Supply chain security moves to front burner in 2013

If the House Intelligence Committee hearings in October didn't tip you off, supply chain security has become a hot topic inside the Washington D.C. Beltway. Now that lawmakers are paying attention, what should you do?

ITworld | Security

Source: Chad Baker

At this late date, most of us know that viruses and other kinds of malicious programs can hide in e-mail attachments, on USB thumb drives and even behind an innocuous-looking link on Twitter or Facebook. We know enough (usually) not to just open everything people send us, or link to.

But what about all the hardware and software we buy and just assume to be reliable? Do you know that your Dell laptop, your Mac Powerbook or that new Cisco router for your company didn't come with malicious software already loaded? Could there be an extra hardware component dedicated to spying on you or your colleagues? Assuming that the device did come "certified pre-owned," as they say, how would you ever know?

If you winced just thinking about that, then you have some appreciation of the complexity of what is often called "supply chain security:" the herculean task of verifying the authenticity and integrity of computer hardware and software. It's an issue that's been lurking on the periphery of the national discussion about cyber security -- too thorny and complex to invite many takers among tech firms or policy makers. But the onslaught of sophisticated cyber espionage against the U.S. and its allies has roused both lawmakers and private sector firms to tackle supply chain security.

Microsoft was among those going public with its concerns over supply chain security. The company helped break up a global botnet known as "Nitol," in part by uncovering efforts by cybercriminals to infiltrate its supply chain in China, planting malicious software on computers during the manufacturing process. The company has since released a number of documents and position papers on threats to global supply chains.

But with more attention to the issue in the media, the question falls to individual companies and organizations (to paraphrase CapitalOne): "What's in your router?" In other words: 'what efforts are you making to verify the integrity of the technology products you buy?' And, if the answer is "nothing," is that a risk your company can continue to take?
