American-manufactured hardware and software purchased by the government and U.S. consumers have at times included components preloaded with spyware and malware by unknown foreign parties, a Homeland Security Department official reluctantly acknowledged during a July 7 hearing before the House Oversight and Government Reform Committee.
“This is one of the most complicated and difficult challenges that we have. The range of issues goes to the fact that there are foreign components in many U.S.-manufactured devices,” said Greg Schaffer, acting deputy undersecretary of DHS’s national protection programs directorate. Schaffer later added that the White House and DHS have known of the threat for some time.
“There is a task force that DoD and DHS co-chair to look at these issues with goals to identify short-term mitigation strategies and also to make sure that we have capability for maintaining U.S. manufacturing capability over the long term,” said Schaffer.
If the attention paid to cybersecurity supply chain risk management by the National Institute of Standards is any indication, the problem is likely not new, even though it is rarely asserted publicly. Some cybersecurity experts have cast doubt on the notion that the United States could adopt a protectionist, indigenously manufactured or indigenously coded acquisition policy, given a weak economic climate that could continue for several years.
During the hearing, lawmakers asked for the estimated cost of continuous monitoring, which may flag security vulnerabilities in the supply chain. Schaffer was unable to provide a figure but said he would work with others at DHS to determine a number for legislative purposes.
Much of what drives today’s IT expenses is “compliance, check-the-box activities,” said Schaffer. “Building [security] in is much cheaper than bolting it on.”
Editor’s Note: The 7-7-11 “Cybersecurity: Assessing the Nation’s Ability to Address the Growing Cyber Threat” hearing documents may be found here.