A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the White House have been aware of the threat for quite some time.
When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that "I am aware of instances where that has happened," after some hesitation.
This supply chain security issue essentially means that, somewhere along the line, technology being marketed in the United States was either compromised or purposely designed to enable cyberattacks.
Schaffer, who has an extensive background in cybersecurity and communications infrastructure management, did not elaborate on the compromised tech that DHS has encountered. However, he did emphasize that foreign components are found in many American-manufactured devices.
As a matter of sheer speculation, it is not hard to imagine computers, portable devices, and components marketed in the United States being purposely infected with malware, spyware, or other forms of security-compromising software by request of either foreign companies or foreign governments. More worryingly, the hearing specifically mentioned hardware components as possibly being compromised—which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.
During questioning, Schaffer said that a whole-of-government effort would be required to combat security holes caused by malware and spyware making their way through America's electronics supply chain.
Rep. Darrell Issa (R-CA) also specifically asked witnesses about the risk of electronics being sold stateside being purposely designed for cyberattacks. In his words, "software infrastructure, hardware, [and] other things are built overseas that come to the United States with items that are embedded already in them by the time they get here to the United States."
Buried in the White House's Cyberspace Policy Review is a small acknowledgment that the Executive Branch knows something weird is happening in imported tech:
The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.
A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.
The Cyberspace Policy Review was written several months ago. Apparently, Homeland Security has found documented examples in the meantime.
Judging from the White House's statement, most of these strategic security compromises have been found in counterfeit and gray-market electronic products.
Schaffer was testifying before committee to discuss a White House policy proposal that offer incentives for private companies to share information with the federal government. The proposal also calls for modifying the Federal Information Security Management Act. Other witnesses included Associate Deputy Attorney General James A. Baker, DoD Deputy Assistant Secretary of Defense for Cyber Policy Robert J. Butler, and Senior Internet Policy Advisor to the National Institute of Standards and Technology Ari Schwartz.
Supply chain security is a growing worry for both the federal government and business. According to White House documents, the executive branch is actively studying the risk of nation-states purposely installing sleeper, one-use attack tools in software and hardware components marketed in the U.S.