Counterfeit hardware poses security risk

Counterfeit computer hardware poses a significant security risk to private corporations and the military.

A few weeks ago at a cyberwarfare training program, I was asked what single action would have the biggest impact in securing our critical military and intelligence systems. That is a very interesting question that has been on my mind ever since. The answer came on a conference call that took place late last week. On that call the question of supply chain security came up, specifically asking what percentage of components used in a critical piece of security hardware were foreign sourced. For background, only about 20 percent of all computer chips are made in the United States. The vendor danced around the question and then a sales representative said, “No one has ever asked this question before, so we should move on.”

That is a dangerous attitude given that counterfeit computer hardware is viewed as a significant problem by private corporations and the military. Two years ago there was a White House report that noted that there had been several “unambiguous, deliberate subversions” of computer hardware.

As I experienced on the conference call, vendors routinely try to side-step this critical security issue. In order to guard against processor-level cyberattacks or potential product compromise, vendors should be required to disclose, in a classified setting, all known or suspected vulnerabilities in the devices proposed for use in sensitive security applications or systems. This should be done during the request for proposal process—a proper assessment of the cybersecurity risks must be part of the offer evaluation. And while you are at it, ask the vendor if they are selling products to China and complying with the rule China enacted this past spring that requires detailed disclosure of the inner workings of 21 different categories of security products.