IT Needs More Careful Sourcing

Why is everyone suddenly so concerned about Chinese hacking of corporate and US government networks? The hacking itself comes as no surprise to most Internet security experts.

Officials seem to feel the need to say something loudly just because a recent Mandiant report asserted that one of the most active hacking groups is likely a branch of the Chinese government. But all this huffing and puffing from US companies and government officials sounds an awful lot like Captain Renault in Casablanca, who was “shocked, shocked to find that gambling is going on in here.”

Sure, the Chinese are breaking the rules. The US probably is, too. (See: America’s Declared (& Undeclared) Cyberwar.) As in gambling, both want to come to the craps table, take their chances, and see what they might gain. The real problem is not that governments will hack, but that corporations and governments aren't doing enough to secure their networks against it.

Shaky supply chain security
There are plenty of ways to secure the network after it's built, such as firewalls and intrusion detection. But what is often overlooked is that security comes down in large part to the components — the supply chain of hardware, software, and services — that go into IT systems. And that supply chain is becoming less and less secure.

At least, that's the conclusion of a Gartner report published last fall (registration required). Neil MacDonald and Ray Valdes, two analysts at the research firm, wrote that CIOs are in for a rude awakening about the lack of security in that supply chain. In fact, they postulated that, within three years, an incident in the IT supply chain could cost companies millions of dollars.

In the old days, the IT supply chain was simple. Vertically integrated companies like IBM or Digital Equipment supplied hardware, software (operating system and applications), and services. But today, with globally sourced components, cloud computing, and open-source software, there is a multitude of suppliers in an ever-lengthening supply chain, and IT is increasingly vulnerable to attack through any one of them.

The US defense and military sector has been wary of certain IT products because of security concerns, according to the Gartner report. For example, an Air Force order for iPads to replace pilot flight manuals was put on hold due to concerns about the encryption used in one of the applications, which came from a Russian company.

Complex and volatile
Such concerns are also becoming more of an issue for corporations, according to Gartner. “The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises,” the firm said in a press release about the report. Hardware companies are outsourcing not only manufacturing, but also design, to companies in Asia and India, some of which outsource parts of the work to places like Vietnam and Indonesia.

And it's not just hardware. Software has a supply chain that includes various sources for components, middleware, virtual machines, and operating systems, Gartner said. There's even an information supply chain; data from sources like Google Maps and Twitter is increasingly incorporated into apps and the IT ecosystem.

The report describes more than half a dozen recent examples of IT supply chain problems, ranging from counterfeit routers to a back door found in mobile phone software. The authors offer some general recommendations:

  • Formalize an IT supply chain risk management program.
  • Move intelligence out of hardware and into software, where it is more transparent.
  • Consider “dis-information” strategies, such as mixing bad information with good, to make sensitive data harder to discern.

Search for integrity
Any executive reading this report will come away not only convinced of the need to do more to protect the organization from these threats, but also with some solid ideas about how to do that. It won't be easy. IT executives aren't used to thinking in terms of a supply chain. Even the electronics industry, where supply chains are well understood, has a tough time ensuring the integrity and security of the parts it procures. But organizations that don't take action may pay a high price.
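The software side of the supply chain described above (components, middleware, operating systems sourced from many vendors) is the part an IT department can check mechanically: pin the digest of every procured artifact at the time it is vetted, and verify the delivered tree against those pins before deployment. The following is an added example, not code from the original post or from Gartner, and the file names, the manifest layout (the two-space `sha256sum` style) and the sample contents are constructed for illustration. It reports four outcomes a practitioner cares about: a matching file, a tampered file, a pinned file that never arrived, and a file that arrived without ever being pinned.

```python
"""Verify a delivered component tree against a pinned SHA-256 manifest.

Added example: the manifest format, file names and contents below are
constructed assumptions, not artifacts from the article or from Gartner.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'sha256hex  relative/path' lines (the sha256sum(1) layout).

    Reject anything malformed rather than silently skipping it: a manifest a
    vendor shipped with a truncated line is itself a supply-chain finding.
    """
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pins[name] = digest.lower()
    return pins


def verify_tree(root: Path, pins: dict[str, str]) -> dict[str, str]:
    """Return {relative_path: status}, status in ok / mismatch / missing / unlisted.

    'unlisted' matters as much as 'mismatch': an extra binary nobody pinned is
    exactly how an unvetted component enters a build.
    """
    results: dict[str, str] = {}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, expected in pins.items():
        if name not in present:
            results[name] = "missing"
            continue
        actual = sha256_file(root / name)
        # constant-time compare is cheap insurance even for public digests
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in sorted(present - pins.keys()):
        results[name] = "unlisted"
    return results


def demo() -> dict[str, str]:
    """Build a constructed delivery, pin it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "crypto.so").write_bytes(b"\x7fELF-constructed-good-build")
        (root / "README").write_bytes(b"vendor notes\n")

        # Pins taken at vetting time, plus one component that was pinned but
        # never shipped (digest of all zeros is a placeholder, not a real hash).
        good = {name: sha256_file(root / name) for name in ("lib/crypto.so", "README")}
        manifest = "\n".join(f"{d}  {n}" for n, d in good.items())
        manifest += f"\n{'0' * 64}  lib/missing.so\n"

        # Simulate a compromised or substituted delivery.
        (root / "lib" / "crypto.so").write_bytes(b"\x7fELF-constructed-backdoored")
        (root / "extra.bin").write_bytes(b"unlisted component")

        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The pins must come from a channel separate from the delivery itself (a manifest downloaded alongside the binaries from the same mirror proves nothing); in practice the manifest is signed by the vendor and the signature checked before `parse_manifest` runs, which this example leaves out.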

“IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years,” MacDonald said in the press release. “Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect.”

The report, one in the Gartner Maverick Research series designed to “spark new, unconventional insights,” contains several fascinating examples of recently discovered counterfeit or sabotaged hardware and software in OEM products. I'll go into the details of those examples in my next several posts.

Meanwhile, do you think IT executives have enough motivation to vet their supply chains more thoroughly?

14 comments on “IT Needs More Careful Sourcing”

  1. prabhakar_deosthali
    March 23, 2013

    The concerns related to the software supplied from global supply chains are really serious, but I don't think the CIOs are equipped well enough to tackle this problem.

    Maybe now we require some built-in mechanisms in the software itself to self-detect a malicious attack on it and generate alerts.

    With the hacking community having more intelligence in such matters compared to the designers themselves, this is a herculean task.

  2. mfbertozzi
    March 23, 2013

    @p_d: well, it is right; let me add that we are also seeing new paradigms such as cloud and/or BYOD, so the “tackling” by CIOs needs to include, in my opinion, those evolutions too.

  3. t.alex
    March 23, 2013

    Some executives have no idea why it is that complicated nowadays. They still think this is just similar to a conventional system of 10 years ago. Information leakage is secretly happening every day and they won't know about it.

  4. mfbertozzi
    March 24, 2013

    @t.alex: we hope that they will decide to listen to suggestions from experts or from the colleagues responsible for it; companies managed by executives with poor expertise and preparation in that matter, sooner or later, are going to face critical conditions.

  5. owen
    March 24, 2013

    Now here's a shocking bit of information I gleaned from a preliminary report posted by Henry Livingston on his “Counterfeit Parts” site:

    “In June 2012, the Bureau of Industry and Security (BIS), Office of Technology Evaluation, in coordination with the U.S. Air Force, the National Aeronautics and Space Administration and the National Reconnaissance Office began a survey and assessment of the U.S. space industrial base supply chain network…”  Here's the kicker…

    “Overall, 74 percent of respondents do not have a formal protocol for handling counterfeits.”

    We are dealing with a global epidemic and nobody is immune. It's time to wake up and smell the roses, then again, they may be plastic counterfeits.

  6. Clairvoyant
    March 24, 2013

    It is unfortunate that companies buying parts need to spend the money to put programs in place to deal with counterfeits. Then again, if they don't spend money to properly detect counterfeits, they may be in a worse position in the long run.

  7. owen
    March 24, 2013

    According to most reports, annual counterfeit losses approach $700 Billion worldwide, with counterfeit electronics placing #2 at $169 Billion per year. The cost of procedures to avoid counterfeits would be a pittance by comparison. Here's a great source for counterfeit and black-market data.

  8. Clairvoyant
    March 24, 2013

    Hi Owen, could you explain the difference between the cost for Counterfeit Losses and the cost for Counterfeit Electronics? I would have thought both would be in the same category.

  9. owen
    March 24, 2013

    Hello Clairvoyant, if I understand your question correctly, “the difference between the cost for Counterfeit Losses and the cost for Counterfeit Electronics” is that Counterfeit Electronic losses represent only one industry that is part of the total.

    Havocscope, for example, includes 26 different segments in the total rankings reported.


  10. HM
    March 25, 2013

    “Meanwhile, do you think IT executives have enough motivation to vet their supply chains more thoroughly?”

    Well, IT executives don't make organizational decisions. I think unless this message comes from top management or the company's leadership team there won't be much improvement in these cases.


  11. Houngbo_Hospice
    March 25, 2013

    Companies don't leave their network infrastructures open for hackers to get into. It may be because current security techniques are not as efficient as we think. Hackers are always a step ahead of IT security.

  12. Flyingscott
    March 25, 2013

    I don't believe IT execs go deeply enough in this area. Not many people will know if a rogue component is in their system that is capable of stealing data or rendering the system useless in times of crisis. It is a very difficult problem to solve.

  13. ahdand
    March 25, 2013

    @Flyingscott: I think you do need hands-on experience on these things. Just reading something will not give you that experience in figuring out the capabilities and the importance of these things, for sure.

  14. hash.era
    March 26, 2013

    @Flyingscott: Why do you say that IT executives do not dig deep enough on this matter? I feel it's not only something the IT staff should be involved in but also the other staff too; at least the admin staff should dig deep too.
