 |
| Jennifer Bisceglie testifies for a Homeland Security Hearing Source: www.hsgac.senate.gov |
Jennifer Bisceglie testified for the Senate Homeland Security Committee hearing "Evolving Threats to the Homeland" on September 13, 2018. She specifically reviews supply chain risk management (SCRM) as it relates to information and communications technology (ICT), a security domain covered by her company Interos.
Her company recently supported the US China Economic and Security Review Commission with regards to their report on supply chain vulnerabilities from China "which outlines several recommendations, the most important being that the U.S. establish a “National Strategy for Supply Chain Risk Management (SCRM) in U.S. ICT” with supporting policies, so that the Nation’s security posture is forward-leaning vs reactive and based on incident response."
She organizes her written testimony to address six key areas related to the report and to the topic of the hearing. Here are a few of the topics she addresses:
1. A brief assessment of the emerging economic and national security risks from next generation connectivity and devices (particularly the IoT and 5G networks) for the U.S. with specific reference to the risks posed by other economies such as China, Russia and other sensitive countries. What additional risks, if any, does use of IT, standards, and/or equipment developed in sensitive countries pose to U.S. security? Are existing authorities and regulations adequate to address these challenges?
Software supply chain attacks will become easier – and more prevalent - as developing technologies such as fifth generation (5G) mobile network technology and the IoT exponentially increase the avenues for attack.1 [,,,] Relevant to the Report, increasing IoT installations will expand the attack surface of federal ICT networks while decreasing the time required to breach them, yet to date, the time required to detect breaches is not decreasing. The responsibility of both the public and private sector in improving their approach to risk awareness and management in the commercial technology supply chain cannot be overstated.
The information technology (IT) supply chain threat to U.S. national security stems from products produced, manufactured, or assembled by entities that are owned, directed, or subsidized by national governments or entities known to pose a potential supply chain or intelligence threat to the U.S., including China, North Korea, and Russia. These products could be modified to 1) perform below expectations or fail, 2) facilitate state or corporate espionage, or 3) otherwise compromise the confidentiality, integrity, or availability of a federal information technology system.
In the past, this concern was exemplified by counterfeit components entering the supply chain of U.S. defense systems, such as counterfeit integrated circuits from China discovered in the U.S. Navy’s P-8A Poseidon airplane, in a U.S. Air Force cargo plane, and in assemblies intended for Special Operations helicopters.4 In 2011, the Senate Armed Services Committee investigated 1,800 cases of counterfeit components which created vulnerabilities throughout the Department of Defense’s supply chain, and reported that 70 percent of all counterfeits come from China, and a majority of the remaining counterfeits could be traced back through the supply chain to China. In these cases, recycled, obsolete, or modified components passed off as genuine circuits had potential to perform below expectations or fail, threatening U.S. national security and the safety of U.S. service members.
Increasingly, the importance of an ICT component’s physical structure pales in comparison with the firmware and software operating within it. In 2016, researchers identified vulnerabilities that allowed hackers to surveil and manipulate users by hacking the embedded firmware of their computer monitors.5 In 2017, researchers uncovered vulnerabilities in printers manufactured by Hewlett-Packard, Dell, and Lexmark that allowed attackers to steal passwords, shut down printers, and even reroute print jobs.6 The mid-2017 CCleaner supply chain attack, in which hackers accessed the code development structure of Piriform in order to install malware into the company’s Windows utility product, typifies the types of threats federal ICT systems will continue to face. Over 2.2 million users downloaded CCleaner and unwittingly installed the hacker’s embedded malware at the same time. This malware compromised 40 international technology firms, 51 international banks, and at least 540 computers connected to various governments.7 Firms targeted by the hackers included many within the federal ICT ecosystem, including Cisco, Google (Gmail), Microsoft, Intel, Samsung, Sony, HTC, VMware, Vodafone, Epson, and Oracle
As information technology advances, and connectivity increases, these risks will multiply. Concepts such as the IoT, are but one avenue by which risk to federal IT systems will increase. The National Institute of Standards and Technology stated in Draft NISTIR 8200, released in February 2018, that “the adoption of IoT brings cybersecurity risks that pose a significant threat to the Nation.”9 Other aspects of supply chain risk depend on technologies that are not yet fully developed or deployed, such as 5G mobile network technology, which is expected to start deploying in 2020. The full deployment of 5G networks is expected to dramatically expand the number of connected devices, reduce network energy use, and decrease end-to-end round trip delay (latency10) to under one millisecond.11 5G is important for subsequent developments in virtual reality, artificial intelligence, and seamless integration of IoT.12,13 Faster connectivity supplied by 5G networks will enhance productivity, efficiency, and facilitate greater interconnectedness through the IoT. But these benefits come with increased cybersecurity risks.
[...]
7. What steps should the U.S. government and U.S. Congress take to address the emerging security and economic risks from technology sourced from outside of the U.S.?
As previously mentioned, the Federal ICT supply chain risks can be best managed by focusing on four (4) areas: 1) embracing an adaptive SCRM process, 2) promoting supply chain transparency, 3) centralizing federal ICT SCRM efforts, and 4) crafting forward-looking policies.
No comments:
Post a Comment