The federal government has identified technology components in the U.S. supply chain that have been embedded with security flaws, the top U.S. civilian cybersecurity official said Thursday.
Greg Schaffer, acting deputy undersecretary of the Homeland Security Department National Protection and Programs Directorate, confirmed the threat during a House Oversight and Government Reform Committee hearing on cybersecurity. At the time of a January federal report on the U.S.-China supply chain, conversations had been largely hypothetical about "backdoor" mechanisms, where outsiders insert faulty programming into foreign-manufactured devices to, for example, shut down systems remotely or leak information.
"These pieces are embedded in software and hardware and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz, R-Utah, chairman of the Subcommittee on National Security, Homeland Defense and Foreign Operations. "Are you aware of any software or hardware components that have been embedded with security risks?" he asked Schaffer.
At first, the DHS official hesitated to provide a yes or no answer, but after repeated questioning, he replied, "I am aware that there have been instances where that has happened."
The revelation follows many congressional hearings on the growing fear that nation states and rogue criminals are undermining the U.S. economy by hacking into proprietary data and other sensitive information. This spring, the White House released an international strategy and legislative proposal to bolster network security.
"To date, public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical," the January U.S.-China Economic and Security Review Commission staff report stated. It said "kill switches" could be installed in Pentagon systems to power down operations in response to remote commands. "The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security," the commission wrote.
The international cybersecurity strategy notes the federal government reserves the right to use military force in response to certain hostile acts in cyberspace. Lawmakers on Thursday asked witnesses to specify when a cyber incident would qualify as this type of hostile act.
James A. Baker, U.S. associate deputy attorney general, said the question is legally difficult to answer but "acts [in cyberspace] that would be equivalent . . . to kinetic attacks on the United States" would constitute an "act of war."
Even with a legal determination that war is under way, the U.S. military would still have to conduct "a fairly complicated forensic analysis" to identify an adversary, said Robert J. Butler, Defense deputy assistant secretary for cyber policy.
The White House legislative proposal would mandate that all agencies continuously monitor federal computer equipment and software with automated tools to spot threats faster. Current law requires agencies to fill out paperwork to confirm compliance with security safeguards only once a year.
Members on Thursday wanted to know the price tag for deploying real-time surveillance. Officials from Homeland Security, which is in charge of governmentwide cyber operations, could not provide a cost analysis but agreed to work with Congress on budgeting expenditures into legislation.
"We recognize that much of the work and effort and spending that is done today [for] compliance, check-the-box activities, can be repurposed . . . that allows us to actually buy down risk," Schaffer said. Over the long run, "the expense associated with all the work we do to chase the problems will be reduced . . . Building it in is much cheaper than bolting it on."