Is supply-chain risk overstated?

Software is at greater risk of cyber-attack than hardware, but foreign-made gear is still raising concerns.


While the hardware in U.S. telecommunications companies' networks is a more difficult target for electronic attackers than software, telecom service providers and the Government Accountability Office remain concerned foreign-made gear could prove to be a soft spot for critical infrastructure providers.

In testimony issued on May 21 ahead of dual House Energy and Commerce committee and House Communications and Technology subcommittee hearings on cyber threats, GAO's Mark Goldstein said that threats from foreign-made telecom gear are not as great as those posed by software incursions, but there is ample room for problems. Goldstein is GAO's director for physical infrastructure issues.

U.S. telecommunications companies, said Goldstein, increasingly rely on foreign-made gear to run their networks. "Certain entities in the federal government view this dependence as an emerging threat that introduces risks to the networks," he said. President Obama's Feb. 19 executive order created a framework to reduce cyber risks to critical infrastructure, overseen by the National Institute of Standards and Technology. NIST is conducting a comprehensive review to obtain stakeholder input and develop a supply chain security framework for commercial communications networks.

Goldstein said network providers and equipment manufacturers have told GAO officials that they address potential security risks from foreign-manufactured equipment through voluntary risk management practices. His testimony added that company officials said the risk from foreign-made equipment isn't its origins, but how it is made, particularly the security procedures implemented by manufacturers. According to GAO, the same officials also said they were not aware of intentional attacks originating in the supply chain, and some said that they consider the risk of this type of attack to be low.

Officials from four industry groups and one research institution, said GAO, maintained that supply-chain attacks are harder to carry out and require more resources than other modes of attack -- like malicious software uploaded to equipment through the Internet -- and are therefore less likely to be used by potential attackers. Three network providers told GAO the most common anomalies found in equipment were caused by unintentionally bad coding in their software. A third-party testing firm, however, said the anomalies could lead to exploitable vulnerabilities.

In a separate industry conference down the street from the Capitol that same afternoon, cybersecurity experts concurred that telecom and other IT hardware made overseas could be subverted, but it remains a difficult target.

"In reality, software is the low-hanging fruit," said Roger Schell, senior computer scientist at the University of Southern California. Schell, speaking alongside Charles Berlin, director of the National Security Agency's National Security Operations Center on a cybersecurity panel at the SAS Government Leadership Summit, said hackers go after software, not hardware.

Software manufacturers, said Schell, are not doing nearly enough to protect their users. As evidence of the oversight, he cited a recent government-sponsored "red team" practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, resulting in loss of control of the program.

Both Schell and Berlin stressed the need for cooperation among government, equipment manufacturers and users of technology to bolster U.S. cybersecurity.