Threat of destructive coding on foreign-manufactured technology is real

The federal government has identified technology components in the U.S. supply chain that have been embedded with security flaws, the top U.S. civilian cybersecurity official said Thursday.

Greg Schaffer, acting deputy undersecretary of the Homeland Security Department National Protection and Programs Directorate, confirmed the threat during a House Oversight and Government Reform Committee hearing on cybersecurity. At the time of a January federal report on the U.S.-China supply chain, conversations had been largely hypothetical about "backdoor" mechanisms, where outsiders insert faulty programming into foreign-manufactured devices to, for example, shut down systems remotely or leak information.

"These pieces are embedded in software and hardware and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz, R-Utah, chairman of the Subcommittee on National Security, Homeland Defense and Foreign Operations. "Are you aware of any software or hardware components that have been embedded with security risks?" he asked Schaffer.

At first, the DHS official hesitated to provide a yes or no answer, but after repeated questioning, he replied, "I am aware that there have been instances where that has happened."

The revelation follows many congressional hearings on the growing fear that nation states and rogue criminals are undermining the U.S. economy by hacking into proprietary data and other sensitive information. This spring, the White House released an international strategy and legislative proposal to bolster network security.

"To date, public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical," the January U.S.-China Economic and Security Review Commission staff report stated. It said "kill switches" could be installed in Pentagon systems to power down operations in response to remote commands. "The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security," the commission wrote.

The international cybersecurity strategy notes the federal government reserves the right to use military force in response to certain hostile acts in cyberspace. Lawmakers on Thursday asked witnesses to specify when a cyber incident would qualify as this type of hostile act.

James A. Baker, U.S. associate deputy attorney general, said the question is legally difficult to answer but "acts [in cyberspace] that would be equivalent . . . to kinetic attacks on the United States" would constitute an "act of war."

Even with a legal determination that war is under way, the U.S. military would still have to conduct "a fairly complicated forensic analysis" to identify an adversary, said Robert J. Butler, Defense deputy assistant secretary for cyber policy.

The White House legislative proposal would mandate that all agencies continuously monitor federal computer equipment and software with automated tools to spot threats faster. Current law requires agencies to fill out paperwork to confirm compliance with security safeguards only once a year.

Members on Thursday wanted to know the price tag for deploying real-time surveillance. Officials from Homeland Security, which is in charge of governmentwide cyber operations, could not provide a cost analysis but agreed to work with Congress on budgeting expenditures into legislation.

"We recognize that much of the work and effort and spending that is done today [for] compliance, check-the-box activities, can be repurposed . . . that allows us to actually buy down risk," Schaffer said. Over the long run, "the expense associated with all the work we do to chase the problems will be reduced . . . Building it in is much cheaper than bolting it on."
