When the IT Supply Chain is Compromised “Inside the Wire”

Samantha F. Ravich
10th October 2017 - Quoted by Kevin D. Freeman - Global Economic Warfare

The term “inside the wire” generally suggests a zone of safety. Going outside the wire suggests being at risk. But what happens when the enemy gets inside the wire? Extreme threat.

Our society has become increasingly dependent on electronics and information technology (IT). With that dependence, we recognize that there are numerous external vulnerabilities. Hackers, for example, can break into Equifax and steal our personal information. The North Koreans can break into South Korea’s defense establishment and steal war plans. Not a week goes by without some sort of massive hack being discussed prominently. In response, we have turned to a cadre of technical advisors and security experts. We add the latest and greatest software. We employ strict measures of protection.

So what happens when our trusted sources for security are themselves compromised? This is the same as allowing an enemy to get inside the wire. It is an extreme threat. This was noted by Samantha Ravich from the Foundation for the Defense of Democracies and Michael Hsieh at the Council on Foreign Relations in The Cipher Brief:

Expelling Digital Demons from U.S. Sensitive Supply Chains

August 16, 2017

The open manner with which U.S. national security enterprises bid for goods and services can be exploited by U.S. adversaries seeking to inject counterfeit or malicious components into sensitive electronic hardware. The unprecedented challenge of policing the vast and complex supply chains for such hardware will require radical innovation in technology and governance to ensure that the rules-based system of international trade that the U.S. has long championed is not degraded into a chaotic arena of unrestricted economic warfare.

It is beyond dispute that the supply chains for the electronic hardware used by U.S. armed forces are under attack. Security researchers have documented multiple cases of sophisticated, malicious functionality being surreptitiously introduced into such hardware, potentially allowing an adversary, in times of crisis, to turn our own devices against us. But even if this worst-case scenario fails to materialize, the uncertainty in both the reliability of the U.S. warfighting arsenal and the civil infrastructure upon which the U.S. national security industrial base relies imposes a cost in its own right.

In 2011, it was reported that, “1,700 supposedly-new memory parts from an ‘unauthorized distributor’ showed signs of previous use, prompting the Missile Defense Agency to have to call for almost 800 parts to be stripped from the assembled hardware.” Then-head of the Missile Defense Agency, Lieutenant General Patrick O’Reilly, testified before the Senate that, “We do not want a $12 million THAAD [Terminal High Altitude Area Defense] interceptor to be destroyed by a $2 part.”

These supply chain attacks are seen as a particular kind of cyber-enabled economic warfare. U.S. national security leadership is confronted with the problem of blunting the aggression of foreign powers who have perverted the peaceful bonds of international trade into channels of espionage and sabotage, while preserving as much as possible the open nature of global trade on which U.S. economic prosperity depends. In lieu of seeking promises of better behavior from adversaries, which are hard to verify, or erecting import restrictions that can trigger a cascade of mutual retaliation, we endorse a mix of technology and governance innovation based on detection and deterrence.

The complexity and scale of the transactions that comprise U.S. sensitive supply chains create a kind of informational fog in which adversaries can hide . . .

We have been warning about this for quite some time. Just recently, however, have our warnings come to life in frightening ways. Rather than go into details, I’ll offer a few links and brief explanations regarding recent headlines. You will get the idea.

...
