Why is everyone suddenly so concerned about Chinese hacking of corporate and US government networks? It comes as no surprise to most Internet security experts.
Officials seem to feel the need to say something loudly just because a recent Mandiant report asserted that one of the chief hackers is likely a branch of the Chinese government. But all this huffing and puffing from US companies and government officials seems an awful lot like Captain Renault in Casablanca, who was “shocked, shocked to find that gambling is going on in here.”
Sure, the Chinese are breaking the rules. The US probably is, too. (See: America’s Declared (& Undeclared) Cyberwar.) As in gambling, both want to come to the craps table, take their chances, and see what they might gain. The real problem is not that governments will hack, but that corporations and governments aren't doing enough to secure their networks.
Shaky supply chain security
There are plenty of ways to secure the network after it's built, such as firewalls and intrusion detection. But what is often overlooked is that security comes down in large part to the components — the supply chain of hardware, software, and services — that go into IT systems. And that supply chain is becoming less and less secure.
At least, that's the conclusion of a Gartner report published last fall (registration required). Neil MacDonald and Ray Valdes, two analysts at the research firm, wrote that CIOs are in for a rude awakening about the lack of security in that supply chain. In fact, they postulated that, within three years, an incident in the IT supply chain could cost companies millions of dollars.
In the old days, the IT supply chain was simple. Vertically integrated companies like IBM or Digital supplied hardware, software (operating system and applications), and services. But today, with globally sourced components, cloud computing, and open-source software, there are a multitude of suppliers in an ever-lengthening supply chain, and IT is increasingly vulnerable to attack.
The US defense and military sector has been wary about certain IT products because of security concerns, according to the Gartner report. For example, an Air Force order for iPads to replace pilot flight manuals was put on hold due to concerns about the encryption used in one of the applications, which came from a Russian company.
Complex and volatile
Such concerns are also becoming more of an issue for corporations, according to Gartner. “The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises,” the firm said in a press release about the report. Hardware companies are outsourcing not only manufacturing, but also design, to companies in Asia and India, some of which outsource parts of the work to places like Vietnam and Indonesia.
And it's not just hardware. Software has a supply chain that includes various sources for components, middleware, virtual machines, and operating systems, Gartner said. There's even an information supply chain; data from sources like Google Maps and Twitter is increasingly incorporated into apps and the IT ecosystem.
The report describes more than half a dozen recent examples of IT supply chain problems, ranging from counterfeit routers to a back door found in mobile phone software. The authors offer some general recommendations:
- Formalize an IT supply chain risk management program.
- Move intelligence out of hardware and into software, where it is more transparent.
- Consider “dis-information” strategies, such as mixing bad information with good, to make sensitive data harder to discern.
Search for integrity
Any executive reading this report will come away not only convinced of the need to do more to protect the organization from these threats, but also with some solid ideas about how to do that. It won't be easy. IT executives aren't used to thinking in terms of a supply chain. Even the electronics industry — where supply chains are well understood — has a tough time ensuring the integrity and security of the parts it procures. But organizations that don't take action may pay a high price.
“IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years,” MacDonald said in the press release. “Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect.”
The report, one in the Gartner Maverick Research series designed to “spark new, unconventional insights,” contains several fascinating examples of recently discovered counterfeit or sabotaged hardware and software in OEM products. I'll go into the details of those examples in my next several posts.
Meanwhile, do you think IT executives have enough motivation to vet their supply chains more thoroughly?