Congress has been warned that imported software and hardware components are being deliberately infected with spyware and malware.
“Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions,” reads the White House’s Cyberspace Policy Review.
“The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.”
The report was produced a few months ago, and the warning may sound a little vague.
But Greg Schaffer, acting deputy undersecretary of the Department of Homeland Security (DHS) National Protection and Programs Directorate, has told the House Oversight and Government Reform Committee that since its publication he's come across specific occasions when this has happened.
He didn’t give details. But suspicion is likely to fall on China, where components for many mainstream products sold in the US are manufactured.
It’s not clear whether Schaffer was talking about specialist systems, or common-or-garden PCs which could, for example, be shipping with pre-loaded malware designed to co-opt them into botnets.
Schaffer says a task force has been created jointly by the DHS and the Department of Defense to look into the problem.