Stuxnet may have been "ours," but the next 'Stuxnet' may not be. And it's almost certain that Stuxnets, in some form, are coming our way. In April 2012, for example, the U.S. Department of Homeland Security's Industrial Control System CERT (ICS-CERT) warned natural gas pipeline firms (PDF) in the U.S. about a campaign of targeted, "spear phishing" attacks that used malicious email attachments and web sites to try to get a foothold on the firms' IT infrastructure. That's just one of a number of warnings related to what ICS-CERT believes is a widespread campaign (PDF) against critical infrastructure in the U.S.
Paul Nicholas, the head of Microsoft's Global Security Strategy and Diplomacy Team, said that supply chain security started to take on new importance within the last five years. "People started to realize that their information and communications technology supply chain was global," he said. "Governments started to worry about that (and) wonder, 'I am reliant on this IT. How well do I understand the risks?'"
On Capitol Hill, those questions found predictable expression. The House Intelligence Committee, for example, conducted hearings this year into allegations that telecommunications vendors ZTE and Huawei were conspiring with the Chinese military to steal intellectual property from U.S. and Western firms. Despite the lack of hard evidence to support those claims, the Committee issued a report in October calling the firms evasive and untrustworthy, and warning U.S. firms to beware.
The Senate has also acted, in a more nuanced way: adding language to the National Defense Authorization Act (NDAA) (S. 3254) (PDF) calling for "improvements of security, quality and competition in computer software procured by the Department of Defense." Part of that is for the DOD to require government software development and maintenance organizations and contractors to create a secure software coding plan that includes verifiable processes and practices, to comply with approved secure coding standards issued by the DOD, and to submit to inspections and appraisals. A version of that bill passed the Senate 98-0 in December.
Knock-offs, backdoors and other headaches
That's all well and good, but what does it mean for businesses and other organizations worried less about geopolitical scorekeeping and more about the integrity of the new equipment they buy - and of the hundreds or thousands of devices already deployed on their networks?