When is a Firewall not a Firewall?: Insecurity in the Technology Product Supply Chain
I would like you to stop reading this article, just for a moment, and take a brief glimpse at your mobile phone. No doubt, there is a major vendor name on the outside of the case: Apple, Samsung, LG, or another trusted global technology manufacturer. However, if you were to open up the case and look at the components, you would find a global menagerie of technology provider names. Some of them might be household names – Intel, or Motorola for example. Others may be less well known, but each component in your phone is likely from a different manufacturer. From the speaker, to the microphone, to the camera, to Bluetooth and WiFi networking components, your mobile phone – just like every other technology product you or your company own – is sourced and assembled from components developed by a worldwide consortium of technology manufacturers.
Global sourcing of technology components is a wonderful thing. It allows manufacturers to quickly develop prototypes using off-the-shelf components, and allows them to scale production quantities in lockstep with consumer demand. As importantly, it keeps costs low by allowing manufacturers to source individual components from different suppliers, and these costs are often passed on to the consumer in the form of a lower-priced product. There’s no question that, without global component-level sourcing, technology vendors – regardless of whether they make mobile phones, firewalls, network switches or servers – would not be able to deliver the products they do at an affordable price. But there’s a downside to global sourcing: the possibility that the integrity of components can be compromised for malicious purposes. The fact is, many globally-sourced components come from nations that, politically speaking, may not be aligned with the interests of the nations where the consumers of their products (be those individuals, or corporations) reside. While we don’t like to believe that a rogue nation-state would force a manufacturer to engineer “back doors” into their products, the reality is that this is not entirely without precedent. The potential for damage can be extreme.
"Quality must and needs to be an integral part of SCM supplier evaluation and qualification to achieve life cycle cost avoidance"
So what could this problem look like? Imagine that a Fortune 500 company is soliciting bids for new enterprise firewalls. They have evaluated several brand-name vendors and product models, and have settled on a specific product. The company sends out an open request for proposal (RFP) to get pricing and terms from resellers. One reseller comes in about five percent below everyone else on price. Since every reseller is selling the exact same product – right? – procurement awards the bid to that reseller. What the company doesn’t realize is that their chosen reseller is not an officially authorized reseller for the product they’re acquiring. Moreover, the products themselves are counterfeit; the reseller has used an offshore company to clone the product, right down to the logo. They’ve also opted to modify the product’s source code to forward proprietary data from customers, including routing tables and host information, to a server they own in the public cloud, where they’ll sell this information to foreign nations to get some additional revenue on the side. As an additional issue, the changes they made to the firewall code (which was stolen from the manufacturer) have introduced instability into the product, which now causes the customer’s IT operations and security personnel tremendous grief as performance issues and dropped packets start to surface once the products are installed and running in the customer’s environment.
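The scenario above has one observable symptom a defender can look for: the appliance’s management plane talking to an external host that the vendor never uses. The following is an added example, not code from the article or from any firewall vendor, that flags such egress over constructed flow records; the management IP, the vendor allowlist range and the cloud destination are placeholders drawn from documentation address blocks.

```python
# Added example (not from the article): flag management-plane egress from a firewall
# appliance to any external destination that is neither internal nor on the vendor's
# known allowlist (update, licensing, telemetry endpoints). All addresses are
# placeholders from RFC 5737 documentation ranges, not real vendor infrastructure.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # source address of the connection
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


MGMT_IP = "10.0.0.1"                                  # the appliance's management address (assumed)
VENDOR_ALLOWLIST = [ip_network("203.0.113.0/24")]     # placeholder for the vendor's update/licensing range
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample flows: two benign, one matching the exfiltration pattern in the
# scenario, and one from a workstation that this check deliberately ignores.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "203.0.113.10", 443, 4_096),          # vendor update check: expected
    Flow("10.0.0.1", "10.0.5.20", 514, 900),               # syslog to an internal collector: expected
    Flow("10.0.0.1", "198.51.100.77", 443, 1_250_000),     # management plane -> unknown cloud host: suspect
    Flow("10.0.7.33", "198.51.100.77", 443, 300),          # a workstation, not the appliance: out of scope
]


def is_known_destination(dst: str, allowlist=VENDOR_ALLOWLIST) -> bool:
    """True if dst is an internal address or inside a vendor-allowlisted range."""
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL) or any(addr in net for net in allowlist)


def suspicious_egress(flows, mgmt_ip: str = MGMT_IP, allowlist=VENDOR_ALLOWLIST):
    """Return flows where the appliance's management IP sends data to an unknown external host."""
    return [f for f in flows if f.src == mgmt_ip and not is_known_destination(f.dst, allowlist)]


if __name__ == "__main__":
    for f in suspicious_egress(SAMPLE_FLOWS):
        print(f"ALERT: management plane {f.src} -> {f.dst}:{f.dport} sent {f.bytes_out} bytes")
```

In practice the allowlist comes from the vendor’s published endpoint list, and the same check is worth running on a new appliance in a lab before it is placed in production.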
A lot of people think that threats to the technology supply chain are overblown. Theresa Payton, former CIO at the White House and founder of Fortalice Solutions, a security consulting firm, is not one of them. She believes this problem is one of the most critical security risks facing the industry today. I asked her about the potential impact of compromised components on technologies used within the corporate world as well as the federal government. Her response was direct: “Whether you’re talking about a single component that is injected with malware or spyware, or a completely counterfeit piece of technology, the potential impact is massive. Technology products with compromised components are more likely to have access inside the firewall, where malicious embedded code on these devices can be used for a range of tactics ranging from collecting information to relay to outside sources, to providing backdoors into the network. The threat is real, it’s pervasive and it can affect both security and performance.”
Despite all the doom-and-gloom you may be experiencing from this article, there are some solutions to the problem for component manufacturers, technology vendors and both corporate and federal technology buyers of complex technology products. For component manufacturers whose products are sourced by OEMs and other vendors, delivering consistent components that are free from both defects and security threats such as unwanted embedded code is critical. Quality standards such as ISO 9001 can be an effective starting point, since they are designed to enforce transparency and consistency across operations. For vendors, managing their global supply chain to ensure the security of their technology products can also be achieved through implementation of standards. Similar to ISO’s quality standard, another standard, ISO 28000, is designed to help manufacturing organizations establish effective security management, with a focus on supply chain security that includes properly evaluating, selecting, tracking and auditing their supply chain partners and the components they supply. Additionally, vendors can work with accreditation programs such as the Open Group’s Open Trusted Technology Provider Standard (O-TTPS) to communicate their compliance with supply chain integrity efforts.
For technology buyers, the stakes are highest; they are the organizations that will suffer the most in the event that their products are tainted or counterfeit. Accreditation programs such as the Open Group’s O-TTPS are a good place to start for buyers, since these organizations have already done the “heavy lifting” of supply chain integrity validation for accredited vendors. In some cases, of course, buyers may encounter a need to acquire a technology for which only one or two vendors exist, none of which are accredited for their supply chain integrity. In these cases, buyers’ corporate legal counsel should be involved to develop vetting criteria and questions that these vendors can answer, and potentially to conduct an audit of supply chain sourcing. Additionally, relying only on authorized resellers who are specifically identified by manufacturers is an effective way to minimize the risk of “man in the middle” threats to the technology supply chain.
Regardless of who you are – a component manufacturer, a product vendor, a corporate or government buyer, or an individual consumer – the threat of an insecure global technology supply chain affects you. Never has the term “caveat emptor” (“buyer beware”) been more significant for those who manufacture or buy technology.