Malware imported into U.S. on foreign-made components

Published 13 July 2011

A high-level DHS official acknowledged that malware built into imported electronic components sold in the United States poses a serious threat to the U.S. economy and security; he also said it was a complex threat which the federal government has been trying to address in different ways; Greg Schaffer, acting deputy undersecretary for the National Protection and Programs Directorate at DHS, said the threat is “one of the most complicated and difficult challenges we have”

DHS' Greg Schaffer testifying before House committee // Source: digitaltrends.com

A high-level DHS official acknowledged that malware built into imported electronic components sold in the United States poses a serious threat to the U.S. economy and security. He also said it was a complex threat which the federal government has been trying to address in different ways.

Greg Schaffer, acting deputy undersecretary for the National Protection and Programs Directorate at DHS, said in testimony before the House Oversight and Government Reform Committee that the threat is “one of the most complicated and difficult challenges we have,” adding that he is “aware that there are instances where that has happened,” although he did not go into specifics about those instances.

Schaffer said that cyber-securing the U.S. supply chain requires securing the multiple steps of the supply chain — product assembly and acquisition, data sharing among partners, governance, and more — to ensure components of devices such as laptops and smartphones are not already infected by malware before they are sold. This makes it a difficult problem to manage.

Information Week quotes Schaffer as saying that a number of federal efforts are under way to tackle the problem. He mentioned a task force co-managed by the DHS and the Department of Defense to identify “short-term mitigation strategies” against such threats. He said the agencies also are working with the private sector to better monitor the manufacturing supply chain to prevent infected components from coming into the U.S. market.

Information Week notes that the Comprehensive National Cyber Initiative and the Cybersecurity Policy Review — the former set up under the George W. Bush Administration, the latter under President Obama — are aimed at shoring up the security of cyber supply chains.