DoD Takes Aim at Supply Chain ThreatDefending against Off-the-Shelf Tech Reprogrammed to Spy, Steal
A new Defense Department initiative is aimed at what's perceived as a growing, IT security menace: purchased technology - either hardware or software - that could be reprogrammed to pilfer sensitive and top-secret information or cause sabotage.
The program from the Defense Advanced Research Projects Agency is known as VET, for Vetting Commodity IT Software and Firmware, and seeks innovative, large-scale approaches to verify the security and functionality of commodity IT devices purchased by DoD to ensure they're free of hidden backdoors and malicious functions.
"DoD relies on millions of devices to bring network access and functionality to its users," Tim Fraser, a DARPA program manager, says in a statement announcing VET. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."
The Defense Department purchases massive quantities of computer and communications equipments built with components manufactured all over the world. Backdoors, malware and other vulnerabilities unknown to the user could allow an adversary to use a device to cause significant harm, including the exfiltration of classified information and the sabotage of critical operations, DoD says, adding that to determine quickly the security of each device it uses is beyond current capabilities.
Three Technical Challenges
VET, according to DARPA, will try to address three technical challenges:
- Defining malice: Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?
Confirming the absence of malice: Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?
Examining equipment at scale: Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device used by DoD prior to deployment?
On Dec. 12, DARPA will host a Proposers' Day in Arlington, Va., where, supply-chain participants will be briefed on the program and anticipated solicitation.
The House Permanent Select Committee on Intelligence brought the supply-chain problem to the forefront in October when it issued an investigative report that recommends U.S. government systems, particularly sensitive IT systems, should refrain from using equipment and component parts manufactured by the two companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively [see House Panel: 2 Chinese Firms Pose IT Security Risks].
Committee Chairman Mike Rogers says he worries that the Chinese government could be using communications products manufactured by the two Chinese and installed into U.S. government and American corporate IT systems to steal classified information and trade secrets. "Any bug, beacon or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks," the Michigan Republican says.
Despite claims by the two companies that such backdoor espionage and theft is not taking place, at least with their products, the threat is real, says Gavin Long, managing director at Civitas Group, an investment advisory services firm focused on the security and capital markets.
The Pervasive Problem of Cyberespionage
"The continuing loss of data to China suggests that the U.S. government should carefully assess the cybersecurity implications associated with the expansion of Chinese providers in the U.S. market," Long writes in a blog for GovInfoSecurity [see Do Chinese Cloud, Mobile Providers Pose a Threat?]. "Regardless of whether a vendor is based domestically or abroad, cyberespionage and data theft is a pervasive problem. Indeed, large U.S. companies have experienced significant data losses to hackers and other actors. In response, some providers have implemented more robust security policies to mitigate this persistent threat; others, however, lag behind."
Neil MacDonald, a fellow at the IT advisory firm Gartner, says a defense against such backdoor spying isn't to ban components and software - that could prove impossible to achieve - but to promote more transparency from suppliers along the supply chain that reveals pertinent information about components and equipment used by businesses and governments [see How Secure are the IT Wares You Buy?]. "Can your supplier show you a chain of custody from each component?" MacDonald asks. "How was it created; where did it come from, where was it sourced? Does the provider perform periodic sampling to make sure there aren't counterfeit parts introduced or backdoors introduced?"