recommended reading

Threat of destructive coding on foreign-manufactured technology is real

The federal government has identified technology components in the U.S. supply chain that have been embedded with security flaws, the top U.S. civilian cybersecurity official said Thursday.

Greg Schaffer, acting deputy undersecretary of the Homeland Security Department National Protection and Programs Directorate, confirmed the threat during a House Oversight and Government Reform Committee hearing on cybersecurity. At the time of a January federal report on the U.S-China supply chain, conversations had been largely hypothetical about "backdoor" mechanisms, where outsiders insert faulty programming into foreign-manufactured devices to, for example, shut down systems remotely or leak information.

"These pieces are embedded in software and hardware and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz, R-Utah, chairman of the Subcommittee on National Security, Homeland Defense and Foreign Operations. "Are you aware of any software or hardware components that have been embedded with security risks?" he asked Schaffer.

At first, the DHS official hesitated to provide a yes or no answer, but after repeated questioning, he replied, "I am aware that there have been instances where that has happened."

The revelation follows many congressional hearings on the growing fear that nation states and rogue criminals are undermining the U.S. economy by hacking into proprietary data and other sensitive information. This spring, the White House released an international strategy and legislative proposal to bolster network security.

"To date, public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical," the January U.S.-China Economic and Security Review Commission staff report stated. It said "kill switches" could be installed in Pentagon systems to power down operations in response to remote commands. "The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security," the commission wrote.

The international cybersecurity strategy notes the federal government reserves the right to use military force in response to certain hostile acts in cyberspace. Lawmakers on Thursday asked witnesses to specify when a cyber incident would qualify as this type of hostile act.

James A. Baker, U.S. associate deputy attorney general, said the question is legally difficult to answer but "acts [in cyberspace] that would be equivalent . . . to kinetic attacks on the Unites States" would constitute an "act of war."

Even with a legal determination that war is under way, the U.S. military would still have to conduct "a fairly complicated forensic analysis" to identify an adversary, said Robert J. Butler, Defense deputy assistance secretary for cyber policy.

The White House legislative proposal would mandate that all agencies continuously monitor federal computer equipment and software with automated tools to spot threats faster. Current law requires agencies to fill out paperwork to confirm compliance with security safeguards only once a year.

Members on Thursday wanted to know the price tag for deploying real-time surveillance. Officials from Homeland Security, which is in charge of governmentwide cyber operations, could not provide a cost analysis but agreed to work with Congress on budgeting expenditures into legislation.

"We recognize that much of the work and effort and spending that is done today [for] compliance, check-the-box activities, can be repurposed . . . that allows us to actually buy down risk," Schaffer said. Over the long run, "the expense associated with all the work we do to chase the problems will be reduced . . . Building it in is much cheaper that bolting it on."

Threatwatch Alert

Network intrusion / Spear-phishing

Researchers: Bank-Targeting Malware Sales Rise in Dark Web Markets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.