This week, G DATA claimed that rogue retailers are installing malware on Android-based phones from China and selling them on the open market.
This is a supply chain issue, since the problem is occurring before the devices are sold, and so far, the issue has mostly impacted Chinese consumers—though some infected phones have been found in Europe. The malware has been found on more than 20 brands of mobile phones. The article from eWeek suggests that it “underscore(s) the current difficulties in securing technology as it moves through the supply chain to its destination.”
What we must realize is, supply chain issues are more widespread and have a far different profile than just a few shadowy characters intercepting crates of phones on a dock somewhere:
In 2013, classified documents leaked by former contractor Edward Snowden showed that the U.S. National Security Agency and other national intelligence agencies have regularly infiltrated supply chains feeding technology to countries of interest to compromise devices that act as electronic moles, according to the documents. Devices from Cisco, Dell and other manufacturers, for example, have all been modified in transit to their destination to include implants to enable NSA monitoring.
PricewaterhouseCoopers found several shortcomings in how industrial companies deal with their supply chain security. Its survey, Global State of Information Security 2015, found that manufacturing companies lack knowledge about their own assets, lack employee threat awareness and lack insight into partners’ supply chain security practices.
The U.S. military is supported by a huge supply chain, which has become worrisome to Homeland Security. Mike Garson, the executive vice president and chief administrative officer and general counsel for LGS Innovations, addressed cybersecurity and supply chain concerns at Homeland Security Today. Garson cited IDC figures that the federal government will spend $78 million on IT this year, which is more than 2 percent of what will be spent worldwide. The budget for 2016 could reach $86.4 billion. (You can read Garson’s full feature article here.)
Garson suggests that this huge investment leads to great vulnerabilities, since complexity, geographic diversity and other factors are growing in ways that may overwhelm the technology that is being deployed:
This increased reliance presents considerably increased cybersecurity risks due to the lack of direct interaction with, and control over, the many potential vendors (or counterfeiters) in the ICT supply chain that could intentionally or inadvertently insert a hardware or software vulnerability, backdoor or fault in one of the ICT solution components.
Supply chains are long, complex and rely on technology that is not always seamlessly put together or efficiently run. That’s precisely the type of landscape that hackers like to call home, so of course it should be a concern for Homeland Security and all other organizations that do business with manufacturers.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.