"The most secure company in the world probably doesn't even know where [their] chip comes from."
Dennis Cox, Chief Technology Officer, BreakingPoint Systems Inc.
One potential government security vulnerability that may get more attention is "outsourced engineering"—hardware built overseas for U.S. companies containing chips or integrated circuits deliberately infected with malicious code. This is not a fanciful threat – there are already known examples of it occurring:
- In 2008, BestBuy had to recall Samsung digital picture frames that had malware loaded on their internal storage at the factory, according to Alan Paller of security consultants SANS Institute.
- In 2007, Seagate discovered a password-stealing Trojan infecting disk drives it built in China.
Components from the People's Republic of China, in particular, have some experts worried. The country has been the source of increasingly sophisticated cyberattacks on government security, including the widely publicized assault earlier this year on Google. At a House Armed Services Committee hearing on March 26, 2010, Navy Adm. Robert Willard, chief of the U.S. Pacific Command, warned that "U.S. government networks and computer systems continue to be the target of intrusions that appear to have originated within the PRC."
Those attacks have come over the Internet, but the gravity of the Chinese threat should sound alarm bells about microelectronics originating in that country too, according to Dennis Cox, chief technology officer at BreakingPoint Systems Inc., of Austin, Texas, which supplies network testing tools to industry and the government.
Many major U.S. vendors of routers, switches and hubs, for example, use components made in China, said Cox. "It's cheaper to buy [from Chinese sources] than to build. It would be nearly impossible not to buy [hardware] made in China or that had some Chinese component in it." Given the layers that often exist in the supply chain, vendors may have no idea where some components were built, according to Cox. "Maybe with software you can find [a source of malware] but at the chip level you're not going to find it," he said. "The most secure company in the world probably doesn't even know where that chip comes from."
Nonetheless, there are steps Feds can take to reduce risk. John Tkacik Jr., former chief of China intelligence at the State Department, said that agencies should require "trustworthiness" in critical IT systems. "Components for defense-critical IT systems – from chips to storage devices – must come only from trusted and certified firms," he said.
Shawn McCarthy, director of government programs for IDC Government Insights, agreed that agencies should ensure that vendors are held accountable for microelectronics security as part of their procurement contracts, similar to a service level agreement.
About the author:
Richard Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in April 2010