recommended reading

Malicious code in the IT supply chain threatens federal operations

Agencies that deal with national security data and programs must do more to secure their information technology supply chains, a government watchdog said Friday.

Federal agencies aren't required to track "the extent to which their telecommunications networks contain foreign-developed equipment, software or services," the Government Accountability Office report said, and they typically are aware only of the IT vendors nearest to them on the supply chain, not the numerous vendors downstream.

That has left IT systems at the Energy, Homeland Security and Justice departments more vulnerable to malicious or counterfeit software installed by other nations' intelligence agencies or by nonstate actors and hackers.

U.S. enemies could use that malicious software to secretly pull information from government systems, erase or alter information on those systems, or even take control of them remotely.

The Justice Department has identified measures to protect its supply chain but has not developed procedures to implement those measures, the report said. Energy and Homeland Security haven't identified measures to protect their supply chains at all, according to GAO.

The watchdog agency also examined the Defense Department, which it said had designed and effectively implemented a supply chain risk management program.

Defense has reduced its supply chain risk through a series of pilot programs and expects to have "full operational capability for supply chain risk management" by 2016, the report said. Those pilots focus both on assessing the risk posed by particular vendors' supply chains and on testing and evaluating the purchased systems for malicious components, GAO said.

The U.S. Computer Emergency Readiness Team inside DHS has found that about one-fourth of roughly 43,000 agency-reported security incidents during fiscal 2011 involved malicious code that could have been installed somewhere along the supply chain, GAO said.

Globally sourced IT hardware buys can prove embarrassing for agencies that deal with national security data even if there's no malicious or counterfeit technology inside the machines.

The Air Force Special Operations Command, for instance, canceled a planned iPad acquisition in February, two days after receiving a query from Nextgov about Russian-developed security and document reading software specified in the procurement documents.

Tracking the origins of federal technology has been complicated by the complex ownership structures of multinational IT suppliers, which sometimes are owned in one nation, source their IT in another nation and manufacture it in a third nation, GAO said.

The report recommended that Energy and Homeland Security officials develop and implement firm procedures to protect against supply chain threats. The watchdog recommended that all three departments develop monitoring procedures to ensure their supply chain management practices are effective. The departments largely agreed with GAO's assessments, the report said.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.