By some estimates, 1 in 10 technology products or systems have counterfeit parts in them. There is no estimate for how many software programs have malicious codes embedded.
The examples of well-known and global vendors suffering holes in their supply chain and passing those problems to the government are growing. Take a recent federal law enforcement sting, called Operation Raider. Officials stopped a ring of counterfeit parts destined for the military supply chain that would have been used to track troop movements and maintain security for bases in Iraq.
Dell sells thousands of servers to the government, but it found one of its suppliers pre-installed malware on the motherboards in the machines. Dell ended up making 16 changes to its supply chain to protect its customers.
And these are just two examples. The Senate Armed Services released a report last month that showed over a two-year investigation more than 1,800 instances of parts that were likely counterfeit in the Defense Department’s supply chain.
The increase of counterfeit technology products and software infected with harmful code has attracted the full attention of the government and its vendors.
But the problem is growing at such a fast rate that federal policy and laws aren’t changing quickly enough to mitigate the risk to mission critical systems, whether they are Air Force planes or the basic routers that every agency uses to help Internet traffic flow more smoothly.
“One of the key things to remember here is that cyber supply chain risk management, the viewing of an end-to-end IT system as a supply chain with multiple actors is a very new phenomena,” said Sandy Boyson, a professor at the University of Maryland and director of its supply chain management center, in an interview with Federal News Radio as part of its week long multimedia special report, Inside the World’s Biggest Buyer.
Boyson led a study with the National Institute of Standards and Technology on how agencies and vendors can better secure their supply chains.
“Only 20 percent of the chips currently used in the U.S. are actually made in the United States,” he said. “We’ve witnessed a very dramatic globalization of the information and communications technology supply chain in the last five or so years. This has created quite a challenge not only for the federal government to get a handle on, but also for industry to get a handle on.”
Keeping pace with attacks is tough
Both the executive branch and Congress are trying to stem the tide of counterfeit products and malicious code in software through legislation and policy.
Sen. Carl Levin (D-Mich.) authored a provision in the fiscal 2012 Defense Authorization requiring DoD to take specific steps to secure its supply chain. Levin, the chairman of the Armed Services Committee, said the investigation that led to the recent report shows counterfeit parts putting the nation’s security in jeopardy. The report stated 70 percent of all counterfeit parts reviewed during the investigation came from China. Frank Kendall, the under secretary of Defense for Acquisition, Technology and Logistics, issued a memo in March to implement the Defense Authorization bill’s provisions.
The guidance highlights 10 steps the military must take to improve the security of their supply chain.
A DoD spokeswoman said in emailed responses to questions that the memo highlights “a risk-based approach to both stopping counterfeits and malicious code.”
When it comes to counterfeits, the Pentagon must have confidence in the origin and integrity of system functions. If these systems fail, it would affect service members’ safety or the military’s mission success, the spokeswoman said.
When it comes to malware, the spokeswoman said, “Our risk management options here must include intelligence, engineering and procurement options. Still, there are some actions that address both counterfeit and malicious insertion concerns, such as increasing the transparency and control of the supply chain for mission- critical components.”
Congress is getting more aggressive in its desire to root out supply chain vulnerabilities.
Reps. Frank Wolf (R-Va.) and Sue Myrick (R-N.C.) introduced a provision in the 2013 Intelligence Authorization bill to take the protection of the IT supply chain once step further.
The bill would require the Office of the Director of National Intelligence to identify foreign suppliers of IT that are linked directly or indirectly to foreign governments. ODNI also would assess the vulnerability of and the malicious activity on the U.S.’s telecommunications networks because of products potentially provided by these foreign companies.
Victoria Espinel, the Intellectual Property Enforcement Coordinator in the White House, said the administration has actively pushed for better enforcement and protection against these cyber threats across all supply chains.
Espinel’s office leads an interagency working group made up of 14 agencies, including DoD, NASA and the White House’s National Security staff, to develop an anti-counterfeiting framework.
“It would be flexible enough to accommodate all the agencies, but will address some of the concerns that we’ve had about counterfeits coming in,” she said. “The focus of that group is to really look at all the tools we have. We think we need better ones. We think we need to make changes. We will look at legislative change, regulatory change and to look at changes in our procurement policy, and make sure we have all the tools we need in order to minimize the risks to the security of the U.S. supply chain wherever we can.” Espinel said the working group’s recommendations are “fairly far along,” and could be completed and sent to the President in the coming months.
Some sources say President Obama may issue an executive order to implement the recommendations. Espinel would not comment on the likelihood of an executive order because the recommendations are not final.
But sources also say Kendall’s memo is a precursor to what the rest of the government will have to do. DoD is requiring 10 steps the services and agencies must take to better protect the supply chain.
“The governmentwide recommendations are not final, but I can tell you that the requirements for DoD and the memo that came out of DoD are very much in line with the strategy that we’ve been developing and that in part reflects that DoD has been at the forefront of the working group,” Espinel said. “We have been working with them very closely. So accordingly, several of the concepts that are described in the March DoD memo come out of the overall working group’s efforts.”
Among the steps Kendall is asking DoD agencies and services to take to better secure the supply chain are to require:
The use of contracting clauses to ensure the supply of authentic products.
Contractors and subcontractors to notify DoD program managers when they are not buying from the original manufacturer or authorized distributor.
Prompt reporting of counterfeit items in the DoD central reporting repository, the Government-Industry Data Exchange Program (GIDEP).
But concerns over the steps DoD, the White House and Congress are taking are growing among vendors.
Trey Hodgkins, senior vice president for National Security and Procurement Policy at TechAmerica, an industry association, said contractors would like to see more discussion from the White House and the working group.
“Industry doesn’t really have significant insight into the specifics or intelligence the government has about risks in the supply chain,” he said. “It’s been very difficult for companies to try and assess their own supply chains and weed things out that are already known. And then the processes and practices the government is developing and putting together to try to address this and be more effective at managing their supply chain, they have largely been done, from the company’s perspective, without industry input. We are concerned about some of the things we’ve heard and some of the things we’ve seen could be unexecutable.”
Hodgkins said the administration only has had minimal discussions about the recommendations the workforce is developing.
In fact, should the requirements be so difficult to meet, Hodgkins said, companies may choose to drop out of the federal market instead of meeting the supply chain rules.
“Commercial companies will look at this and assess this in the context of a global business model and want to understand what does the U.S. government imposing a supply chain requirement mean when I need to sell in 40 other companies,” he said. “Will other countries perceive those things as retaliations and require me to do something unique for their country too? They have a global perspective. There is a significant balancing act in this and we are still working through it.”
But Espinel said her office and the working groups understand industry’s concerns and that the recommendations will impact contractors in a big way.
“I think it’s absolutely the case the private sector has a critical role to play here. That’s undeniable and extremely important and that is why as we have been working on these recommendations we have been working quite closely with the private sector, including significant contractors, but also smaller businesses as well,” Espinel said. “I’m very confident that we’re going to be able to come up with an approach that gives us the tools that we need because clearly there is more that we need in our arsenal in order to attack this while not unduly burdening the private sector.”
Bridging the gap between government, industry
NIST is trying to bridge these potential gaps between the government and industry. NIST recently released a second draft of a supply chain risk management framework.
Jon Boyens, an IT specialist in the computer security division at NIST, said this second draft is less prescriptive than the first one.
“We boiled down the 21 practices that were more perspective in telling the different roles how to do something, and raised them up a level to a more general approach to be more descriptive and less prescriptive, essentially what to do and not how to do it,” Boyens said.
Boyens said one key practice is to map the supply chain through its organizations, processes and elements.
“Every part of the supply chain where there is an entity that touches it or makes it to the elements or sub-elements is historically bona fide or put down in history so that you have the providence so you know where in the supply chain everything is done,” he said.
Boyens said there is a lot of interest from agencies on the risk management framework. He said NIST would like to test out the some aspects of the guidance through a pilot program with an agency. NIST is looking for agency volunteers. The final guidance should be out in the next year.
“We stress in the document that agencies need help from industry partners to mitigate risks and is cost effective with the intent to enable the agencies to better manager supply chain risk that is commiserate to their system’s cruciality,” Boyens said. “We tell agencies to use the practices and provide us feedback on what’s feasible, on what’s cost effective and on what doesn’t work.”