December 10, 2012, 2:23 PM —
Source: Chad Baker
At this late date, most of us know that viruses and other kinds of malicious programs can hide in e-mail attachments, on USB thumb drives and even behind an innocuous-looking link shared on Twitter or Facebook. We know enough (usually) not to just open everything people send us or link to.
But what about all the hardware and software we buy and just assume to be reliable? Do you know that your Dell laptop, your Mac Powerbook or that new Cisco router for your company didn't come with malicious software already loaded? Could there be an extra hardware component dedicated to spying on you or your colleagues? Assuming that the device did come "certified pre-owned," as they say, how would you ever know?
If you winced just thinking about that, then you have some appreciation of the complexity of what is often called "supply chain security": the herculean task of verifying the authenticity and integrity of computer hardware and software. It's an issue that's been lurking on the periphery of the national discussion about cyber security -- too thorny and complex to invite many takers among tech firms or policy makers. But the onslaught of sophisticated cyber espionage against the U.S. and its allies has roused both lawmakers and private-sector firms to tackle supply chain security.
Microsoft was among those going public with its concerns over supply chain security. The company helped break up a global botnet known as "Nitol," in part by uncovering efforts by cybercriminals to infiltrate its supply chain in China, planting malicious software on computers during the manufacturing process. The company has since released a number of documents and position papers on threats to global supply chains.
But with more attention to the issue in the media, the question falls to individual companies and organizations (to paraphrase Capital One): "What's in your router?" In other words: "What efforts are you making to verify the integrity of the technology products you buy?" And, if the answer is "nothing," is that a risk your company can continue to take?