Recently, Microsoft’s Digital Crimes Unit discovered the botnet Nitol – Chinese malware embedded in more than 4,000 computers purchased by consumers from U.S. retailers.[i] The malware equipped hackers with the ability to remotely turn on the machines; record users by hacking microphones and webcams; and log all keystrokes, including passwords and banking information. This breach shows us just how vulnerable our supply chains really are. The ease by which cyber thieves are attacking trusted U.S. providers is sobering.
As federal agencies are placed under increasing pressure to outsource services to cloud and other IT service providers, security leaders must seriously evaluate the potential risk of faulty technology being introduced into providers’ supply chains. In a market with complex global networks, providers who manage and store government data may acquire technology or partner with firms overseas to build the physical infrastructure necessary to deliver cloud services. This dependence on foreign technology companies increases the likelihood of malicious intrusion and may jeopardize network security.
Such a shift necessitates the creation of more thorough due diligence practices to assess the potential risk exposure of all contributing parties, and to ensure complete transparency by providers.
Last January, the Director of National Intelligence stated that vulnerabilities associated with IT supply chain networks are among the most significant cyber security threats we face. The damning conclusions of Congress’ recent investigation into Chinese technology companies Huawei and ZTE further underscore the gravity of this threat and the importance of demanding provider transparency as a preventative measure.[ii] The U.S. still lacks an effective system to track the origins of equipment, software, or services within telecommunications networks. Government acquirers are often only aware of participants with whom they have direct contact.[iii]
As a result, supply chains can exist as figurative black boxes, with the identity of each product or service provider opaque to others in the chain. Corporate arrangements further complicate these relations, since a parent company may have multiple subsidiaries conducting business under different names in various countries. The result is a tangled web of firms that span the globe.
The multitude of sources of potential security risk should compel federal cloud customers to exercise caution when assessing risks to the supply chain as an integral part of the procurement process. Today, government practices in these areas are at best nascent.
As evidenced by the Government Accountability Office (GAO) in March 2012 in a review of the supply chain practices of national security-related departments, major flaws and slow regulatory proceedings continue to leave large gaps in IT security.[iv] While the U.S. Department of Defense agreed with all recommendations released, its networks will remain vulnerable until at least 2016, when the department plans to fully implement a program to detect and assess supply chain security threats.
For its part, the U.S. Department of Energy argues outright that in the face of the depth and interdependencies of existing supply chains, the cost of implementing true due diligence would outweigh the benefits.[v]
Though cost is a major concern, it should not negate the importance of maintaining Federal IT supply chain security. It may even call for the development of new, more dynamic means of surveillance as a cost-effective alternative to current practices. The acquisition process should shape the development of a comprehensive risk assessment and set the conditions for provider transparency. Contracts should ask providers to identify all active suppliers and secondary partners to enable government to assess potential areas of risk exposure. Further, access privileges to government information should be carefully defined by contract and subsequently monitored. Lastly, continuous monitoring should be used to identify, evaluate, and respond to network intrusions as they occur.
By prioritizing processes of provider assurance and demanding transparency of all direct and indirect contributors without exception, federal acquirers will gain confidence in the provider’s ability to deliver secure, resilient networks. Such an initiative will improve national security on a large scale by better protecting sensitive government information stored in a cloud environment.
In a generation where a single networked printer can be exploited as an origin of intrusion, total system security can never be assured, only improved. Though the government may currently characterize the development and execution of new supply risk controls as financially unreasonable, it is critical to recognize the implications of maintaining current supply chain practices. Ultimately, a lack of attention to sound due diligence measures in the cloud could end up costing the nation much more.