When Scott Borg began warning a decade ago of the various ways adversaries could infiltrate electronic supply chains, the danger was largely theoretical. He suggested that an adversary might embed malicious programs in microcircuitry, and then spy on or sabotage weapons and other electronic equipment.
“When my colleagues and I first talked about these things, the actual evidence we could point to was slender and patchy,” said Borg, director of the nonprofit U.S. Cyber Consequences Unit. “It was persuasive if you took the time to study it, but not if you had to cite it quickly to a skeptical audience.”
A decade later, audiences are no longer skeptical. In his Worldwide Threat Assessment in March, Director of National Intelligence James Clapper listed “Threats to US Government Supply Chains,” as a top concern and warned of “potential supply chain subversions.” The Defense Department spends billions of dollars annually to fend off cyber attacks, yet the challenge of securing weapon and information systems is more daunting than ever.
That’s due in part to the massive number of companies involved in military supply chains.
“In an era of globalized commerce, an emerging threat that concerns the Department involves possible foreign compromise of our supply chain, which could degrade or defeat our information systems or weapons platforms by inserting malicious code or otherwise corrupting key components bound for these important war-fighting systems,” Ronald Burgess, the retired Army lieutenant general who was running the Defense Intelligence Agency, told members of the Senate Armed Services Committee in February 2012.
DoD has taken that warning seriously. On Nov. 5, Teresa Takai, the department’s chief information officer, and Frank Kendall, undersecretary for acquisition, technology and logistics, issued policies designed to minimize the risk that “foreign intelligence, terrorists, or other hostile elements” could sabotage or subvert critical systems or components. The new policies direct DoD officials to carefully evaluate individual vendors, particularly the ones who supply code or components of critical systems. They also instruct program managers to conduct rigorous testing and evaluation to identify vulnerabilities in hardware and software.
In December, the Defense Advanced Research Projects Agency launched its own campaign to improve security for information technology. Through the Vetting Commodity IT Software and Firmware program, DARPA is challenging companies to come up with innovative ways to uncover the type of malicious instructions adversaries could use to steal data or sabotage critical operations.
“Determining the security of every device DoD uses in a timely fashion is beyond current capabilities,” an agency announcement said Dec. 19.
While cybersecurity experts applaud the Pentagon’s recent initiatives, they warn that the threat of enemies tampering with hardware, software or data spread through computer networks and mobile devices continues to grow. An enemy could, for example, design malware for a missile system that would lie dormant until the weapon was set for launch and then substitute new geopositioning coordinates for the intended target. This type of attack would be extremely costly and difficult to accomplish, but the stakes are too high to ignore the risk, Borg said.
What’s more, cyber threats have become far more complex in the last decade.
“We see organized crime and nation states becoming more patient and thinking through attacks,” said Gib Sorebo, SAIC vice president and chief cybersecurity technologist. “Just like in spy movies, when James Bond had to get into one facility to get information to get into another facility, we are seeing cyber attacks that are multifaceted and they are targeting suppliers because oftentimes suppliers are easier to attack and oftentimes people don’t suspect them.”
The creators of Flame, sophisticated code that spread undetected among computers in the Middle East from 2010 to 2012, used forged Microsoft Windows licensing certificates to spread the malware through fraudulent Windows updates. Hackers also used two-factor authentication tokens stolen from EMC’s RSA Security Division to break into Lockheed Martin networks in 2011.
There’s no simple way to prevent these attacks. Weapon systems are jam-packed with software and electronic components. Each component is laden with circuitry. Computer experts often have trouble identifying the precise job of each circuit.
“Even if people went to the trouble of attempting to verify that every chip on a circuit board came from a reputable supplier and nothing untoward had been put on there, which virtually no one does, they would still need to make sure the exemplar they were using had not been compromised,” Sorebo said. “We are just beginning to figure out ways to solve the problem.”
TRUST IN THE CLOUD
Still, there are obvious steps companies and government agencies can take to improve security, including figuring out who has access to critical data. With the growing use of cloud computing and mobile devices, data that was once held by a single organization is now shared among many. In a recent survey, one multinational corporation discovered that its data was stored in 15 to 20 different places, said Steve Durbin, global vice president for the nonprofit Information Security Forum, an organization that considers supply chain security among the five top threats to businesses in 2013. Within any enterprise, it’s important to understand what information is being shared, where that information is being stored, how it is being stored and who has access to it, Durbin added.
Similarly, companies and government agencies should evaluate the safety and security of their global hardware and software supply chains.
“If you look at the hardware you buy, virtually none of it is manufactured by the actual company with its name on it,” Sorebo said. So it’s not simply a question of trusting Dell or Cisco, but of trusting every supplier those companies rely on, including companies that provide cloud-based computing services, he added.
In October, a U.S. House Intelligence Committee report raised concerns that China’s Huawei Technologies Co. and ZTE Corp. could not be trusted to provide telecommunications equipment, components or services for U.S. government programs or U.S. government contractors because of the close relationships those companies have with the Chinese government. Some security experts also have raised concerns about the world’s most rapidly growing semiconductor company, GlobalFoundries, based in the United Arab Emirates. GlobalFoundries, which was established in 2009, is the world’s second largest semiconductor fabrication plant that specializes in producing the chips its customers design.
In spite of concerns that hardware and software created in China or the Middle East pose greater risk than domestic products, security experts reject suggestions that the Pentagon limit its procurement to electronic components built in the United States or take pains to identify the country of origin for individual parts. Those exercises would be “prohibitively expensive and infeasible, based on the mechanisms that are currently readily available,” representatives of the CIA and the Office of the Director of National Intelligence told the Government Accountability Office, according to the report, “IT Supply Chain: National Security-Related Agencies Need to Better Address Risks,” published in March 2012.
The military reaps enormous cost and performance advantages from its access to global suppliers. Cybersecurity experts said any steps the government takes to improve security should not prevent that access or include such heavy reporting or due-diligence measures that those cost savings disappear. Instead, government agencies and companies should institute common-sense security measures for all programs, such as vetting suppliers and evaluating whether those suppliers conduct background checks on managers and employees.
Additional security measures are likely to vary from program to program. For weapons critical to national security or those in which a malfunctioning component could cause grave harm, stringent security precautions are warranted. In secure facilities program managers may be restricted to using parts produced domestically.
“It’s similar to the way we treat classified information, with checks at each level of the supply chain,” Sorebo said.
Still, those procedures will increase the cost of products and services, so they should only be employed when a particular program is considered high risk. He said DoD will want to use different procedures to ensure the safety of tires purchased by the Defense Logistics Agency than it would to safeguard infrastructure designed to support the nation’s response to nuclear attack.
In addition, security precautions will vary even among high-risk programs.
“We can’t just think about cybersecurity in terms of patching and avoiding vulnerabilities,” Borg said. “We have to think about threats, consequences and the total risk picture.”
Military leaders should look at an individual weapon, for example, to determine who would want to attack it, what kind of attack they would want to carry out and what harm it would cause.
Once that process is completed, program managers will be in a position to implement defensive strategies. They will know, for example, which systems should be air-gapped, or insulated from any contact with the Internet. They also will know what types of anomalous behavior could signal a serious problem and how to identify that behavior. When that analysis is completed, Pentagon planners will be able to focus resources on securing the most critical systems. For many programs, basic security strategies will be adequate because cyber attacks that degrade or destroy systems would be inconvenient but not dangerous.
The Internet Security Alliance is preparing to release a lengthy set of guidelines for safeguarding the electronic equipment supply chain. These guidelines, written by Borg, are the product of a lengthy series of workshops, discussions, and interviews conducted since 2007. The guidelines will include detailed steps that manufacturers can take to secure each stage of the electronic production process, from design through fabrication, assembly, distribution and maintenance. The new guidelines also will highlight the danger posed by counterfeit electronics.
The Semiconductor Industry Association has issued repeated warnings about the danger of counterfeit electronics in military systems. Because the military services tend to rely on electronic equipment far longer than commercial customers, many of the components the military needs to maintain systems are no longer available from the original manufacturer.
“The Defense Department is wedded to very old technology,” said a semiconductor industry executive who asked not to be identified. As a result, military procurement officers who use the Internet to search for replacement parts often end up with chips stripped from old machinery, cleaned and relabeled.
In many cases, the second-hand parts cause military systems to fail or malfunction because they are damaged, old or incorrectly labeled. However, counterfeit parts also could carry malicious firmware.
“It’s possible to introduce malicious firmware into a process that is to some degree being supervised and visited by a legitimate chipmaker,” Borg said. It would be much easier, however, to introduce malicious firmware on a counterfeit. “You can do things that would be hard to do subtly or covertly in another kind of supply chain,” he added.
To stop counterfeit electronics from entering the U.S., the members of the Semiconductor Industry Association have lobbied for years in support of legislation that would give Customs and Border Protection agents authority to inspect suspicious packages and exchange identifying information with the purported manufacturer to confirm the authenticity of electronic devices. That was the practice until 2008, when customs agents routinely photographed chips and shared images with the manufacturer whose trademark appeared on the label to confirm the authenticity of electronic devices. In 2008, however, the Treasury Department instructed customs agents to redact identifying marks before sharing images.
Late last year, legislation designed to resume the practice of sharing identifying information appeared headed for passage but collapsed amid year-end wrangling over federal spending cuts. On Jan. 11, U.S. Reps. Ted Poe, R-Texas, and Zoe Lofgren, D-Calif., introduced legislation to once again give Customs and Border Protection agents authority to exchange detailed imagery with manufacturers.
“We are hoping a companion bill will be introduced in the Senate,” said Patrick Wilson, Semiconductor Industry Association director of government affairs.
This article appears in the April issue of C4ISR Journal.