When we talk of cyber infractions and frauds, we have traditionally looked at computers, the internet, internal networks and wireless applications to find the threat vectors.
We then added ‘people’ as another threat vector and started focusing all research and development efforts on handling the devastating consequences of a combination of these threat vectors exploiting a whole range of vulnerabilities. The likes of Stuxnet and other uniquely architected malware were still operating within the contours of these threat vectors until we woke up recently to a series of threats that emanate from a hitherto unknown origin – the supply chain.
We had heard stories of malware embedded in printers during the recent Gulf war, but these accusations were mostly unsubstantiated and quite a few dismissed them as technology fairy tales or wishful thinking. Of late, the consequences of security compromise via threats embedded in the supply chain are becoming a reality. Attackers have always looked for new attack paths, and such a search yielded the desired results when Stuxnet infected SCADA systems that were until then thought to be invincible. Now a larger-scale exploit is on the anvil, with attackers using various unprotected parts of the supply chain to embed malware or other forms of threats.
Security threat by Chinese telecom companies
In October 2012, a special investigative report by the Permanent Select Committee on Intelligence of the US House of Representatives addressed the specific threat to US security posed by Chinese telecom companies in general and two companies in particular – Huawei and ZTE. Apart from a number of recommendations made to protect American interests from a possible onslaught by these companies via infection of the supply chain, including network and telecom hardware components, it carries strongly worded advice to US companies to avoid Chinese networking hardware. Whether users should be worried only about Chinese networking hardware, or take precautions about any hardware coming in for use in critical infrastructure, is a question that deserves consideration. It is surely possible that other groups are either already using, or are planning to use, supply chain vulnerabilities to introduce spyware or newer genres of threats, since those classes of threats, as I write this column, continue to be hard to detect and expensive to defend against.
Supply chain led threats
Since 2005, many nations, and particularly the United States, have taken a clear call on combating supply chain led information threats by effecting seizures of counterfeit networking hardware and other telecom components. This entire exercise was built around the faith that any product with a malicious payload would only arrive via the deployment of counterfeit components. The 2011 operation in which US authorities seized US$ 143 million worth of counterfeit networking and telecom components, and the resultant arrest of 30 people, lent credence to the belief that the spread of malicious hardware happens via counterfeits. That belief has been busted by some of the findings in the October 2012 report referenced earlier, where it is found that even companies that sell apparently genuine products may infect their components with undesirable malware or other forms of malicious content.
When the supply chain is totally insecure
While these reports and analyses point a finger at China for the supply of counterfeit or malware-infected components, it would appear that the Chinese computer market itself is battling counterfeits locally. When Microsoft successfully launched an all-out effort to eliminate the Nitol botnet, they got trusted people to go out and buy laptops and desktops in the market in China, and of the 20 systems they procured, all were found to contain some counterfeit component. Richard Boscovich of the Microsoft Digital Crimes Unit said further that each of these purchased systems had been configured in such a way as to reduce security, and four of them already had malware installed! Just imagine getting a brand new computer system with all its box seals intact and finding that you are starting off with a low-security configuration along with embedded malware. The worst part of this scenario is that many users may not be aware of it and will be happily typing away on their keyboards, not knowing they are vulnerable enough to become zombies or are otherwise open to attack and damage. This scenario is well summarised by Boscovich, who said that the “supply chain is broken; it is totally insecure, and it is easy for criminals to inject what they want into that supply chain.”
Three-point response
How does business react to the insecurity of the supply chain? A report published by the Georgia Tech Information Security Center and the Georgia Tech Research Institute has classified the responses into three categories. Firstly, a majority of companies do nothing about it other than limit their purchases to what they regard as ‘trusted’ vendors. Secondly, a small number of companies carry out random tests on devices to determine whether there are any indications of extra components or serious forms of vulnerabilities; depending on the test results, further action is initiated. Thirdly, a very small number of companies take a rather paranoid approach of not trusting the supply chain at all. Their security stance is based on the premise that any device that comes through the front door has already been compromised. These companies continuously monitor their devices for any indication or abnormality that could point to a compromise or vulnerability.
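The second and third responses above, and the Nitol finding earlier that brand new machines arrived with weakened security settings and pre-installed malware, both come down to the same defensive check: compare what a device actually contains against a trusted description of what it should contain. The script below is an added example, not part of the original column or of the Georgia Tech report; the golden baseline, the observed inventory, the device identifiers and the firmware digests are all constructed sample data, and the settings names are assumptions chosen for illustration. It diffs a device snapshot against the baseline and reports unexpected components, firmware hash mismatches and weakened security settings, with the severity a practitioner would typically assign.

```python
"""Baseline verification for newly received or in-service devices.

Compares a device inventory snapshot (hardware components, firmware hashes,
security settings) against a trusted 'golden' baseline and reports every
deviation. All inventories in this file are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str   # "component", "firmware" or "setting"
    detail: str


# Constructed golden baseline: what an untampered unit of this model looks like.
GOLDEN_BASELINE: Dict[str, dict] = {
    "components": {
        # bus address -> (vendor id, device id); IDs are illustrative only
        "00:1f.3": ("8086", "a170"),
        "00:1f.6": ("8086", "15b7"),
        "02:00.0": ("10ec", "8168"),
    },
    "firmware": {
        # firmware image -> expected SHA-256 hex digest (placeholder values)
        "bios": "a" * 64,
        "nic": "b" * 64,
    },
    "settings": {
        "secure_boot": "enabled",
        "firewall": "enabled",
        "auto_update": "enabled",
        "remote_admin": "disabled",
    },
}

# Constructed snapshot of a suspect unit: one undocumented extra device,
# a NIC firmware image that does not match, and weakened settings.
SAMPLE_OBSERVED: Dict[str, dict] = {
    "components": {
        "00:1f.3": ("8086", "a170"),
        "00:1f.6": ("8086", "15b7"),
        "02:00.0": ("10ec", "8168"),
        "03:00.0": ("1234", "5678"),   # not in the baseline
    },
    "firmware": {"bios": "a" * 64, "nic": "c" * 64},
    "settings": {
        "secure_boot": "disabled",
        "firewall": "enabled",
        "auto_update": "disabled",
        "remote_admin": "enabled",
    },
}


def compare_inventory(golden: dict, observed: dict) -> List[Finding]:
    """Return every deviation of `observed` from `golden`."""
    findings: List[Finding] = []

    # Hardware: anything present that the baseline does not list is the
    # classic 'extra component' indicator; a changed or missing part is also flagged.
    g_comp, o_comp = golden["components"], observed["components"]
    for addr, ids in o_comp.items():
        if addr not in g_comp:
            findings.append(Finding("high", "component",
                                    f"unexpected device at {addr}: {ids}"))
        elif g_comp[addr] != ids:
            findings.append(Finding("high", "component",
                                    f"device at {addr} changed: expected {g_comp[addr]}, found {ids}"))
    for addr in sorted(g_comp.keys() - o_comp.keys()):
        findings.append(Finding("medium", "component",
                                f"expected device missing at {addr}"))

    # Firmware: a digest that does not match the vendor-published image is high severity.
    g_fw, o_fw = golden["firmware"], observed["firmware"]
    for name, digest in g_fw.items():
        if name not in o_fw:
            findings.append(Finding("medium", "firmware",
                                    f"no firmware hash reported for {name}"))
        elif o_fw[name] != digest:
            findings.append(Finding("high", "firmware",
                                    f"{name} firmware hash mismatch"))

    # Settings: secure boot off is treated as high; other weakened settings as medium.
    for key, expected in golden["settings"].items():
        actual = observed["settings"].get(key, "<missing>")
        if actual != expected:
            severity = "high" if key == "secure_boot" else "medium"
            findings.append(Finding(severity, "setting",
                                    f"{key} is {actual}, baseline requires {expected}"))
    return findings


def device_passes(golden: dict, observed: dict) -> bool:
    """A unit is cleared for deployment only if it has no high-severity finding."""
    return not any(f.severity == "high" for f in compare_inventory(golden, observed))


if __name__ == "__main__":
    for f in compare_inventory(GOLDEN_BASELINE, SAMPLE_OBSERVED):
        print(f"[{f.severity:6}] {f.category:9} {f.detail}")
    print("cleared" if device_passes(GOLDEN_BASELINE, SAMPLE_OBSERVED) else "quarantine")
```

In practice the observed snapshot would be produced by the platform's own inventory tooling on the unit under test, and the golden baseline would be captured once from a unit verified out of band; the point of running the comparison continuously, not only on receipt, is that it also catches a part or firmware image that changes after the device is already in service.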
Andrew Howard of the Georgia Tech Research Institute perhaps had the most realistic assessment on this subject when he said, “this is a problem that is extremely expensive and difficult to solve. Solve may not even be the right word.” I sincerely hope that what Howard said later does not become a reality – “it is going to take a bad event to have the momentum necessary to fully tackle the problem.” One silver lining here is that the problem and its large-scale ramifications appear to have been recognised, though it is too ubiquitous in its reach for any one set of stakeholders to manage it completely.
IE, the business magazine from the south, was launched in 1968 and pioneered business journalism in the south. Through its 45 years IE has focused on well-presented and well-researched articles. When giants in the industry stumbled to keep pace with the digital revolution, IE stayed the course, embracing technology.