Know your vendor

Operation Cisco Raider was an international effort that involved multiple U.S. government agencies in 2007 and 2008. The effort focused on North American distribution of counterfeit Cisco Systems network hardware that was manufactured in China and resulted in more than 400 seizures.

Immigration and Customs Enforcement and many others seized more than 74,000 counterfeit Cisco network components and labels with a total estimated retail value of more than $73 million, according to the U.S. Attorney's Office in the Eastern District of Virginia.

Our ability to detect malicious circuitry, basic input/output systems and software in equipment like this requires every single networking card or board to be analyzed. Not surprisingly, we do not have an efficient and effective way to accomplish that, making it too costly and time-consuming to determine if any of the counterfeits were components of cyber espionage. Sources familiar with the operation told me that these counterfeits made their way into several federal agencies, including the Defense Department. Supporting this information is an FBI presentation included in an article, “FBI Fears Chinese Hackers Have Back Door Into U.S. Government & Military.”

Sensitive electronic equipment valued in the billions is transiting global supply chains at any time. One source on a congressional commission, who wished not to be identified, expressed concern that the U.S. government is at risk as a result of the global computer supply chain.

The supply chain is a critical area and requires security measures to manage risks. For this reason, the International Organization for Standardization created a standard to deal with the security of supply chains. Fourteen countries participated in its development, together with several international organizations and regional bodies. ISO 28000 calls for security management systems specifically to deal with risk in the supply chain. This standard provides organizations the guidance necessary to establish, implement and maintain a security management system that specifically addresses critical security and assurance aspects of the supply chain.

This is a critical measure to minimize the risk of counterfeit or compromised equipment making its way into your systems or on your networks. That risk can take many forms.

The FBI is investigating the unexpected delivery of laptops to officials in several states, including West Virginia Gov. Joe Manchin's office. In early August, Manchin's office received five computers in Hewlett-Packard packages. The evolution of supply chain processes for receiving sensitive equipment alerted staff members to the anomaly. An internal investigation concluded that no one from the state had ordered them. Authorities are working with HP trying to obtain tracking documents that clearly define the path from manufacturer to order, point of distribution, point of sale and delivery.

The concerns prompted the isolation of the computer equipment. The laptops were not turned on or connected to a network. It is not clear at this point if forensic analysis has been completed on the computer equipment in question or if there were any malicious capabilities accompanying the computer equipment.

Introduction of unauthorized or compromised computer hardware, networking equipment or electronic components could wreak havoc on any system.

The following disciplines can help secure your supply chain and reduce your overall risk of compromise.

•  Integrating security into the supply chain.
•  Matching all received equipment, including serial numbers, against packing slips and purchase orders.
•  Contacting your computer equipment supplier and establishing controls for ordering and receiving.
•  Controlling rogue acquisition of all sensitive equipment.
•  Establishing a centralized place for each facility that acts as a control point to receive packages.
•  Establishing a reporting process for handling strange activities, packages and shipments.
•  Establishing a security awareness training program for all persons involved in the supply chain.
•  Establishing a certified supplier program that includes vendor background investigations and security asessment of their processes and facilities.