Is supply-chain risk overstated?


While the hardware in U.S. telecommunications companies' networks is a more difficult target for electronic attackers than software, telecom service providers and the Government Accountability Office remain concerned foreign-made gear could prove to be a soft spot for critical infrastructure providers.

In testimony issued on May 21 ahead of dual House Energy and Commerce committee and House Communications and Technology subcommittee hearings on cyber threats, GAO's Mark Goldstein said that threats from foreign-made telecom gear are not as great as those posed by software incursions, but there is ample room for problems. Goldstein is GAO's director for physical infrastructure issues.

U.S. telecommunications companies, said Goldstein, increasingly rely on foreign-made gear to run their networks. "Certain entities in the federal government view this dependence as an emerging threat that introduces risks to the networks," he said. President Obama's Feb. 19 executive order created a framework, overseen by the National Institute of Standards and Technology, to reduce cyber risks to critical infrastructure. NIST is conducting a comprehensive review to obtain stakeholder input and develop a supply chain security framework for commercial communications networks.

Goldstein said network providers and equipment manufacturers have told GAO officials that they address potential security risks from foreign-manufactured equipment through voluntary risk management practices. His testimony added that company officials said the risk from foreign-made equipment isn't its origins, but how it is made, particularly the security procedures implemented by manufacturers. According to GAO, the same officials also said they were not aware of intentional attacks originating in the supply chain, and some said that they consider the risk of this type of attack to be low.

Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attacks -- like malicious software uploaded to equipment through the Internet -- and less likely to be used by potential attackers. Three network providers told GAO the most common anomalies found in equipment were caused by unintentionally bad coding in their software. A third-party testing firm, however, said the anomalies could lead to exploitable vulnerabilities.

In a separate industry conference down the street from the Capitol that same afternoon, cybersecurity experts concurred that telecom and other IT hardware made overseas could be subverted, but it remains a difficult target.

"In reality, software is the low-hanging fruit," said Roger Schell, senior computer scientist at the University of Southern California. Schell, speaking alongside Charles Berlin, director of the National Security Agency's National Security Operations Center on a cybersecurity panel at the SAS Government Leadership Summit, said hackers go after software, not hardware.

Software manufacturers, said Schell, are not doing nearly enough to protect their users. As evidence of the oversight, he cited a recent government-sponsored "red team" practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, resulting in loss of control of the program.

Both Schell and Berlin stressed the need for cooperation among government, equipment manufacturers and users of technology to bolster U.S. cybersecurity.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.



Reader comments

Thu, May 23, 2013 Howard

I know of no commercial SW that is developed 100% in-house. As for HW, it is truly a Pandora's box. Once had a senior VP from the world's leading IT firm tell me that to remain competitive they had no choice but to go with the foreign sources and hope there was no embedded FW, as it would take up to 3 years to fully reverse engineer the products. Once had a trusted HW source provide firewalls that came with expanded capabilities we found out about by chance; by the time we got back to them, the engineers that developed the system had already returned to their homeland, one of our most trusted allies. Nothing was ever done about it, but the senior Fed IT Security folks know what and who I am referring to. Bottom line: you can never fully trust any HW/SW product that you have not personally supervised / managed the development of.

Thu, May 23, 2013 RayW

"Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attacks"

Yes, in the short term it is harder to do a supply chain attack. But the operative term is "short term" and how it is defined. Here in the US, short term ranges from five minutes to a couple of months, anything past that is not considered. In places like China, short term ranges from a few years to possibly decades, and they plan on the other definition to forget what was done and where.

Given the complexity of microcircuits today, and the future complexity and unused paths that are put in for multi-purposing silicon (or whatever the term is today) or as test paths, it is impossible to know what it will take to turn on a path that will act like a Trojan in software. And given the computing power that can be squeezed into spare paths and voids on a die that can be concealed from most users who lack certain expensive resources, it will be interesting to see what "new" attacks will pop up in 5-10-15 years from now and the responses and finger pointing from the various "powers that be". (And consider the push to put microcircuits in everything that is produced.)

Thu, May 23, 2013 AFRet05

I think the software supply chain risk is not completely understood by most personnel. It is rare that a company develops 100% of the software but utilizes libraries and/or subcontracts out parts of the work. There are not only secondary dependencies but most often tertiary dependencies. The IA community likes to know the "pedigree" of the software. That is where the risk comes into play.
