Some consumers who recently acquired netbooks received an unwanted surprise with their purchase.
It was discovered in May 2009 that a factory-sealed M&A Companion Touch netbook contained three pieces of malware, including a worm that tries to spread to USB devices and steal the online passwords of gamers. The nature of the malware seemed to indicate that it showed up on the computer purely by accident, according to security researchers from anti-virus company Kaspersky, who discovered the problem.
The incident is one of the most recent examples of a growing list of new devices that became infected with malware during the supply chain process. Over the past several years, there have been numerous examples of similar occurrences, says Hart Rossman (left), vice president and CTO for cyber programs at Science Applications International Corp. (SAIC), a provider of supply chain management solutions.
For example, in October 2006, TomTom shipped a batch of GPS devices that included malware. And in 2008, two brands of digital picture frames sold at Wal-Mart and Sam's Club also contained malware. The frames, produced by Insignia and Advanced Design System, were infected during the manufacturing process.
“You have to ask: Why does a brand new device show up at Best Buy, Costco or RadioShack already infected?” asks Marcus Sachs, director of the SANS Internet Storm Center.
The global chain
Much of the problem stems from the globalization of the technology market, experts say.
In the past, the United States was a dominant manufacturer of hardware and software and as a result, domestically produced technologies could be accompanied with at least some level of trust, Sachs says. Today, the supply chain is no longer isolated. Labor is cheaper overseas, so electronic device components are manufactured all over the world. A new PC likely contains parts from half a dozen or more countries. One weak link in the global supply chain could result in malware being intentionally or unintentionally installed on a widely deployed product.
Further, because software code is complex, it's easy to make mistakes and inadvertently introduce bugs. Most of the flawed manufactruring incidents that have occurred were the result of accidental errors in the production process. In the case of the M&A Companion Touch netbook, the malware was likely introduced when an infected USB drive was plugged into a computer at a manufacturing facility where technicians were installing drivers for the machine, the Kaspersky researchers said.
To ensure new products are free of malware, all hardware and software should be tested before deployment, experts say. Manoranjan (Mano) Paul (right), software assurance advisor at (ISC)2, a nonprofit information security education and certification organization, suggests organizations deploy all new products in a simulated environment before releasing them into production. Any detected network spikes or traffic can be indicative of a problem.
Being that the technology supply chain is now global also provides increased opportunities for those with malicious intent to harm the U.S. government or corporate America. A rogue actor could intentionally subvert the supply chain by installing backdoors that could later be used to access a system.
“A lot of this is conspiracy theory-type stuff, but we do know this happens,” Sachs (left) says.
This type of attack would likely be carried out for espionage, with the U.S. government and financial institutions being primary targets, says James Lewis, director of technology and public policy at the Center for Strategic International Studies (CSIS). A determined adversary could fairly easily insert hidden instructions or holes that could go undetected for years. It would simply take a few lines of malicious code or a tiny fraction of the entire code to be tweaked to have a malicious effect.
“It has happened,” Lewis says. “People at the Department of Defense say this isn't a hypothetical situation.”
Still, it is less costly as well as easier for adversaries to attack systems that are already operational, making traditional hacking much more common.
“It's easy to overstate this,” Lewis says. “People tend to get hysterical over what has, so far, been a minor threat.”
Others say that incidents of intentional supply chain sabotage should be expected in the future and the time to prepare for these types of attacks is now. Having the most advanced perimeter defenses won't do any good if a threat is introduced through the back door, says Sandor Boyson (right), research professor and co-director of the Supply Chain Management Center at the University of Maryland.
Two major government cybersecurity efforts have addressed the importance of supply chain cybersecurity. The Comprehensive National Cybersecurity Initiative (CNCI), a recently partially declassified program that began in 2008 under the Bush administration to help secure the United States in cyberspace, includes an initiative to develop an approach for global supply chain risk management. In addition, the Obama administration's Cybersecurity Policy Review, released in May 2009, says the government's approach to securing cyberspace must include initiatives for preventing, mitigating and responding to supply chain cyberthreats.
But, while the government has been working to shore up supply chain vulnerabilities for the past few years, it still hasn't come up with a good solution to the problem, says CSIS's Lewis, adding that the government has considered restricting some purchases to products composed of only domestically produced components. However, because of the high costs involved, this has only been pondered for the most sensitive technologies, such as nuclear command and control systems.
In contrast, the government commonly uses commercial, off-the-shelf technologies, which oftentimes depend on parts from overseas.
“The government has accepted the fact that it has to rely on the global supply chain,” says Kurt Seidling, program manager, global supply chain risk management at the Department of Homeland Security (DHS). “Just because something was manufactured in another country doesn't necessarily mean it has a security problem.” The DHS, he adds, is lately seeing an increased awareness of IT security supply chain risks.
But while awareness has ratcheted up, the threats are becoming more targeted, sophisticated and serious, Seidling says. Malicious supply chain activity can potentially compromise personal information or, in a worst-case scenario, threaten national security.
As part of the CNCI, the DHS has been working with the DoD, the National Institute of Standards and Technology (NIST) and private sector organizations to develop a set of best practices to mitigate and manage supply chain cyberrisks. The groups plan to release a cybersecurity supply chain standards document, which was tentatively scheduled to be published by the end of May (at press time it was not yet released).
“Our vision is to examine the supply chain, and manage and mitigate the risk in the global environment,” Seidling says.
Ultimately, the DHS hopes the standard continues to increase awareness for the threats and helps other agencies improve their cybersecurity supply chain posture, he says.
Meanwhile, within the private sector, several initiatives to secure the global supply chain against cybersecurity threats have cropped up in recent years.
The Software Assurance Forum for Excellence in Code (SAFECode), a nonprofit dedicated to software assurance whose members include Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP and Symantec, is one of the early movers in addressing this issue. SAFECode's supply chain efforts are focused on reducing opportunities for software to be compromised as it moves through the supply chain. The group represents the first industry-led effort that tackles this topic.
“The examples of this are very rare, but there is increasing concern among customers,” says Paul Kurtz (left), executive director of SAFECode and a partner at Good Harbor Consulting.
One of the challenges, he says, is that software supply chain security is still not well understood. For instance, most companies immediately associate supply chain security and risk management with business continuity issues. Fewer consider the possibility that a product could be compromised as it moves through the supply chain.
SAFECode last month released a paper outlining specific steps that software companies can take to minimize the risk that vulnerabilities could be inserted into products during supply chain processes.
Meanwhile, researchers at SAIC and the University of Maryland's Robert H. Smith School of Business recently undertook a research initiative to fuse the fields of cybersecurity and supply chain risk management to create a common language that describes the concept of a “cyber supply chain.”
According to a white paper the researchers published in June 2009, the cyber supply chain can be defined as “the mass of IT systems (hardware, software, and public, and classified networks) that, together, enable the uninterrupted operations of key government and industrial base actors, such as the Department of Defense, the Department of Homeland Security, and their major suppliers.” The cyber supply chain is comprised of system end-users, policymakers, acquisition specialists, system integrators, network providers, and software and hardware suppliers.
Today, cyber supply chains are “fragmented and stovepiped” with no widely accepted industry standard for enterprise cyber supply chain operations and practices, the paper states. An integrated cyber supply chain requires a process for securing and hardening systems and their components, as well as a process for securing all the actors – including customers, system integrators and suppliers – who use and maintain a system. The paper offers an initial assurance model, including a process-oriented approach to cyber supply chain security and presents best practices for all participants in the chain.
Researchers are hoping to have the model validated and to subsequently develop an assessment tool based on it. Ultimately, they hope the model will strengthen the nation's cyber products and services in support of national and economic interests.
“The SAIC study is an extremely valuable piece of work,” says SAFECode's Kurtz.
Ultimately, there is no way to go backward and reverse the globalization of the supply chain that has occurred, Sachs says. Like it or not, the supply chain will become even more dispersed. Going forward, the U.S. will continue to use hardware and software produced in other countries that might be our political adversaries, but are also our business partners.
“The biggest thing is awareness,” Sachs says. “Be aware of the problem, but don't get too hyper over it. It's an issue, but it's not a ‘sky is falling' kind of thing. It doesn't mean everything produced overseas has problems.”
Another supply chain risk which could affect information security professionals is counterfeiting. During the manufacturing process, individuals could steal code to remake the same product and sell it at a cheaper price, experts warn. These counterfeit goods often show up on online auction sites such as eBay.
For instance, a Saudi citizen residing in Texas was recently convicted of selling counterfeit Cisco computer parts purchased on eBay to the United States Marine Corps in Iraq. Ehab Ali Ashoor, 49, purchased the counterfeit products in an attempt to satisfy a contract he had with the Marine Corps to deliver genuine Cisco products. He was sentenced in early May to more than four years in prison.
Purchasing products from unknown vendors offering heavy discounts may open up an organization to risk since counterfeit hardware and software could contain malware, says Lorcan Sheehan, senior VP of marketing at Modus Link, a global supply chain management services provider. The best way to steer clear of counterfeits is to purchase products directly from manufacturers or from legitimate sales channels, he says. – Angela Moscaritolo
Photo: Computer consultant Jerry Askew poses with a digital photo frame in Granada Hills, Calif. Once connected to his computer, software on the frame tried to load four trojans into his system.