Threat of destructive coding on foreign-manufactured technology is real

The federal government has identified technology components in the U.S. supply chain that have been embedded with security flaws, the top U.S. civilian cybersecurity official said Thursday.

Greg Schaffer, acting deputy undersecretary of the Homeland Security Department National Protection and Programs Directorate, confirmed the threat during a House Oversight and Government Reform Committee hearing on cybersecurity. At the time of a January federal report on the U.S.-China supply chain, conversations had been largely hypothetical about "backdoor" mechanisms, where outsiders insert faulty programming into foreign-manufactured devices to, for example, shut down systems remotely or leak information.

"These pieces are embedded in software and hardware and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz, R-Utah, chairman of the Subcommittee on National Security, Homeland Defense and Foreign Operations. "Are you aware of any software or hardware components that have been embedded with security risks?" he asked Schaffer.

At first, the DHS official hesitated to provide a yes or no answer, but after repeated questioning, he replied, "I am aware that there have been instances where that has happened."

The revelation follows many congressional hearings on the growing fear that nation states and rogue criminals are undermining the U.S. economy by hacking into proprietary data and other sensitive information. This spring, the White House released an international strategy and legislative proposal to bolster network security.

"To date, public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical," the January U.S.-China Economic and Security Review Commission staff report stated. It said "kill switches" could be installed in Pentagon systems to power down operations in response to remote commands. "The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security," the commission wrote.

The international cybersecurity strategy notes the federal government reserves the right to use military force in response to certain hostile acts in cyberspace. Lawmakers on Thursday asked witnesses to specify when a cyber incident would qualify as this type of hostile act.

James A. Baker, U.S. associate deputy attorney general, said the question is legally difficult to answer but "acts [in cyberspace] that would be equivalent . . . to kinetic attacks on the United States" would constitute an "act of war."

Even with a legal determination that war is under way, the U.S. military would still have to conduct "a fairly complicated forensic analysis" to identify an adversary, said Robert J. Butler, Defense deputy assistant secretary for cyber policy.

The White House legislative proposal would mandate that all agencies continuously monitor federal computer equipment and software with automated tools to spot threats faster. Current law requires agencies to fill out paperwork to confirm compliance with security safeguards only once a year.

Members on Thursday wanted to know the price tag for deploying real-time surveillance. Officials from Homeland Security, which is in charge of governmentwide cyber operations, could not provide a cost analysis but agreed to work with Congress on budgeting expenditures into legislation.

"We recognize that much of the work and effort and spending that is done today [for] compliance, check-the-box activities, can be repurposed . . . that allows us to actually buy down risk," Schaffer said. Over the long run, "the expense associated with all the work we do to chase the problems will be reduced . . . Building it in is much cheaper than bolting it on."
