Government security vulnerabilities: The threat of outsourced chips

How urgent is the threat of outsourced chips -- chips created in other countries and deliberately infected with malicious code -- to U.S. government security? Learn more about this potential threat vector in this tip.

The most secure company in the world probably doesn't even know where [their] chip comes from.

Dennis Cox
Chief Technology OfficerBreakingPoint Systems Inc.

From the highest levels of the Executive Branch and the hearing rooms of Congress to the government IT conferences and e-seminars that abound in Washington, there's plenty of chatter about threats to government security. "We talk about cybersecurity so much that it gets boring," said one observer, "and when it gets boring we don't pay quite as close attention to it."

One potential government security vulnerability that may get more attention is "outsourced engineering"—hardware built overseas for U.S. companies containing chips or integrated circuits deliberately infected with malicious code. This is not a fanciful threat – there are already known examples of it occurring:

  • In 2008, BestBuy had to recall Samsung digital pictures frames that had malware loaded on their internal storage at the factory, according to Alan Paller of security consultants SANS Institute.

  • In 2007, Seagate discovered a password-stealing Trojan infecting disk drives it built in China.

Components from the People's Republic of China, in particular, have some experts worried. The country has been the source of increasingly sophisticated cyberattacks on government security, including the widely publicized assault earlier this year on Google. At a House Armed Services Committee hearing on March 26, 2010, Navy Adm. Robert Willard, chief of the U.S. Pacific Command, warned that "U.S. government networks and computer systems continue to be the target of intrusions that appear to have originated within the PRC."

Those attacks have come over the Internet, but the gravity of the Chinese threat should sound alarm bells about microelectronics originating in that country too, according to Dennis Cox, chief technology officer at BreakingPoint Systems Inc., of Austin, Texas, which supplies network testing tools to industry and the government.

Many major U.S. vendors of routers, switches and hubs, for example, use components made in China, said Cox. "It's cheaper to buy [from Chinese sources] than to build. It would be nearly impossible not to buy [hardware] made in China or that had some Chinese component in it." Given the layers that often exist in the supply chain, vendors may have no idea where some components were built, according to Cox. "Maybe with software you can find [a source of malware] but at the chip level you're not going to find it," he said. "The most secure company in the world probably doesn't even know where that chip comes from."

Nonetheless, there are steps Feds can take to reduce risk. John Tkacik Jr., former chief of China intelligence at the State Department, said that agencies should require "trustworthiness" in critical IT systems. "Components for defense-critical IT systems--from chips to storage devices--must come only from trusted and certified firms," he said.

Shawn McCarthy, director of government programs for IDC Government Insights, agreed that agencies should ensure that vendors are held accountable for microelectronics security as part of their procurement contracts, similar to a service level agreement.

About the author:
Richard Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.

This was last published in April 2010

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.