In an increasingly connected world — where governments, industries and communities rely on the integrity of their network infrastructure as much as on the security of their physical infrastructure — another serious security risk has surfaced: the threat to digital data and devices from attacks within their supply chain.
Cyberthreats abound, from lone-wolf hackers and terrorists to government-backed professionals and covert organizations. Each of these actors, whether down the block or on the opposite side of the world, can access sensitive data, hijack computers, take down systems and wreak potentially catastrophic havoc.
Cyberthreats most commonly originate from a remote attacker who breaches an organization’s firewall and other network-security defenses. But a threat can bypass those defenses entirely when it is planted in the electronic equipment or devices that will ultimately connect to the organization’s network. Disturbingly, it is becoming clear that supply chain security vulnerabilities create openings for just these sorts of breaches.
These threats typically take the form of malicious software (malware) embedded in counterfeit, tampered or otherwise unauthorized electronics, from tablets and laptops to servers and routers, that are unknowingly procured as a legitimate part of the product supply chain.
Counterfeit products are pervasive across nearly every industry, from consumer luxury goods to pharmaceuticals. The average person may view a counterfeit as simply a lower-quality, less-expensive knock-off. But security-conscious organizations have come to regard counterfeits as a profound security threat, and one that is being exploited more and more often.
Through your own back door
It can be surprisingly easy to introduce malware-laden counterfeit electronics into the unprotected supply chain of a government contractor or OEM. Without a formal system of oversight, the counterfeit gains a direct and unrestricted path to sensitive information. The counterfeit may be an end-user product, or an electronic part or component inside one.
Malware can also be planted when authentic electronic parts and components are rerouted out of the legitimate supply chain into unauthorized markets, a practice known as gray-market diversion. Once diverted, these parts and components are exposed to tampering and malware infection before they re-enter the chain.
Once malware has made its way into a government facility and onto the network, the range of possible disruption is wide. It can infect workstations, corrupt files, disable machines and steal any piece of sensitive or classified data. It could also be used to create targeted failures in critical systems, where no information is stolen but network activity is halted. In short, a destructive malware program can put an entire country’s national security at risk.
Malware can be installed on nearly any kind of computing and networking equipment. The vast number of parts and components in this equipment, and the many suppliers and subcontractors that can feed a single OEM, only complicate matters for those trying to prevent supply chain breaches. To secure the supply chain, government contractors and OEMs must monitor and authenticate an extensive list of parts and components, both within their own operations and across everyone who handles these electronics: suppliers, manufacturing and distribution centers, and logistics carriers.
Counterfeit, diverted and tampered electronics are becoming commonplace. A 2012 Senate Committee on Armed Services report said that a two-year investigation covering 2009-2010 uncovered about 1,800 cases of suspected counterfeit electronic parts in the US defense supply chain. The total number of suspect parts in those cases was said to exceed one million.
“Disruptive and destructive cyberattacks are becoming a part of conflict between states, within states and among nonstate actors,” Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, said at a Brookings Institution forum in June. “The borderless nature of cyberspace means anyone, anywhere in the world, can use cyber to affect someone else.”
The DoD recently proposed a rule change to help ward off the threat of counterfeit electronics. The rule change builds on Section 818 of the 2012 National Defense Authorization Act (NDAA), which established the first anti-counterfeiting rules for defense contractors. It would hold government contractors responsible for detecting and avoiding counterfeit electronics and require them to bear the cost of any corrective action.
Securing the DoD’s electronics, networks and data is crucial to protecting homeland security. But counterfeit electronics and malware also pose a threat to government security beyond the DoD, from federal agencies like the Department of Homeland Security (DHS) to law enforcement agencies.
Securing every link in the supply chain
While the DoD is in the process of implementing anti-counterfeiting regulations to protect its systems and data, the DHS is still formulating its approach.
As DHS develops its own anti-counterfeiting regulations, it can draw on the proposed DoD counterfeit detection and avoidance rule for guidance, although DHS may want to make some changes. The proposed DoD rule currently applies only to items purchased under contracts subject to the Cost Accounting Standards (CAS), essentially giving a free pass to contractors not covered by CAS.
Yet a supply chain is only as strong as its weakest link. Until an entire supply chain is protected, it’s not secure.
On the industry side, contractors and OEMs that supply both the DoD and DHS would be well-advised to take a broader and more proactive approach to self-regulation. While anti-counterfeiting rules are not yet in place, contractors and OEMs will want to be prepared when such rules are implemented.
A few companies have already implemented anti-counterfeiting measures such as mass serialization and product authentication to secure their supply chains. This involves marking parts, items or groups of items with a unique identifier (UID), such as a randomized alphanumeric code, that can be traced at every hand-off across the supply chain. When a government entity takes possession of a product, it authenticates the code against a database registry to confirm that the OEM actually issued it and that it has not already been claimed elsewhere.
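The registry logic this paragraph describes, written out as an added example that is not the article's or Verify Brand's code. It also covers the earlier point that every handler in the chain, not just the end customer, must be authenticated: each hand-off is recorded against the registry, and the check on receipt separates a genuine part from an unknown code, a cloned label, a gray-market source and a custody record that does not match the shipper. Every handler name, part number, lot and scenario below is constructed for the example.

```python
# Added illustration of a serialization-and-authentication registry. Not
# Verify Brand's product; all handler names, part numbers and UIDs are constructed.
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, printable on a label


def generate_uid(length: int = 12, choose=secrets.choice) -> str:
    """Return a randomized alphanumeric UID.

    36**12 is about 4.7e18 values (~62 bits), so a counterfeiter cannot guess
    or enumerate valid codes the way they could with sequential serials.
    """
    return "".join(choose(ALPHABET) for _ in range(length))


@dataclass
class PartRecord:
    part_number: str
    lot: str
    custody: List[Tuple[str, str]] = field(default_factory=list)  # (holder, event), oldest first
    claimed_by: Optional[str] = None  # end customer that authenticated the code


class Registry:
    """OEM-side registry: issues UIDs, records custody and answers authentication queries."""

    def __init__(self, authorized_handlers):
        self.authorized = set(authorized_handlers)  # distributors, carriers and plants the OEM vetted
        self.parts: Dict[str, PartRecord] = {}

    def register(self, part_number: str, lot: str, holder: str) -> str:
        uid = generate_uid()
        while uid in self.parts:  # vanishingly rare at 62 bits, but a code is never reused
            uid = generate_uid()
        self.parts[uid] = PartRecord(part_number, lot, [(holder, "manufactured")])
        return uid

    def transfer(self, uid: str, from_holder: str, to_holder: str) -> None:
        """Each handler scans the code on hand-off; out-of-order scans are rejected."""
        rec = self.parts[uid]
        if rec.custody[-1][0] != from_holder:
            raise ValueError(f"{uid}: registry shows {rec.custody[-1][0]} as holder, not {from_holder}")
        rec.custody.append((to_holder, "received"))

    def authenticate(self, uid: str, receiver: str, received_from: str) -> str:
        """Verdict for a code scanned by the end customer on receipt."""
        rec = self.parts.get(uid)
        if rec is None:
            return "UNKNOWN"              # OEM never issued this code: counterfeit or unregistered
        if rec.claimed_by is not None:
            return "DUPLICATE"            # code already claimed once: a cloned label is in circulation
        if received_from not in self.authorized:
            return "UNAUTHORIZED_SOURCE"  # bought outside the vetted chain (gray market)
        if rec.custody[-1][0] != received_from:
            return "CHAIN_BREAK"          # registry's last known holder is not the shipper
        rec.claimed_by = receiver
        rec.custody.append((receiver, "authenticated"))
        return "AUTHENTIC"


def demo() -> Dict[str, str]:
    """Walk five constructed scenarios through the registry and return the verdicts."""
    reg = Registry(authorized_handlers={"OEM", "CarrierOne", "AuthDist"})

    # 1. Genuine part travels OEM -> carrier -> authorized distributor -> customer.
    genuine = reg.register("FPGA-X1", "LOT-2301", "OEM")
    reg.transfer(genuine, "OEM", "CarrierOne")
    reg.transfer(genuine, "CarrierOne", "AuthDist")
    verdicts = {"genuine": reg.authenticate(genuine, "DHS-Lab", "AuthDist")}

    # 2. A second unit carrying a copy of the same label reaches another customer.
    verdicts["clone"] = reg.authenticate(genuine, "Contractor-B", "AuthDist")

    # 3. A code the OEM never issued.
    verdicts["unknown"] = reg.authenticate("ZZZZZZZZZZZZ", "DHS-Lab", "AuthDist")

    # 4. Genuine part bought through an unvetted broker (gray-market diversion).
    diverted = reg.register("FPGA-X1", "LOT-2301", "OEM")
    reg.transfer(diverted, "OEM", "AuthDist")
    verdicts["gray_market"] = reg.authenticate(diverted, "DHS-Lab", "BrokerX")

    # 5. Authorized shipper, but the registry still shows the part with the carrier.
    stalled = reg.register("FPGA-X1", "LOT-2302", "OEM")
    reg.transfer(stalled, "OEM", "CarrierOne")
    verdicts["chain_break"] = reg.authenticate(stalled, "DHS-Lab", "AuthDist")
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

A serial code is only a label. The registry detects a code the OEM never issued and a code claimed twice, but when two parts carry the same UID it cannot say which of them is genuine, and it says nothing about malware inside a part whose code checks out. Authentication against the registry therefore complements, rather than replaces, inspection of the part itself.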
Beyond supply chain security and regulation compliance, serialization can deliver a number of other benefits to contractors and OEMs. The ability to track and trace products from production to customer receipt creates transparency that can give companies new visibility into their own operations and those of their suppliers and distributors. The result is the ability to optimize operations, realize logistical improvements and drive down costs — all increasingly important in the era of sequestration.
There’s no question that anti-counterfeiting regulations are on the horizon. Contractors and OEMs that sell to the government will have a decision to make in anticipation of changing regulations: either step up now and take on the security concerns of their customers by voluntarily securing their supply chains, or maintain the status quo and attempt to rapidly transition when regulations require it.
Mark Prokosch is a vice president with Verify Brand. He has more than 25 years of experience in the technology field, with expertise in software-as-a-service and content-management solutions. In his role at Verify Brand, he helps oversee strategy development of supply chain security and product-authentication solutions for industries such as government, life sciences, high-value consumer goods and chemicals. He received a master’s in business administration from the University of St. Thomas and a bachelor’s degree from Minnesota State University, Mankato.