The new threat vector
We woke up recently to a series of threats that emanate from a hitherto unknown origin – supply chain.
When we talk of cyber infractions and frauds, we have traditionally looked at computers, the internet, internal networks and wireless applications to find the threat vectors.

We then added ‘people’ as another threat vector and started focusing all research and development efforts on handling the devastating consequences of a combination of these threat vectors exploiting a whole range of vulnerabilities. The likes of Stuxnet and other uniquely architected malware were still operating within the contours of these threat vectors until we woke up recently to a series of threats that emanate from a hitherto unknown origin – supply chain.

We had heard stories of malware embedded in printers during the recent Gulf war, but these accusations were mostly unsubstantiated and quite a few dismissed them as technology fairy tales or wishful thinking. Of late, the consequences of security compromise via threats embedded in the supply chain are becoming a reality. Attackers have always looked for new attack paths, and such a search yielded the desired results when Stuxnet infected SCADA systems that were till then thought to be invincible. Now a larger scale exploit is on the anvil, with the attackers using various unprotected parts of the supply chain to embed the malware or other forms of threats.

Security threat by Chinese telecom companies

In October 2012, a special investigative report by the Permanent Select Committee on Intelligence of the US House of Representatives addressed the specific threat to US security posed by Chinese telecom companies in general and two companies in particular – Huawei and ZTE. Apart from a number of recommendations made to protect American interests from the possible onslaught by these companies via infection of the supply chain, including network and telecom hardware components, it carries strongly worded advice to US companies to avoid Chinese networking hardware. Whether users should be worried only about Chinese networking hardware, or should take precautions about any hardware coming in for use in critical infrastructure, is a question that deserves consideration. It is surely possible that there are other groups who are either actually using or are planning to use the supply chain vulnerabilities to introduce spyware or newer genres of threats, since those classes of threats, as I write this column, continue to be hard to detect and expensive to defend against.

Supply chain led threats

Since 2005, many nations, and particularly the United States, have taken a clear call on combating supply chain led information threats by effecting seizures of counterfeit networking hardware and other telecom components. This entire exercise was built around the faith that any product with a malicious payload will only come via deployment of counterfeit components. The 2011 operation of seizing US$ 143 million worth of counterfeit networking and telecom components by the US authorities and the resultant arrest of 30 people lend credence to the belief that the spread of malicious hardware happens via counterfeits. That belief has been busted by some of the findings in the October 2012 report referenced earlier, where it is found that even companies that sell apparently genuine products may infect their components with undesirable malware or other forms of malicious content.
IE, the business magazine from south was launched in 1968 and pioneered business journalism in south. Through the 45 years IE has been focusing on well-presented and well-researched articles. When giants in the industry stumbled to keep pace with the digital revolution, IE stayed affixed embracing technology.