We've all heard about how Stuxnet, the virus that reportedly destroyed a number of Iranian uranium centrifuges, was distributed through a series of carefully scattered USB thumb drives. But a U.S. government official is claiming that malware is being built into computer hardware right at the factory.
Neal Ungerleider of Fast Company reported earlier this month that in testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the White House believed that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. Schaffer did not specify what sort of equipment or components might be affected.
Ungerleider went on to cite two White House reports describing the problem. First is the Cyberspace Policy Review, which mentioned the problem in passing; second is "Securing the Supply Chain for Electronic Equipment," a report that is undated but appears to have been posted on the White House site on or before June, 2009.
The Council on Foreign Relations, which also wrote about the testimony, went on to cite two other speeches where Department of Defense Deputy Secretary William Lynn III and former DHS Deputy Under Secretary Philip Reitinger had made reference to the problem, though as more of a theoretical concept. The CFR also held a workshop on Cybersecurity, Foreign Policy, and Business that attempted to address the problem, which it said was a concern worldwide, not just for the U.S.
Examples of such malware could include kill switches that would power down the system in response to remote commands, or even more, as described by a prescient article in Scientific American last year by John Villasenor. He wrote:
"Anything that uses a microprocessor—which is to say, just about everything electronic—is vulnerable. Integrated circuits lie at the heart of our communications systems and the world’s electricity supply. They position the flaps on modern airliners and modulate the power in your car’s antilock braking system. They are used to access bank vaults and ATMs and to run the stock market. They form the core of almost every critical system in use by our armed forces. A well-designed attack could conceivably bring commerce to a halt or immobilize critical parts of our military or government."
The FBI also had an investigation in 2008 about counterfeit Cisco routers that could have been used to provide a way for hackers to gain access to government data.
The worst part is that Schaffer didn't particularly have a solution or recommendation; the CFR workshop recommendations -- while certainly laudatory -- were rather Mom-and-apple-pie:
"1) A global approach; 2) Global standards should underlie national approaches; 3) Government policy should be technology-neutral and outcome-oriented; 4) Beware the consequences of unilateral action; and 5) Pursue strategic alliances."
For its part, Scientific American recommended hardware that tested and diagnosed itself periodically -- which, of course, begs the question of who develops *that* and how do we ensure that it's reliable.
