acm-header
Sign In

Communications of the ACM

ACM TechNews

Trust But Verify: Security Risks Abound in the It Supply Chain


There are substantial national security issues associated with the use of information technology (IT) products delivered via the global supply chain, including theft of intellectual property, logic bombs and self-modifying code, deliberately concealed back doors and features for unsanctioned remote access, and risks from bogus or counterfeit products.

Three years ago, ACM published a study identifying the national security risks posed by the U.S. government's use of foreign software, and the leading risk was that non-understanding of code pedigree could permit belligerent nations, terrorists, and others to undermine or sabotage software used in critical government systems. Yet the problem also applies to hardware and potential risks caused by counterfeit products or foreign computer chips and microprocessors, as well as the activities of domestic miscreants. The complexity of the IT supply chain means no clear demarcation between software and hardware pedigree from source to government system.

In January 2008, the White House issued a Homeland Security Presidential Directive calling for a national priority and plan for anti-cyberthreat action, and one of the directive's initiatives is designed to address IT supply chain risks. The National Institute of Standards and Technology has identified several sub-program areas to tackle, including criteria for identifying federal government systems and networks that need augmented efforts to ensure supply chain risk management, lifecycle processes and standards, acquisition policy and legal analysis, and a process for sharing vendor threat analyses across the federal government.

Meanwhile, U.S. Customs and Border Protection's Customs-Trade Partnership Against Terrorism (C-TPAT) has shown considerable progress in its goal to protect the trade industry from terrorists and offer incentives and benefits to private-sector firms that meet or surpass C-TPAT supply chain security criteria and best practices.

From Government Computer News
View Full Article

 

Abstracts Copyright © 2009 Information Inc., Bethesda, Maryland, USA


 

No entries found