Supply Chain Security: What It Means on a Global Level

Posted on by John Linkous

Take a good, long look at your smartphone. While there is a big vendor name on the outside, if you were to open up its case, you would find several other vendor labels on various components: capacitive touchscreens; video and audio ASICs; Bluetooth and WiFi hardware; and individual capacitors, resistors, and other electronics gear building blocks, to name just a few, all of which are manufactured by different suppliers and their subcontractors. While your phone may have been assembled in one country—China, Mexico, or possibly even the United States—it was built from components sourced from around the globe ... and those vendors may be targets for hackers seeking to insert compromised hardware and code into your device due, in part, to a lack of supply chain security.

The reality is that every complex electronic device that individuals or organizations own is sourced from components around the globe. Even a product assembled in the US contains components that were made in China, Malaysia, Mexico, Canada, and many other countries—some of which are politically friendly to the US, others of which may be more antagonistic. With free trade agreements that continually reduce the level of scrutiny for goods crossing international borders, the possibility of compromised components rapidly becomes a strong likelihood.

Of course, this problem isn't limited to smartphones, nor are they even the place where the most damage can be done. Imagine an organization soliciting bids for brand-name enterprise firewalls. Multiple vendors respond, including one who comes in about 5 percent below everyone else. Since every vendor is selling the exact same product (right?), procurement naturally awards the bid to that vendor. What the procurement team doesn't know is that the reseller is not authorized to sell the brand-name OEM (despite saying they are), and they've used an offshore facility to build knockoff clones of the real thing, down to the device's color and logo. Even more frightening, they've modified the firewall code to forward some information—say, static routing tables and host information—to a server in Malaysia, where they can sell this information to foreign intelligence operatives for a fee and make some extra cash on the side.

This is just one possibility, and others are even more frightening. Former CIO of the Executive Office of the President and well-known cybersecurity expert Theresa Payton believes that this is one of the most substantial issues facing the security world. The biggest problem with supply chain security is one of certification and tracking. As the number of suppliers increases, so does the surface area of potential compromise of components and equipment. Similarly, suppliers themselves often outsource to subcontractors, who may—or may not—maintain a level of quality control that is consistent with the supplier's goals. But, as usual, the ability to meet the demand for quantity often means that both quality and assurance take a backseat. Without an effective way to maintain the integrity of the supply chain and a strong certification process for suppliers and their subcontractors, organizations are wide open to contamination of their products, and fake versions of components and complete products will abound.

Globalization is not going away—it is increasing at an astounding rate, and as more suppliers can leverage low costs of production in new and far-flung nations (virtually all of which have government intelligence operations), the likelihood of reaching a point where major IT and security infrastructure is compromised through the supply chain reaches virtually 100 percent. Global OEMs, VARs, buyers, and governments should start working together to ensure the integrity of the supply chain.

John Linkous, Technology Advisor


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
