IT supply chain security weak at major US agencies, says GAO

Lawmakers call on agencies to focus more on possible vulnerabilities embedded into IT products

U.S. lawmakers called on three large U.S. government agencies, including the Department of Energy, to start monitoring their IT purchases for possible malware, counterfeits or other security flaws, after a watchdog agency pointed out potential vulnerabilities in their IT supply-chain procedures.

The three agencies, also including the U.S. Department of Justice and Department of Homeland Security, do not have plans in place to identify possible embedded threats in IT products or monitor commercial IT products for embedded threats, said the U.S. Government Accountability Office, in a report released Tuesday.

With agencies buying hardware pieced together from components made all over the world, they need to check their purchases for vulnerabilities that could slip in at any point in the manufacturing and shipping process, Gregory Wilshusen, GAO's director of information security issues, told lawmakers.

"The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems," he told the U.S. House of Representatives Energy and Commerce Committee's oversight subcommittee.

Of four national security-related agencies the GAO studies, only the Department of Defense has made significant progress toward identifying IT supply chain risks, despite an August 2009 standard on IT supply chain security published by the National Institute of Standards and Technology, the GAO said.

The GAO report prompted lawmakers to push Department of Energy CISO Gil Vega to develop an IT supply chain security plan. The DOE, which oversees the nation's nuclear energy stockpile, began to address the concerns in the GAO report this month, when it first heard of them, Vega told the subcommittee.

"When will the Department of Energy finish its process of giving guidance to your suppliers to promote their supply chain's integrity?" said Representative Cliff Stearns, a Florida Republican. "When is that date going to be?"

A date is "hard to predict," said Vega, who has been the agency's CISO for just eight months. Vega said he's not aware of any cyberattacks at the DOE that resulted from supply chain vulnerabilities.

Supply chain risks are real, Stearns said. Based on the DOE's nuclear mission, "I think you should have been ahead of the curve, instead of, just in the last two weeks, giving guidance to your suppliers," he said.

But four of the five witnesses at Tuesday's hearing, including Wilshusen, said vulnerabilities in the IT supply chain were not the most pressing cybersecurity concern for most federal agencies. Cyberattacks from outside groups or involving insiders are a bigger problem for agencies, said Dave Lounsbury, CTO at the Open Group, an IT standards consortium working on supply chain security.

Still, agencies need to address supply chain security, added Larry Castro, managing director of the Chertoff Group, a security consultancy. Castro pointed to China and Russia as countries that have the expertise to compromise the IT supply chain.

However, the GAO report suggested that merely looking at the country of origin of a piece of software or hardware may not be a good way to track possible supply-chain problems. U.S. intelligence agencies "offered the view that determining if a relationship exists between a supplier company and a foreign military or intelligence service is a more reliable indicator of a potential security risk than whether a product was manufactured or provisioned outside the United States," Casto said.

The U.S. government should investigate links between foreign IT suppliers and military and intelligence services in their countries, Castro recommended.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?