U.S. Suspects Contaminated Foreign-Made Components Threaten Cyber Security
By MICHAEL ONO
WASHINGTON, July 9, 2011
Some foreign-made computer components are being manufactured to make it easier to launch cyber attacks on U.S. companies and consumers, a security official at the the Department of Homeland Security said.
"I am aware of instances where that has happened," said Greg Schaffer, who is the Acting Deputy Undersecretary National Protection and Programs Director at the DHS.
Schaffer did not say where specifically these components are coming from or elaborate on how they could be manufactured in such a way as to facilitate a cyber attack.
But Schaffer's comment confirms that the U.S. government believes some electronics manufacturers have included parts in products that could make U.S. consumers and corporations more vulnerable to targeted cyber attacks.
A top official from the Department of Homeland Security said for the first time Thursday that some foreign-made computer components are being manufactured with cyber attacks in mind.
A device tampered with prior to distribution or sale could act as a "Trojan horse" in the opening wave of an international cyberwar. Contaminated products could be used to jeopardize the entire network.
The admission by Schaffer came out Thursday after repeated questioning from Rep. Jason Chaffetz, R-Utah, at a House Oversight and Government Reform Committee hearing on cyber threats.
ABC News previously reported that the FBI was investigating a case in which counterfeit Cisco routers were being sold to various government agencies but this is the first time that a government official has confirmed that the threat is real.
Such attacks are difficult to detect and many go unnoticed. Cyber tactics have changed and many hackers just want to steal information without incident. Cyber thieves are going after personal information such as credit card numbers or target corporations and trade secrets.
Many in Congress have pointed to foreign governments as the source of many recent cyber attacks, although the administration has yet to call out any one nation.
Rep. Rosa DeLauro, D-Conn., in April called on Secretary of State Hillary Clinton to condemn cyber attacks launched by Chinese attackers against the American social action website Change.org.
Foreign-made components, often manufactured in Asia, play a key role in consumer electronic devices -- everything from Internet routers to home computers -- that make up the national digital infrastructure. DHS is charged with identifying and defending that infrastructure, but lacks legal authority to intervene in private companies.
While the threat of a contaminated supply chain is real, it is not exclusively directed at the United States, according to Jim Lewis, a senior fellow at the Center for Strategic and International Studies.
"The threat of a contaminated supply chain is a risk, but it's a risk that everybody has, because it's a global supply chain," he said.
Will Cyber War Become a Partisan Issue?
Part of that challenge facing DHS includes a plan to form partnerships with the private sector, because most of the nation's cyber infrastructure is controlled by private companies.
DHS has begun classifying key infrastructure and is reaching out to private Internet companies.
But Republicans in particular have expressed concerns with the president's proposed cyber legislation, calling the new rules too burdensome on the private sector.
"The president's plan gives the Department of Homeland Security unfettered authority to regulate private industry," Rep. Bob Goodlatte, R-Va., who spoke at an earlier hearing at the House Judiciary Committee.
And while cyber security has been traditionally treated as a non-partisan issue, House Speaker John Boehner, R-Ohio, stirred up controversy last week by appointing a Republican-only cyber security taskforce in the House.
Rep. Jim Langevin, D-R.I., a long-time cyber security advocate, expressed his displeasure with the decision but said he remains committed to working with Republicans to help improve national cyber security.
"I am deeply disappointed in this decision, but have developed strong relationships with my colleagues on the other side of the aisle and will continue my push to ensure that we finally address the structural problems that have persisted in our policy and that have allowed our nation to remain vulnerable online," Langevin said.
Congress is expected to take up cyber security legislation this session and still remains a top priority for the Obama administration.