communications networks.

Goldstein said network providers and equipment manufacturers have told GAO officials that they address potential security risks from foreign-manufactured equipment through voluntary risk management practices. His testimony added that company officials said the risk from foreign-made equipment isn't its origins, but how it is made, particularly the security procedures implemented by manufacturers. According to GAO, the same officials also said they were not aware of intentional attacks originating in the supply chain, and some said that they consider the risk of this type of attack to be low.

Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attack -- like malicious software uploaded to equipment through the Internet -- and are therefore less likely to be used by potential attackers. Three network providers told GAO that the most common anomalies found in equipment were caused by unintentionally bad coding in its software. A third-party testing firm, however, said such anomalies could still lead to exploitable vulnerabilities.

In a separate industry conference down the street from the Capitol that same afternoon, cybersecurity experts concurred that telecom and other IT hardware made overseas could be subverted, but it remains a difficult target.

"In reality, software is the low-hanging fruit," said Roger Schell, senior computer scientist at the University of Southern California. Schell, speaking alongside Charles Berlin, director of the National Security Agency's National Security Operations Center on a cybersecurity panel at the SAS Government Leadership Summit, said hackers go after software, not hardware.

Software manufacturers, said Schell, are not doing nearly enough to protect their users. As evidence of that neglect, he cited a recent government-sponsored "red team" practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, causing its operators to lose control of the program.

Both Schell and Berlin stressed the need for cooperation among government, equipment manufacturers and users of technology to bolster U.S. cybersecurity.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.



Reader comments

Thu, May 23, 2013 Howard

I know of no commercial SW that is developed 100% in-house. As for HW, it is truly a Pandora's box. I once had a senior VP from the world's leading IT firm tell me that to remain competitive they had no choice but to go with the foreign sources and hope there was no embedded FW, as it would take up to 3 years to fully reverse engineer the products. I once had a trusted HW source provide firewalls that came with expanded capabilities we found out about by chance; by the time we got back to them, the engineers that developed the system had already returned to their homeland, one of our most trusted allies. Nothing was ever done about it, but the senior Fed IT security folks know what and who I am referring to. Bottom line: you can never fully trust any HW/SW product that you have not personally supervised/managed the development of.

Thu, May 23, 2013 RayW

"Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attacks"

Yes, in the short term it is harder to do a supply chain attack. But the operative term is "short term" and how it is defined. Here in the US, short term ranges from five minutes to a couple of months; anything past that is not considered. In places like China, short term ranges from a few years to possibly decades, and they plan on those using the other definition forgetting what was done and where.

Given the complexity of microcircuits today, and the future complexity and unused paths that are put in for multi-purposing silicon (or whatever the term is today) or as test paths, it is impossible to know what it will take to turn on a path that will act like a Trojan in software. And given the computing power that can be squeezed into spare paths and voids on a die that can be concealed from most users who lack certain expensive resources, it will be interesting to see what "new" attacks will pop up in 5-10-15 years from now and the responses and finger pointing from the various "powers that be". (And consider the push to put microcircuits in everything that is produced.)

Thu, May 23, 2013 AFRet05

I think the software supply chain risk is not completely understood by most personnel. It is rare that a company develops 100% of its software; it usually utilizes libraries and/or subcontracts out parts of the work. There are not only secondary dependencies but most often tertiary dependencies. The IA community likes to know the "pedigree" of the software. That is where the risk comes into play.
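To make the point about secondary and tertiary dependencies concrete, here is an added example (editor's illustration, not code from the article or from the commenter). It walks a dependency graph, records how far each package sits from the application (1 = direct, 2 = secondary, 3 = tertiary, and so on), and flags every package that has no pedigree record. The `DEPENDENCIES` manifest and the `VETTED` set are constructed sample data, not a real project's.

```python
# Added example: enumerate transitive dependencies of an application and
# flag those with no known pedigree. All data below is constructed for
# illustration; it does not describe any real project.
from collections import deque

# Constructed manifest: package -> packages it declares as dependencies.
DEPENDENCIES = {
    "app": ["webframework", "crypto-lib"],
    "webframework": ["template-engine", "http-parser"],
    "crypto-lib": ["bignum"],
    "template-engine": ["string-utils"],
    "http-parser": [],
    "bignum": [],
    "string-utils": ["unicode-tables"],
    "unicode-tables": [],
}

# Constructed pedigree records: packages whose source, build and maintainer
# have been reviewed. Anything absent here has unknown provenance.
VETTED = {"webframework", "crypto-lib", "template-engine", "http-parser", "bignum"}


def transitive_dependencies(root, deps=DEPENDENCIES):
    """Return {package: depth} for every package reachable from root.

    Depth 1 is a direct dependency, 2 a secondary, 3 a tertiary, etc.
    Breadth-first search records the shortest depth and, because each
    package is visited once, terminates even if the graph has cycles.
    """
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, depth = queue.popleft()
        for child in deps.get(pkg, []):
            if child not in depths:
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def unvetted_dependencies(root, deps=DEPENDENCIES, vetted=VETTED):
    """Packages in root's transitive closure that have no pedigree record."""
    return {pkg: d for pkg, d in transitive_dependencies(root, deps).items()
            if pkg not in vetted}


if __name__ == "__main__":
    # Print the full closure ordered by depth, then the unvetted subset.
    for pkg, depth in sorted(transitive_dependencies("app").items(),
                             key=lambda kv: (kv[1], kv[0])):
        print(f"depth {depth}: {pkg}")
    print("no pedigree:", unvetted_dependencies("app"))
```

With the sample manifest, the two packages that fail the pedigree check are a tertiary dependency (`string-utils`) and a fourth-level one (`unicode-tables`), neither of which appears in the application's own declared dependency list; a review that stops at direct dependencies never sees them.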
