Neil Ungerleider of Fast Company has noted a very interesting exchange that occurred at Friday’s hearing of the House Oversight and Government Reform Committee. Asked directly by Rep. Jason Chaffetz (R-UT) whether there was a threat that imported software, hardware, and software components had been tampered with and malware embedded within them, Greg Schaffer, the Department of Homeland Security’s acting deputy undersecretary for national protection and programs, very uncomfortably answered in the positive.
You can see the exchange starting at 51:40.
Outside experts have spoken about this threat for a long time, and government officials often speak of the potential threat (see this speech by DoD Deputy Secretary William Lynn III and testimony by former DHS Deputy Under Secretary Philip Reitinger), but you rarely, if ever, get a sitting official to explicitly state that, yes, "I am aware that there are instances where that happened." The hearing did not get very far in discussing solutions. When Rep. Chaffetz asked what the administration is doing to defend against these threats, Schaffer replied that this was one of the most complicated problems since lots of information technology is manufactured outside of the United States. Chaffetz said he knew that, and then moved on to another question about public-private partnerships.
Defending the supply chain was Initiative 11 of the Comprehensive National Cybersecurity Initiative and Schaffer mentioned the formation of task force cochaired by DoD and DHS to address the challenge. And as a CFR workshop on Cybersecurity, Foreign Policy, and Business noted, this is not just a problem for the United States. Confronted with a similar set of security challenges, policymakers in Russia, China, India, Brazil, and elsewhere are responding to the threat to supply chains with national laws that make multiple demands on technology firms dependent on location—they, for example, request to examine proprietary source code. The motivation for these demands is often opaque; policies can be driven by real security concerns, the desire to promote competing technology standards and strengthen domestic firms, or some combination of the two.
As Schaffer said, this is an extremely difficult problem to solve. More and more components are manufactured around the world, and these production networks are becoming increasingly complicated as they become more software- and service-based. Still, the workshop did identify 5 principles for how the U.S. government should address the challenge: 1) A global approach; 2) Global standards should underlie national approaches; 3) Government policy should be technology-neutral and outcome-oriented; 4) Beware the consequences of unilateral action; and 5) Pursue strategic alliances.
Go look at the report and tell me what you think.