GAO: Supply Chain Poses Threat to Federal IT, But Costs to Determine Threat May Outweigh Potential Risks
Components manufactured overseas that go into IT products used by the United States government could be exploited by foreign intelligence agents or counterfeiters to degrade the security of critical and sensitive federal networks and data, the Government Accountability Office said in a report issued March 23.
"These risks ... in turn can adversely affect an agency's ability to effectively carry out its mission," the 45-page report says. "Each of the key threats could create an unacceptable risk to federal agencies." [See example of vulnerabilities at the end of this article.]
The GAO report identifies four national security-related departments - Energy, Homeland Security, Justice and Defense - that have acknowledged these threats.
But the report from the congressional investigators also points out that four intelligence agencies contend the costs of determining whether such threats exist may outweigh the potential risks posed by the supply chain, a point also made by Energy Chief Information Officer Michael Locatis III.
"There are many challenges and cost tradeoffs that must be considered in managing risk to the IT and related supply chains," Locatis says in a written response to the GAO report. "Sophisticated subversion inserted into IT hardware and software supply chains can be exceptionally difficult to detect. In the absence of improved technical means to identify and characterize these exploits, the value of focusing on compliance-driven administrative controls to mitigate supply-chain risks at the individual agency level is questionable and likely counterproductive."
Delineating the Risks
GAO identifies the IT supply chain threats as:
- Installation of malicious logic on hardware or software.
- Installation of counterfeit hardware or software.
- Failure or disruption in the production or distribution of a critical product or service.
- Reliance upon a malicious or unqualified service provider for the performance of technical services.
- Installation of unintentional vulnerabilities on hardware or software.
[Illustration omitted. Source: GAO analysis of public information.]
According to the GAO report, DoD has made greater progress through its incremental approach to supply chain risk management. GAO says the department has defined supply chain protection measures and procedures for implementing and monitoring these measures.
But GAO says Energy and Homeland Security have yet to define supply chain protection measures for department information systems and are not in a position to have implementing procedures or monitoring capabilities to verify compliance with and effectiveness of any such measures. Justice has identified supply chain protection measures, but has not developed procedures for implementing or monitoring compliance with and effectiveness of these measures.
"Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective or inefficient to manage emergent information technology supply chain risks," the GAO audit says.
Federal agencies are not required to track and determine the extent to which their networks contain foreign-developed equipment, and none of the four departments do so. The four departments participate in governmentwide efforts to address supply chain security, including the development of technical and policy tools and collaboration with the intelligence community.
According to GAO, officials from the Office of the National Director of Intelligence and the National Security Agency said that the relationship between a company and a foreign military or intelligence service is a more reliable indicator of a potential security risk than whether a product was manufactured outside the United States. In addition, DNI, NSA and Defense Intelligence Agency officials told GAO that tracking the country of origin alone would not be helpful, because the country of origin does not necessarily reveal the origin of component technology that a supplier integrates into the final product. Central Intelligence Agency and DNI officials also said that tracking the country of origin for every IT component used in the agency's telecommunications networks would be prohibitively expensive and infeasible with readily available mechanisms.
Still, GAO provided specific recommendations to Energy, Homeland Security and Justice to take appropriate steps to defend against supply chain threats. The departments generally agreed with the recommendations, but Locatis pointed out that the recommendations do not fully align with Obama administration initiatives, adding that he believes policies and standards to address IT supply chain risk management must be coordinated at the national level, not independently through individual agencies.
[Illustration of example vulnerabilities omitted. Source: GAO analysis of unclassified governmental and nongovernmental data.]