“The vast majority of this is really criminal behavior,” said Brett Lambert, Deputy Assistant Secretary of Defense for Manufacturing and Industrial Base Policy, speaking Wednesday at the Potomac Institute “These are people who are doing this for profit, [and] that’s where you need aggressive prosecution.”
“The more complex issues are those who are trying to enter the supply chain for nefarious purposes,” Lambert went on, “either for failure” — that is, to sneak a booby-trapped component into US systems that can sabotage them or shut down down by remote control — “or for exfiltration” — that is, to install a back-door to access and download sensitive data. Compared to garden-variety fraud, he said, those subtle, malign modifications “are very difficult to catch.”
“The threat we face as a nation is real, growing, and evolving,” agreed George “Dennis” Bartko, special assistant for cyber to the Director of the National Security Agency. “It started out in the way of theft,” he said, but “our real concern and fear that it could evolve past that, to destruction.”
Nor are the parts themselves the only weaknesses in the global supply chain on which the Pentagon now relies, Bartko added: “[It's] those who install them or maintain them as well.”
Indeed, since most computerized systems nowadays automatically go online to check in with the manufacturer and download updates, all sorts of companies potentially have access to aspects of government systems, remotely and invisibly, not just the maintenance contractors physically and visibly walking in the door. The vast majority of this automatic updating is legitimate, even essential, especially (and ironically) to patch security problems. But not every sub-sub-subcontractor that provides components can be trusted with such access.
Sometimes even the manufacturer may not know what’s there. In one much-publicized case this summer, Cambridge University researchers found that a widely used Actel/Microsemi chip made in Taiwan (originally misleading reported as “China”) had “an undocumented backdoor key” they could crack in “hours.” This particular backdoor appears to have been not the result of deliberate malice but simply of a failure to deactivate a standard debugging feature. The Actel/Microsemi case shows how easily such vulnerabilities can be over-hyped, but it also shows how easily they can be overlooked in the first place.
So how do you guard against them? The Pentagon has helped set up highly secure manufacturing facilities on US soil — the so-called “trusted foundries” — to make electronic components for certain ultra-high-priority programs, like nuclear weapons, but Lambert said that approach would be too expensive, and too isolated from global innovation, to use for most weapons. “They are a very good solution for some things, but it’s a very narrow, very specific set of challenges, [and] it’s a very expensive solution,” he said.
As for imposing mandatory standards on commercial manufacturers in general, Congress thoroughly rejected legislation to do so in the related area of cybersecurity data sharing, and Lambert made clear that’s not the approach the Pentagon plans to take here.
“The old standby remedy to most supply chain concerns of ‘mandate it’ won’t work in the new global reality,” Lambert said. Even if the Pentagon just imposes requirements on its own supplies, information technology companies have such thriving commercial markets that they can just walk away from the military customer if it gets too difficult: “We find ourselves coming out with great standards but alienating the very technological edge we’re seeking.”
“We’re really looking at incentives,” Lambert went on. “Strict regulations and restrictions, when you talk about technology, never really work,” because tech changes faster than officials can update the regs. That said, he noted, “[while] the market does tend to be in many cases self-correcting, we can’t always wait around for it to self-correct without some incentives” to hurry the process along.
What kind of incentives? Lambert left it vague, but a private-sector participant on the panel, former Bush administration official turned consultant Melissa Hathaway, suggested tax credits to businesses (and individuals) for spending on good security practices and for investing in more secure processes to make key components, so that “three years from now, five years from now, you’re going to have more secure products hitting the market.”
One tech trend already underway that had NSA’s Bartko feeling optimistic is the rise of cloud computing, in which most data (and, often, applications) reside not on individual desktop computers but in a few centralized servers. It amounts to putting all your eggs in a few big baskets and making those big baskets (hopefully) more bulletproof than all the little ones they replaced could ever be, from the chips on up. The current Internet architecture was designed to maximize openness, not security or even privacy, and “we’ve typically looked at security as an add-on,” Bartko said. “What excites us with cloud computing is we’re at a stage [to design in] security right from the beginning.”
In the meantime, though, what’s DoD to do? One essential lesson for the Pentagon is to let go of its longstanding fixations on permanency and control, Lambert said. Instead of building systems to last for decades, the military needs to adapt them for constant upgrades, which would allow equipment to keep up with the constant advances in information technoloy and, by the way, to fix security problems as they were found or as more secure components became available. And the more the Pentagon can rely on “ubiquitous” commercial components where the military is only a tiny portion of the global demand, the harder it is for adversaries to know which ones to mess with. The idea “is not to try to control the space but to get lost in it,” Lambert said. “That’s quite adequate for many of our systems.”